Schneier on Security
A blog covering security and security technology.
« Keystroke Biometrics |
| How Australian Authorities Respond to Potential Terrorists »
April 23, 2007
Hacking the U.S. Post Office
This is clever:
Many USA ecommerce shops don’t send their goods to Russia or to the countries of the Ex-USSR.
Some shops send but delivery costs differ greatly from the homeland ones, they are usually much bigger.
So what did some Russians invented? They got a way to fool the delivery.
It’s no secret that many bigger shops use electronic systems processing orders. So in order to see if this address is in USA or Canada it uses ZIP code, state or province name and words "USA" or "CANADA".
So what was possible to do is to put totally Russian address in the order delivery form, like: Moscow, Lenin St. 20, Russia in the address fields, usually there is a plenty of space to enter long things like this, and in the field country they put Canada in the field ZIP code Canadian zip code.
What happens next? The parcel travels to Canada, to the area to which the specified ZIP code belongs and there postal workers just see it’s not a Canadian address but Russian. They consider it to be some sort of mistake and forward it further, to Russia.
Posted on April 23, 2007 at 1:00 PM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Working for ecommerce companies, many have address comparison programs for US & Canadian addresses, and so this trick will fail. The usual method will have the order pop on an address exception list and, once it is determined to be to an undesirable destination (Russia, not Canada), the order will be cancelled. Small shops on auction sites and the likes may, however, be taken in by this, although even they can use usps.gov to check addresses that look snarky. This trick would only work if you have automated a portion of your process but do not have the sophistication of exceptions screening.
Poor and inconsistent postal code validation seems to be pretty common. Two days ago, I had to do something similar to order a pizza from the web site of a famous chain.
The system was not allowing me to enter a Canadian postal code so I first entered a US one and then, after the registration process was done, corrected the address to use the right code.
Suffice it to say that international addressing standards are, ahem, all over the map.
I'd take these claims with a few large grains of salt.
First off, the package is missing the the standard bar-cides strips that get aplied during automated processing (we are way past hamd-sorting up here).
Secondly, the mailing label shown looks a bit suspicious -- it lacks any kind of identification as to the sender (most companies at least put a logo on), and the labels are not the normal cross-border custinms labels that appear on parcels. The parcel labels don't even show the US and Canada customs clearance stamps / stickers.
And I very much doubt that Canada Post wouuld incur the costs of forwarding a misadressed parcel to "Russia" rather than returning it to the sender in the US.
I think this is not hacking the U.S. Post Office, but rather Canadian Post...if it is working...
I used a similar ruse to get Eddie Izzard VHS tapes from his webstore before they were available in the U.S. I just selected the PAL system tape, then for shipping options chose "Royal mail to Australia" and put in my real address. Worked like a charm.
That's not hacking but rather tricking.
International packages require accompanying customs forms, which would either be missing or incorrect. That alone makes it highly unlikely that the package goes anywhere but back to the sender.
Yeah, I also have a high degree of skepticism about the part where Canada Post just decides to forward the merchandise to Russia for free.
I work for an e-commerce company, though, and we see people trying to do stuff like this all the time. Usually our shipping system kicks the orders out. I guess the ones it doesn't kick out, we wouldn't be aware of.
What is wrong with sending stuff to Russia?
OK, you may want to confirm that funds are in your bank before delivery, but a customer is a customer.
A bit off topic, but closely related. A much bigger problem is US e-shops refusing to accept credit/debit cards issued by non-US banks. Sometimes you just can’t enter anything other than US/Canada in the ‘billing/country’ field. One can guess why this is happening, but it’s very inconvenient for a non-US customer. Anyway, recently I discovered a simple way to work around this annoyance. I just specify a valid US billing address with my non-US card details and it works like a charm. I do have a US-issued card at that address (it’s just very inconvenient for me to transfer funds there so I mainly use foreign cards) and this fact must be tricking the AVS into rating this card as ‘good’ or whatever status is sufficient for a purchase.
"That's not hacking but rather tricking."
In this case, they're the same thing. I define hacking a system as manipulating it to do something it doesn't normally do, something you want it to do. In this case you're exploiting a loophole in the address-detection system on the U.S. end, and the address-correction system on the Canadian end.
It might not -- as some readers have suggested -- work, but it most certainly is a hack.
"What is wrong with sending stuff to Russia?"
Nothing, other than the fact that a lot of (not very motivated) American vendors don't want to go through the hassle of international shipping, even to Canada; I see it all the time on ebay and other sites.
Mind you, it's their stuff their selling and they have every right to artificially restrict availability, but not much point in selling on the Internet if you're too lazy to fill out a customs form at the post office.
Then again, could be people are worried to ship internationally due to Big Brother ^H^H^H^H^H^H^H^H^H^H^H Homeland "Security" and don't want to end up on a watch list for being cognizant of a world 'over there' ;-)
I think the problem is the tubes - they are too damn small 'cause them ferriners use metric or something.
erm....why is this titled "Hacking The U.S.Post Office"? Does "Hacking The Canadian Post Office" sound too boring?
The USPS parsed the highest level of the address and sent the item there. Were they expected to validate the entire foreign address?
This appears to be common approach in other situations and by nationals of other countries. When my eBay account was hijacked last year, the hijacker used "Ha Noi, VN, Japan" as his shipping address, apparently to hide his actual country known to be the source of many fraudulent transactions.
Somewhat related: I live outside the USA and buy web space from a company called media3. I always paid online with a credit card.
Several months ago, they changed their online form: it now requires a ZIP code. I called them to explain I haven't a US zip code (why would they care? they're not shipping anything). The guy I spoke to suggested I enter their zip code. That worked.
Who knows how long it will continue to work, though. I'll move my web sites to European providers, I guess.
This is the oldest trick in the book, but its use is obviously limited. Just put the recipient's name as the return address and any old ship to address. Leave the stamp off and "viola!" the letter is mailed to the recipient with a "return to sender" message.
You don't even need the "Forever Stamp" or any stamp at all!
Re the comments questioning why the Canadian post office would "incur the expense" of forwarding mail that arrived in Canada by mistake: post offices routinely do this. Usually it isn't the sender's fault, it's the fault of the post office in the sender's country. For example the Australian post office regularly forwards a significant quantity of mail from the USA addressed to places in Austria.
Don't mock it. Postal services do their best to ensure delivery.
I live in Israel (intl. notation "il"), and have seen more than once where people^H^H^H^H^H^HAmericans misunderstood the address to be something along the lines of "3A Jabotinsky st., Ramat Gan, Illinois". Often such envelops had clearly been mailed to Illinois, where an alert postal worker found (surprise) that there is no city called "Ramat Gan", and hand wrote "Try Israel". It is particularly amusing when the content of the envelop is a registered delivery cease and desist notice. Obviously, the delivery registration is a US postal service, so the attachment is still present. Also, the rules for serving in Israel are different, so such deliveries bear little legal substance. It really pays to pay attention to what country the entity you are serving is in.
There are also frequent stories from the Israeli postal service of envelops, usually from abroad, who send letters addressed to "God, Jerusalem, Israel". If it's general requests they try to put them in the wailing wall. Otherwise, there is not much they can do about them, but they do get a human to look at them.
@geoff & rusty
Some people may deny shipment to Russia over fraud concerns. If they notice that all of the orders that received charge backs were all shipped to Russia. Then they might just block the any shipments to them.
In Vista, the name of a program affects the rights needed to run it:
I particularly like the line: "The Vista feature you've run into is the equivalent of an airport metal detector." Was this a commentry on Vista security, or on airport security?
@doov: In the UK, if the stamps are missing/insufficient, the recipient must pay the postage to receive the parcel.
This should work for the general case, also - with the Canadian Post Office getting their fee for forwarding to a UK address.
I just assumed that all post offices did this; it just seems obvious.
Re-routing of letters and small envelops is not uncommon, but large parcels cost significantly more to handle. They take up a lot of space in cargo and it is easier to "return to sender" for correction.
But the real reason I say this one is a hoax is the lack of custom clearance stickers, etc. I do enough cross-border shipping and ordering to know that the parcel would not be processed without US and Canada customs declaration forms, etc. Especialy from a cmmercial entity.
Yes, and I am aware of the CA abbreviation being confused for California instead of Canada, and that when the Canadian postal code was first released that there were stories of mail destined for postal code T0K 0Y0 ending up in Japan.
And postal services do attempt delivery whenver possible -- but usually for letters and small envelops only. (THe stories about handling of letters addressed to "God, Jerusalem, Isreal" are similar to the ones in Canada and the US addresses to "Santa, North Pole". Canada Post even has a special postal code designation - H0H 0H0 - that kids can write to to reach Santa.) Large parcels, especially those from commercial entities, would likely be returned for address correction, as it costs a lot more to send a parcel onwards. Also, the parcel would not have the correct customs clearance.
However, the parcels would have to have US customs export forms and Canadian customs entry forms attached, as the package value (even if zero) has to be declared. These are usually glued onto the address label, and are not that easy to tear off without leaving a trace. The parcel in the photo lacks any evidence of these forms. Also, since Canada Post is highly automated, there would have been a MICR style strip attached that carried a bar-code for re-routing. Quite simply put, the address label and parcel shown do not bear any of the markings one would expect of a parcel that was routed cross-border, or subsequently re-routed.
"It might not -- as some readers have suggested -- work, but it most certainly is a hack."
I got your point, it's just that when I noticed the title I thought of some kind of "cold iron" vulnerability within the postal service's site or something.
There's another scheme carders have been using for years that I'm aware of and it's called a "drop place". They purchase the items, ship them to a merchant-friendly country's drop place, someone picks it up and forwards it to the final destination thus bypassing the merchant's policy not to ship to blacklisted countries.
Here's an ongoing discussion in action :
If you watch old American movies/tv shows, you'll see this sometimes. But, the USPS has stopped doing that (a long time ago) due to lost revenue. It happened all too often that the recipient decided the postal charges exceeded the value of the crap inside. The post then gets to foot the bill. They got tired of this and abolished the practice.
poor Canada. US phone phreaks wrought havoc on their phone operators too.
Last month I tried the USPS software for printing your own Priority Mail address labels with postage. I thought I had set up everything correctly, including my USPS account info (for payment via my credit card), and then used the software to print a label for a package to be sent elsewhere in the US. I wasn't quite sure why the label I printed said "Postage Required" where the "stamp" usually goes, but decided to send the package anyway. Well, the package got delivered in 2 days, as promised, but I never got charged for it. Way to go, USPS!
The same trick works with addresses like
'23, aviatorilor street, bucarest, germany'
given to european ecommerce shops.
Slightly off topic -- but did you know that they are planning to introduce post codes to Ireland in 2008!
Interestingly the main opponent of this is -- the post office - An Post.
They have worked so long without post codes that they have better OCR technoligy than most other post offices and when the high tech fails, well, the Postman will know who its for anyway.
When postcodes are introduced (for the benefit of rival carriers) the post office plans to ignore them!
I see this writing was written by colleague of mine in Eastern block. Our grammar is far superior to your inferior grammar.
BTW, surely most Russians did invented anything!
In Frank Abagnale's 'Catch me if you can' (the book, not the movie), he described one of his scams:
1) Write a cheque. Text on cheque of bank name and address "First Acme Bank, San Francisco". Transit code at the bottom of the cheque coded for "First Empire Bank, Boston".
2) Deposit cheque in Houston. Bank says, "Oooo! This is a very large cheque, we'll have to wait till it clears."
3) Cheque goes to Boston because of the transit code. Boston bank says "Ooops, wrong bank!", must be a misprint, and mails the cheque to San Franscisco.
4) Five days later, while the cheque is still in transit, the Houston bank says, "Well, it hasn't come back by now, it must be good!", and pays out cash.
5) Um, skip town.
So as bad guy I could sit on a bus with a parcel and a pen and 'do global mail'.
@ chuck at April 23, 2007 02:49 PM
"A much bigger problem is US e-shops refusing to accept credit/debit cards issued by non-US banks. Sometimes you just can’t enter anything other than US/Canada in the ‘billing/country’ field. ...I discovered a simple way to work around this annoyance. I just specify a valid US billing address with my non-US card details and it works like a charm.
Hmm. I'm not sure this works as I tried it with a UK card and it failed. I'd called my card issuer and explained the problem and they said that they would enter the US address on their system and that payments should go through thereafter but they did not. If I recall correctly, the merchant's system recognized the card as foreign from the card number even though I'd entered the (valid) US address. (Note though that the US address was on the issuer's system as an additional address, not as the main billing address, though the issuer had assured me that that should not be a problem.)
This is very annoying for a UK citizen as we are ripped off horribly on many prices here, so much so that even after paying int'l shipping and additional taxes, it's often far cheaper to import from the US.
Mark: as a person in the U.S., I wish it were easier to order things from the U.K. I'd love to mail order things from a number of U.K. catalogs such as Liberty, various clothing stores, garden ornament stores etc., but many refuse to ship to the U.S.
I can't imagine why that is if I'm willing to pay the postage.
Our system uses QAS address verification. So this would never work. In fact, you can't even put in a street address that doesn't exist or a zip code that is incorrect.
The software world needs to wake up and start doing address validation instead of just accepting random strings of characters.
>>The software world needs to wake up and start doing address validation
>>instead of just accepting random strings of characters.
You just have to hope that you don't live in a new development where your street isn't yet in the 'database'....
Especially great if you are moving to a new house and cant get anything delivered......
"Validating against all known addresses" creates more problems than it solves.
I'm moving out of the USA shortly, and would still like to purchase things from various on-line stores (who don't deliver outside the USA).
My proposed solution is to have the item delivered to my very close friend, along with an e-mailed pre-paid-printed UPS international shipping label, as well as a $5 target voucher (for his troubles). He can check the goods on receipt, stick the label on the box, sit it at the door, and spend the $5.
Keep in mind that Abagnale did that scam in the 1960's when check clearing did take several days and instantaneous banking was still a thing of the future. Also that particular scam worked worked because there were / so many independent or small area banks in the US.
Putting the destination address as return address, and leaving out the stamp, is only viable if you don't care how long it takes to get to your destination. It can take well over a month to bounce back to that address, even if it's within the same city. This appears to be deliberate throttling to combat exactly this threat, since true bouncebacks (e.g. correct postage but wrong destination address) come back within 1-2 weeks.
The US postal service is so automated (otherwise you wouldn't be able to mail a letter for 39-41 cents) that all sorts of things can slip through. For example, US stamps do not encode value in machine-readable format (UK stamps do). So basically, any first-class stamp from the past twenty years is a "forever stamp" as far as the machine is concerned.
The annoyance factor of getting a bounceback. then having to remail the letter, is the deterrent. A human will notice a 22-cent stamp on a 41-cent letter. etc.
The mail delivery person is the last but often the only line of defense against postage errors, because (s)he is frequently the only human at the postal service who ever looks at a mailpiece.
There's some fascinating information at endicia.com about US postal matters. Gives lots of ideas for gaming the system (the founder of the company even writes: Please don't use this information to scam the postal service.). If the problem becomes big, then they'll address it. Otherwise, they'll just let it go. It's like proof-of-payment systems for subways and trains.
That's not hacking but rather tricking.
Can I send prescriiption drugs to Canada?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.