{"id":11598,"date":"2018-02-26T13:17:25","date_gmt":"2018-02-26T21:17:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/26\/news-5369\/"},"modified":"2018-02-26T13:17:25","modified_gmt":"2018-02-26T21:17:25","slug":"news-5369","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/26\/news-5369\/","title":{"rendered":"USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online"},"content":{"rendered":"<p><strong>Credit to Author: BrianKrebs| Date: Mon, 26 Feb 2018 19:28:41 +0000<\/strong><\/p>\n<p>In October 2017, KrebsOnSecurity <a href=\"https:\/\/krebsonsecurity.com\/2017\/10\/usps-informed-delivery-is-stalkers-dream\/\" target=\"_blank\" rel=\"noopener\">warned<\/a> that ne&#8217;er-do-wells could take advantage of a relatively new service offered by the <strong>U.S. Postal Service<\/strong> that provides scanned images of all incoming mail before it is slated to arrive at its\u00a0destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn&#8217;t at that point set up to use its own unique communication system &#8212; the U.S. 
mail &#8212; to alert residents when someone had signed up to receive these scanned images.<\/p>\n<div id=\"attachment_40983\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-40983\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/10\/informeddelivery.png\" alt=\"\" width=\"600\" height=\"259\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/10\/informeddelivery.png 818w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/10\/informeddelivery-580x250.png 580w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/10\/informeddelivery-768x331.png 768w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">Image: USPS<\/p>\n<\/div>\n<p>The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed &#8220;<strong>Informed Delivery<\/strong>,&#8221; includes a scan of the front and back of each envelope or package destined for a specific address each day.<\/p>\n<p>The Postal Service says consumer feedback on its Informed Delivery service has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any bills or other mail being delivered while they\u2019re on the road. It has been available to select addresses in\u00a0several states\u00a0since 2014 under a targeted USPS pilot program, but it has since expanded to include\u00a0many ZIP codes nationwide. U.S. residents can find out if their address is eligible by visiting\u00a0<a href=\"https:\/\/informeddelivery.usps.com\/\" target=\"_blank\" rel=\"noopener\">informeddelivery.usps.com<\/a>.<\/p>\n<p>According to the USPS, some 8.1 million accounts have been created via the service so far (Oct. 
7, 2017, <a href=\"https:\/\/krebsonsecurity.com\/2017\/10\/usps-informed-delivery-is-stalkers-dream\/\" target=\"_blank\" rel=\"noopener\">the last time I wrote about Informed Delivery<\/a>, there were 6.3 million subscribers, so the program has grown more than 28 percent in five months).<\/p>\n<p><strong>Roy Betts<\/strong>, a spokesperson for the USPS&#8217;s communications team, says post offices handled 50,000 Informed Delivery notifications the week of Feb. 16, and are delivering an additional 100,000 letters to existing Informed Delivery addresses this coming week.<\/p>\n<p>Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 35,000 USPS retail locations nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.<\/p>\n<p>If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.<\/p>\n<p>A review of the methods used by the USPS to validate new account signups last fall suggested the service was wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.<\/p>\n<p>Signing up requires an eligible resident\u00a0<a href=\"https:\/\/reg.usps.com\/entreg\/RegistrationPortalAction_input\" target=\"_blank\" rel=\"noopener\">to create a free user account<\/a>\u00a0at USPS.com, which asks for the resident\u2019s name, address and an email address. 
The final step in validating residents involves answering four so-called \u201cknowledge-based authentication\u201d or KBA questions.<\/p>\n<p>The USPS told me it uses two ID proofing vendors:\u00a0<a href=\"https:\/\/krebsonsecurity.com\/2014\/03\/who-built-the-id-theft-service-ssndob-ru\/\" target=\"_blank\" rel=\"noopener\">Lexis Nexis<\/a><strong>;\u00a0<\/strong>and, naturally, recently breached big three credit bureau <a href=\"https:\/\/krebsonsecurity.com\/?s=Equifax&amp;x=0&amp;y=0\" target=\"_blank\" rel=\"noopener\">Equifax<\/a> \u2014 to ask the magic KBA questions, rotating between them randomly.<\/p>\n<p>KrebsOnSecurity has\u00a0<a href=\"https:\/\/krebsonsecurity.com\/?s=kba&amp;x=0&amp;y=0\" target=\"_blank\" rel=\"noopener\">assailed KBA<\/a>\u00a0as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like\u00a0<strong>Spokeo<\/strong>\u00a0and\u00a0<strong>Zillow<\/strong>, or via social networking profiles.<\/p>\n<p>It&#8217;s also nice when Equifax gives away a metric truckload of information about where you&#8217;ve worked, how much you made at each job, and what addresses you frequented when. See: <a href=\"https:\/\/krebsonsecurity.com\/2017\/11\/how-to-opt-out-of-equifax-revealing-your-salary-history\/\" target=\"_blank\" rel=\"noopener\">How to Opt Out of Equifax Revealing Your Salary History<\/a> for how much leaks from this lucrative division of Equifax.<span id=\"more-42450\"><\/span><\/p>\n<p>All of the data points in an employee history profile from Equifax will come in handy for answering the KBA questions, or at least whittling away those that don&#8217;t match salary ranges or dates and locations of the target identity&#8217;s previous addresses.<\/p>\n<p>Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. 
Unfortunately, anyone able to defeat those automated KBA questions from Equifax and Lexis Nexis &#8212; be they stalkers, jilted ex-partners or private investigators &#8212; can see who you\u2019re communicating with via the Postal mail.<\/p>\n<p>Maybe this is much ado about nothing: Maybe it&#8217;s just a reminder that people in the United States shouldn&#8217;t expect more than a post card&#8217;s privacy guarantee (which can leak the &#8220;who&#8221; and &#8220;when&#8221; of any correspondence, and sometimes the &#8220;what&#8221; and &#8220;why&#8221; of the communication). We&#8217;d certainly all be better off if more people kept that guarantee in mind for email in addition to snail mail. At least now the USPS will deliver your address a piece of paper letting you know when someone signs up to look at those W&#8217;s in your snail mail online.<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2018\/02\/usps-finally-starts-notifying-you-by-mail-if-someone-is-scanning-your-snail-mail-online\/\" target=\"bwo\" >https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2017\/10\/informeddelivery.png\"\/><\/p>\n<p><strong>Credit to Author: BrianKrebs| Date: Mon, 26 Feb 2018 19:28:41 +0000<\/strong><\/p>\n<p>In October 2017, KrebsOnSecurity warned that ne&#8217;er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its\u00a0destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn&#8217;t at that point set up to use its own unique communication system &#8212; the U.S. mail &#8212; to alert residents when someone had signed up to receive these scanned images.    The USPS recently told this publication that beginning Feb. 
16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed &#8220;Informed Delivery,&#8221; includes a scan of the front and back of each envelope or package destined for a specific address.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[16740,17627,15358,15359,12313,11404,17220,11931,16311],"class_list":["post-11598","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-a-little-sunshine","tag-equifax-spokeo","tag-informed-delivery","tag-kba","tag-knowledge-based-authentication","tag-lexisnexis","tag-security-tools","tag-usps","tag-zillow"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11598"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11598\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11598"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11598"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}