Schneier on Security
A blog covering security and security technology.
« Triple-DES Upgrade Adding Insecurities? |
| Deniable File System »
April 17, 2006
Man Diverts Mail to Himself
Someone filed change-of-address forms with the post office to divert other peoples' mail to himself. 170 times.
Postal Service spokeswoman Patricia Licata said a credit card is required for security reasons. "We have systems in place to prevent this type of occurrence," she said, but declined further comment on the specific case until officials have time to analyze what happened.
Sounds like those systems don't work very well.
Posted on April 17, 2006 at 12:02 PM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
OK this guy comes off as an idiot begging to be caught. What scares the heck out of me however would be the following scenario:
ID Thief 1 steals ID from Victim A (enough to obtain a credit card). ID Thief then uses A's credit card to redirect so that it looks as if Victim A is the culprit.
After obtaining Credit Card information for Victim B-Z, rinse lather and repeat for a third set of victims....
Personally, I just wish I could file a change of address form for "Resident". He gets a ton of mail at my house.
More seriously, I've always wondered why this sort of thing isn't more common. My guess has always been that it's too easy to track down who was doing it. In this case, it was pretty easy to do just that. The hard part appears to be noticing that it was done in the first place. My gut feeling is that there isn't really a big problem here. I would bet that changing your address to somewhere outside of the jurisdiction of US laws is significantly more difficult, you're telling the authorities where you live (or at least where you'll be picking up your mail) in the process of comitting your crime, and it looks like you're giving a valid credit card (which might not be yours, but that probably makes it easier to spot and not much more difficult to track down) Then there's the other side of it, in that it doesn't appear to be overly profitable to do this sort of crime. Lastly, my recollection is that interfering with the mail is a fairly heavily punished crime, in addition to any other crimes committed using the information gleaned from the purloined letters.
So, I don't think it's much of a problem. the criminals who do this will be the rare cases that are both smart enough to do it, while simultaneously stupid enough to think they won't get caught and severely punished. This guy falls into that niche, but I doubt that many others will. There are probably ways to make the system better, and they probably should be evaluated, not so much to prevent this particular brand of fraud, but more as a matter of good hygine to prevent some more clever type of fraud that we haven't come up with yet.
This seems to be a time sensitive attack. I mean, think about it, how long until you realize you don't have any mail and talk to the post office?
I know if I don't get any two days in a row, I'm calling to make sure.. I get enough junk mail to wonder why not.
Last time I filled out a change-of-address, I got a notice in the mail at my current address to tell me my mail was going to be forwarded. Perhaps these aren't sent out by all postal offices consistently? That's shocking that it took 170 times before he got caught. Heh...perhaps on the website, there's a checkbox where you can say whether you want to be notified and he simply unchecked that box (just a guess).
@Confused: perhaps this works well where you live. In Canada, the post office cannot easily let you know if there is a change of address outstanding. I've tried to do this once after going for a week with no mail (not even junk).
The USPS online change of address site doesn't work very well, anyway.
My fiance had huge problems with it. We kept trying to put in her information, but it kept insisting it could not verify her credit card info.
A week later, there were 7 or 8 one-dollar charges on her credit card from the USPS.
Hmm, interesting... finally a good use for junk mail! A "carrier signal" from the Post Office.
You can put your mail on hold at the USPS web site with no identification at all. Not a theft, but a "denial of service" is possible.
if i understand correctly, usps provides those change of address forms to information brokers, and then your new address shows up on the stalker sites. yes you have to tell all your valued correspondents your new address, but it's worth it.
resisted the impulse to redirect jenna jameson's mail to bruce schneier.
Apparently the computers that do the mail redirecting also use a simplistic analysis of the address. My girlfriend's last name at the time was Plaster and we lived together at a large apartment complex.
We started receiving forwarded mail from "Planet 10". Apparently it was supposed to be forwarded to somebody else's apartment at the same street address but the software only looked at the front 3 letters of the name PLA and the first 19/n characters of the street "123 brookfield court" and missed the ", apt #103" part of the address.
Thus our address:
123 brookfield court........
were identical to the forwarding software and we starting getting a lot of very odd mail. Apparently planet 10 is a fictional/metaphysical planet beyond Pluto were aliens live. After seeing this mail (and properly returning it unopened) I can only imagine the wacko mail SETI must get...
Having just moved, the USPS outright told me not to use the webform, but to fill it out in their office and hand it in. Much better and safer.
Of course, I subsequently had my DSL hosed from the move (and SBC being idiots), but there you are.
I used to have a post office box and picked up my mail weekly. One time there was no mail, not even a yellow slip to indicate that junk mail had overwhelmed my box and my mail was being held elsewhere.
After a month of complaining, I was finally told the owner of the box had left instructions a month ago to hold his mail as he was going on vacation. I asked whose name was on the instructions, but they wouldn't tell me.
Then the guy handed me a month of mail.
Had I been a cop with a gun the situation would have been corrected that first day.
If only someone could steal my mail, I'm sick and tired of all the Junk.
This seems to have regional differences.
In some countries in Europe all it takes is a phone call (you knowing somoene's last 4 digits of the local social security number proves that you are that person), or a form sent via web, or a letter ...
In this case, somoene in US and without a credit card cannot change their own mailing address??
I accidentally DOS'd myself when I first moved into my current appartment. After a couple of months I was still getting mail from the previous tenents, so I started writing "Return to Sender, Addressee no longer at this address", thinking I was doing them a favour. After a few weeks of this I stopped getting mail all together. When I contacted the post office they told me they assumed everyone at that address had moved, so they stopped delivering mail. I never did get any of the mail they didn't deliver and 2 years later I am still getting the mail from the previous tenents. And I am not just talking about junk mail, but bank statements and the like. If I wanted to, I am sure by now I could have completely taken over their identities, have a dozen or so credit cards and ruined their lives. Fortunately for them I don't want to.
Not actually. In the US, you can go to any post office in person and change your address. If you want to do it online you need a credit card.
The whole mailing system lacks the equivalent of a DNS layer. You don't manually type in 18.104.22.168, you go to www.google.com. Likewise, you shouldn't have to jot down the complete, current physical address of anyone. Instead, people and companies should have unique "mail names"; you would simply put down the mail name of the person you want to send something to, and the postal service would look up their current address and send it to them.
All it takes is some rudimentary insight on behalf of the Postal Service to put this into action, and it would greatly improve the reliability of their services.
As of about 3 years ago, the USPS system for matching addressing for a forward order took the first 4 characters of your last name + the last 2 digits in the street number + the zip code. So Bill Smith at 1489 Main Street could have his mail forwarded if Maria Smithson at 189 St. Paul moves as long as they started in the same zip.
When I started to not get my bills, it took repeated calls to the local USPS branch to put in a _manual_ watch for mail to my address. And a lot of followups with companies that I do business with (credit cards, utilities, insurance, etc.) to erase late fees for bills I never received and to undo automated address updates when the vendor would update to the forwarded address without notifying me and without my consent. It took about 4 months to straighten everything out.
The USPS staff, BTW, hated the limitation in their system. You can well imagine the grief they had to put up with in an ethnic area where many families have a common last name.
Oh, the misdelivered mail never turned up. Which is simply lovely for credit card statements and other items that can be used to perpetrate ID fraud.
Last September (2005) my mother moved a few hundred miles away from what was our family home for over a decade. I moved out of the house in January 2002 and had already changed my address with every company/bank I could think of. In the 3 years I had not lived there I got a handle of things delivered to me at my old address. Now when my mothered left the house she setup a redirection of her mail and my sisters mail (who still lived at with here, although is now at Uni) to her new address. She needed her Passport and several "official" letters to prove she lived at the address as well as a credit card. My sister also needed to agree to her mail being sent as she is not a minor. After all it is illegal to tamper with the mail.
Now the scary thing? A few items of mine (only junk mail so I wasn't concerned) were also redirected to her. I had not signed anything allowing this. I contacted the post office and they were helpful however if they so strict regarding sign up to the redirection service why are they not so strict when it comes to the actual redirection of the mail!
Micah: I just moved last month and the Post Office sent one of those notices to my old address. But since I had the change of address take effect immediately, it was the first thing that got forwarded to my new address.
Overall, the USPS does a pretty good job. It's easy to pounce on the post office, but given that most cases of mail fraud happen beyond the reach of the post office, and the fact that they handle billions of pieces of mail (and 99.9999% of the time, your $.39 gets it there in one piece) it says a lot that you don't hear of this kind of thing happening much at all.
In terms of dollar amount paid for the overall security of services rendered, they're a bargain. Typical mail fraud happens outside the control of the 'service; unsecured mailboxes, people being careless with their personal information, and so on. Now, of course, they've some catching up to do to plug this hole. Hopefully, they've already begun learning from this experience.
When you change your email, you have to answer to the confirmation email you receive at your old email address before the change it accepted. The confirmation email has a token.
They could apply the same technique there. It would hinder those who don't have access to their old address anymore (did they already move?) but the special cases could undergo under a special check (What's your pet's name? :) ) before letting the change be applied.
Problem mostly solved.
Hey, they said they have systems in place to prevent this sort of thing, they just didn't say what place that is. It happens to be a broom closet in Mifflinville, PA.
But seriously, I've always marvelled that I can have a physical piece of mail delivered with a high degree of accuracy for much less than a dollar.
I'd say my hat's off to them, but I'm not wearing a hat, so these pants will have to do.
The standard practice in the UK (Royal Mail) is that they send out two confirmation letters: one to the original address and one to the new address. That way, if I received a letter saying "Your post is going to be redirected next week", I'd have a chance to say "Oi, no!" I'm surprised that this isn't standard practice everywhere. They do the same thing when the forwarding period is about to expire, which warns the original address (e.g. the new tenant) to expect extra post.
All of this makes on-line statements seem more secure to some degree, then...interesting.
We have a post office box, but have a few things that come to our home mailbox. A month or two ago, we started receiving mail in our post office box that had our street address on it. The street address had been crossed out with a pen, and the post office box number was written on the mail. I wondered about this and decided that the mailman didn't want to walk up to our door to deliver our mail; however, I decided that as long as we're getting our mail, I'm OK. The other day, our termite company called and told us that the invoice they mailed to our street address had been returned because we had a post office box! Is this not ridiculous? We pay for a post office box, so we're not allowed to get mail at our house? Am I crazy, or does this sound reasonable to anyone? Thoughts, please!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.