Staying Secure with Informed Delivery
Informed Delivery® was launched by the USPS® to reengage a tepid mailing audience and curb its declining revenue. Consumers who sign up for the service are able to preview mail on their mobile device before it arrives, allowing the “mail moment” to become more interactive. The problem is, the vast amount of the American public does not know about Informed Delivery, or if they do, they have not signed up. Only 4% of Americans are currently enrolled in Informed Delivery [1].
Informed Delivery, as it turns out, is unfortunately known within the cybercriminal community. It has been a popular topic on dark web forums[2] for its usefulness in aiding identity theft. The lack of public awareness about Informed Delivery makes the get-rich-quick scheme even easier for criminals to execute.
Here’s what’s happening: criminals sign up for Informed Delivery as other people, order credit cards in their name, see exactly when the card arrives, retrieve the card, and rack up charges before anyone’s the wiser. They can also see package arrival times so that while you’re still waiting, wondering where your popcorn tin is, it’s already halfway across the city being eaten in a cyber-lair.
We reached out to the USPS about fraud concerns, but their email back seemed somewhat dismissive; “Media reports are blaming an innovative system for a criminal and societal problem.” Others disagree. On the list of the concerned is the Secret Service. According to Krebs on Security, the Secret Service sent a national alert to law enforcement about the danger of Informed Delivery in further emboldening identity thieves. After a backlash of complaints, the USPS has begun sending out notices in the mail to inform residents when their address has been signed up for Informed Delivery. The problem is, if criminals are already frequenting the mailbox, there’s no guarantee the notice will arrive.
Mail is an alluring platform for cyber criminals since it is inherently simple, physical, and non-hackable. Of course, unintentionally, Informed Delivery has changed this dynamic.
Potential solutions start at the verification process to get an account. Today, Informed Delivery only uses Knowledge Based Authentication (KBA) for its identity verification. It provides multiple choice questions on information, so the chances of guessing right are 25%[3]. However, a multi-channel verification would strengthen this. For example, USPS could text a code that only your cell phone number would receive to confirm the account creation. Until this process is tightened up, what are your choices today?
You could sign up first to make sure no one else can sign up as you. Although if you run into issues with this, here are special steps to take. Assuming you could sign up, don’t forget that every person at the house who can receive mail needs their own Informed Delivery account. This is what the Post Office™ recommended via our emailed communications: “We believe that the best way to help stem identity theft, mail theft, or package theft is to have every household sign up for Informed Delivery, so customers can have the convenience and security of monitoring their mail and package deliveries.”
Despite this, people are asking for an opt-out and a return to the double-blind mailbox life. They want their addresses to be blocked from the Informed Delivery program as a protective measure. Others want an opt-out because they don’t like the idea of their mailbox data being scanned into a giant database somewhere where the information could be sold off to third-parties. Whatever your reason, there is a way out.
The USPS can block your address from informed delivery by emailing esafe@usps.com. We tried it out received a quick response:
“Per your request, your address has been blocked from all Informed Delivery access. Please note that Postal Service customer identities are not compromised by using the Informed Delivery feature. In the fraud cases reported, an individual’s identity has already been compromised by a criminal who then has used it to set up an Informed Delivery account.”
Informed Delivery is not a bad idea, in fact it’s positive in that it further enhances the mail moment and has helped keep mail competitive with digital advertising. While some issues have arisen relating to the execution of the process, the USPS is aware of them and will likely continue to enhance security features.
BCC Software will continue to keep you updated with any news relating to this, so stay tuned.
