The U.S. Postal Service has been both praised and derided for its Informed Delivery service. Now there is a new criticism of the offering, which allows people to get scanned images of the front of incoming snail mail by email: Krebs On Security calls it "a stalker’s dream."
That’s right. Informed Delivery is “raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners,” Krebs writes.
Historically, the postal service has faced security issues like mail theft and mail dumping. These days, the threats are cyber-based. But so are the opportunities.
Krebs walked through the signup procedure for the free service and found that it relies on weak authentication.
Residents have to answer four “knowledge-based authentication” (KBA) questions to sign up. But, Krebs asserts, “many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.”
Worse, the KBA questions were provided by the “recently breached big-three credit bureau Equifax, no less,” Krebs continues.
Finally, the service is not easy to opt out of, Krebs says. And there’s no paper-mail notification when someone signs up at a resident’s address: That means investigators, stalkers and ex-spouses can enroll in a person’s name and see the scanned mail.
Security expert Peter Swire told Krebs that the USPS should use the channel it controls to verify people. “Multi-channel authentication is becoming the industry norm, and the U.S. Postal Service should catch up to that,” he said.
The USPS responded to Krebs that it will implement snail-mail notification in January 2018, using the same capability it already relies on to confirm address changes. A USPS spokesperson also sent the following statement to Email Insider:
"The Postal Service safeguards consumers’ personal information by following industry best practices for identity verification and uses an identity verification solution (IVS) developed specifically for Informed Delivery users.
"If a consumer is unable to verify his or her identity during online enrollment, he or she will be directed to visit a USPS location to verify his or her identity in person and provide the requisite documentation and forms of identification.
"Next month, the Postal Service plans to augment its already robust process by adopting a multi-factor authentication process for new users and is committed to enhancing authentication as best practices emerge. Actions like this will further strengthen the Informed Delivery identity verification process.
"Informed Delivery is in full compliance with federal privacy laws and was launched in close coordination with the Postal Service’s Privacy Office, its Chief Information Security Officer, and the U.S. Postal Inspection Service, whose sole mandate is to safeguard the entire Postal Service system."
The spokesperson also pointed out that the service now has 6.3 million accounts, and that it is especially popular with people who travel a great deal: They can keep up with their mail on the road. That's a good reason to sign up for it right there.