Maliciously Changing Someone's Address

Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later.

The problem, of course, is that in the US there isn't any authentication of change-of-address submissions:

According to the Postal Service, nearly 37 million change-of-address requests ­ known as PS Form 3575 ­ were submitted in 2017. The form, which can be filled out in person or online, includes a warning below the signature line that "anyone submitting false or inaccurate information" could be subject to fines and imprisonment.

To cut down on possible fraud, post offices send a validation letter to both an old and new address when a change is filed. The letter includes a toll-free number to call to report anything suspicious.

Each year, only a tiny fraction of the requests are ever referred to postal inspectors for investigation. A spokeswoman for the U.S. Postal Inspection Service could not provide a specific number to the Tribune, but officials have previously said that the number of change-of-address investigations in a given year totals 1,000 or fewer typically.

While fraud involving change-of-address forms has long been linked to identity thieves, the targets are usually unsuspecting individuals, not massive corporations.

Posted on May 18, 2018 at 6:20 AM • 33 Comments

Comments

echoMay 18, 2018 7:44 AM

In the UK this is an old scam. People used to apply for credit cards and whatnot and have them sent to an address which had been redirected. From what I remember checks were introduced to put an end to this. Limited proof is required which makes identity potentially spoofable. If I recall there has also been the odd case of telephone lines being intercepted to spoof a bank when crooks were purchasing high value items such as gold and the company wanted authentication of a bankers draft.

In UK law is there is no defined identification docmuent which means if a citizen wishes to be awkward and is happy going to court this can become very interesting. Passports area funny thing too. I need to check if the law has changed but , basically, a citizen is free to leave or enter the UK without any form of passport. Passports themselves are a fairly recent invention. Within Europe travel was possible across borders without any form of identification until the idea of the modern state began to assert itself. In the UK Oliver Cromwell introduced birth certificates to aid with people knowing their lineage and the welfare of women. Of course, from another angle this was feature creep on the Thomas Wolsey doctrine of "All ur data belong to US" of which RPIA and similar efforts including GCHQ via its annual request getting its mittens on your BBC and NHS data and anything not locked down or lost half way through local government pay negotiations.

May 18, 2018 7:44 AM

In Portugal everyone has a citizen card with biometrics which serves for authentication (everybody has a unique citizen number from birth) and also has the citizen's official street address.


echoMay 18, 2018 8:06 AM

@Zé

The continental view is very different. In the UK we have the right wing "Magna Carta" fantasists up in arms every time citizens documents are raised.

UK law on documents is a bit murkey. Essentially government hides behind "historical documents" in court when really what government means is they have "possesion" and "bigger guns" so they belong to them "Neee ner". This does lead to unchallengeable innacuracies and other human rights horrors mostly to uphold a dogmatic view or protect a job titles career interests.

I expect Clive may remember the Finland Revenue scam (and prefilled deposit forms in banks). Classic!

Impossibly StupidMay 18, 2018 8:15 AM

The problem, of course, is that there isn't any authentication of change-of-address

What is there that can be authenticated? It's a physical location, not an individual account you have set up. They send a notification letter to the old/new physical locations. It then falls on whoever has secured that location to finalize the authorization. People need to suggest a workable alternative before they start making a fuss.

FrancMay 18, 2018 8:51 AM

LOL,

Checks... he intercepted checks. Why are businesses sending checks? Just transfer the bits direct :)

Clive RobinsonMay 18, 2018 9:25 AM

@ echo,

Limited proof is required which makes identity potentially spoofable.

It used to be a proof of ID and a proof of residence, such as a utility bill.

Now most utilities have gone on line, and they require no proof of residence to put your name on the bill.

In the past that would have stopped the scam because the bill would be sent by post thus would in theory get caught by the householder...

However utilites now allow you to print out the bill and thus the Post Office will except the bill you print out wherever you might be as the scammer (could be a random public library or Internet cafe or open WiFi).

Thus the scammer can change the bill, print it out, be down the post office and get the mail divert in their name within an hour. The letter from the utility might not go out for a week or two, thus the scammer gets the diverted letter...

The thing about most address related security is it's all based on very weak security in quantity rather than a stronger single source.

As for the photo ID the UK is required under EU law to use "equivalence" at the individual level or get prosecuted for discrimination.

Thus with strong authentication required for UK drivers licences (actually stronger than passports), the UK drivers licence is deemed acceptable for UK Photo ID. However some EU countries have little or no security on drivers lixences (just as it used to be in the UK). Thus with the "equivalence" a scammer can go to one of the weak security drivers licence countries, make a fake application safely get a genuine drivers licence bring it back to the UK and be entitled to use it as strong ID photo authentication...

A loop hole that has been estimated as having been used by over a million "new EU country citizens" in "old EU countries"...

The recent influx of "middle east refugees" into "old EU countries" has more recently provided another loop hole... Which has atleast been recognised as a method being used by terrorists.

But rumour has it that no changes have been made yet because of the influance of "Mummy Merkel", who wants more refugees to come to Europe... Now I can not say one way or the other if it is true or not. But the need for imagration into Europe to make up for the falling birth rate, actually makes both political and fiscall sense. What does not make sense is not having a properly working system to detect "Disposable DNA" trying to abuse the system to get terrorist into the EU, regardless of if they are radicalised EU citizens, or radicalised citizens of other nations slipping in with genuine refugees...

The whole process is a compleat mess and has never been thought through by either politicians or bureaucrats untill the problem was well and truely in existent with god alone knows how many people of ill intent (ie not just terrorists but criminals etc) having slipped in...

vas pupMay 18, 2018 10:57 AM

The only thing to fight this is penalty which make cost-benefit analysis is favor of not doing such fraud, and I mean financial penalties first.
All US mails are scanned and images are stored in DB. Moreover, on the mail are other features (like fingerprints)to identify culprit.
Recently,it was good action on FTC side to impose huge (millions $ fine) on telemarketer for caller id-spoofing in particular and robocalls.
Good job!
I guess when Postal Inspector really find culprit of the scam, it should be make public as much as possible to serve as deterrent. Moreover, I'll suggest put on USPS site photo of the culprit (bleep political correctness), so everybody know 'who is who'. I guess that should be very effective for security for all. Scam masters like acting in the dark. Put them into spotlight!

For improvement of Form 3575:
(1)information should NOT be passed to any private business. You'll get a lot of junk mail thanks to current USPS policy. Period. You should have the right to OPENLY opt-out of any sharing.
(2)start open competition on USPS site for the best suggestion how to improve verification of the identity on Form 3575 with prize of $1000. We have a lot of creative folks around.

echoMay 18, 2018 11:18 AM

@Clive

I'm not sure if I'm remembering properly but don't some UK business place in their identification indentification requirements that a drivers licence is not accepted as proof of identity?

UK policy is a mess in many areas!

willisMay 18, 2018 11:24 AM

More than 40 million Americans formally change addresses every year with USPS.

Hundreds of companies then acquire that information through a database known as the 'National Change of Address Linkage' (NCOALink), which contains more than 160 million change-of-address records. Those entities, which are licensed by the USPS, then sell the information to direct mailers and other advertisers worlwide.

Federal Auditors found that the 515 companies with licenses to sell that information have little oversight from postal officials. The Postal Service is supposed to do security checks on them, but the agency had “never performed site security reviews of licensees’ environments,” auditors wrote, and does not ask the companies to submit security plans when they apply for licenses.

The companies stored some postal customers’ home addresses on databases shared by other companies. They also did not disclose the other businesses with which they share customer information, auditors wrote.

USPS address-change system is full of security deficiencies.


k15May 18, 2018 11:40 AM

What is the organization that's looking out for security flaws in the U.S.P.S. before they get exploited? If we will now be using the postal service for voting, it seems like a good idea, to be a little more alert to such things.

djMay 18, 2018 11:43 AM

USPS has been very inconsistent in sending out change of address notice/confirmation letters. Either that or they have been very inconsistent in delivering them.

Since 1995, not one of the change-of-address forms I submitted ever resulted in a confirmation notice sent to both the old and new addresses, but just one or the other. At least thrice, none at all were sent.

So, this must merely be Business As Usual.

AJWMMay 18, 2018 11:47 AM

It's not entirely true that there is no authentication. The post office will (sometimes?) send a letter to the old address asking for confirmation/denial. (One was sent to my house when my daughter moved out.) The problem is that it's default-confirm ... if you don't reply in the negative, they take it as good.

In a big organization I can easily imagine that confirmation going astray because some mail-room clerk didn't know what to do with it.

vas pupMay 18, 2018 12:06 PM

@willis:
Do you think the sound idea is to mapping somehow USPS passport service with change of address service?
Usually you are not changing address very often, so once a while you have to stop by post office (forget all electronic technology), get for payment of let say $3 numbered form, fill it out and submit to postal clerk with your id. After verification of identity, you form is going for actual processing. That is just small fee to save you out of possible scam and simultaneously to fund USPS with additional money for such service.
I agree with @ Impossible Stupid:
"People need to suggest a workable alternative before they start making a fuss."

k15May 18, 2018 12:11 PM

The postal service is considered "critical infrastructure", is it not? If it is, WTF does it have un-handled security flaws? If it isn't, WTF.

Doug BartonMay 18, 2018 12:52 PM

This is easily fixed by requiring an affirmative response to the notification letter for the COA to go into effect.

HMMay 18, 2018 1:18 PM

@ Doug Barton, re: "easily fixed by requiring an affirmative response to the notification letter for the COA to go into effect."

The problem is: what if you move to the other side of the country and don't submit the change-of-address request until the last minute. Then the confirmation request goes to the new owners at the old address; what if they forget/fail to send this in and you then don't get any mail? Or you move temporarily so there's nobody home at the old address to respond to the confirmation.

This is similar to change-of-email requests, i.e. what if you no longer have access to the old email address?

seen it doneMay 18, 2018 1:28 PM

Happened at Christmas. Called the 800 # as was told I had to go to the local post office to stop forward, computer systems are not linked. Then at post office was told a 17 day forward should have never happened. Still have never heard anything fro Postal Inspectors.

Brooks DavisMay 18, 2018 9:47 PM

There is also no real recourse if the post office misprocesses your change of address. Even when they fix it, the “new” address has been applied to many things (including bank and retirement account) and the correction doesn’t match. When we moved to our brand new house, someone entered a 2 where there should have been a 3 (probably because it took >6 months for our address to validate with any reliability) so our neighbors got quite a bit of our mail until we filed another change of address from the wrong address to the right one. If we’d shared a name with someone there it probably would have been impossible to fix.

Rj BrownMay 19, 2018 7:42 AM

What everyone here is missing is that a change of address without notifying the post office is a great way to shake off postal spammers. Instead of telling the post office your new address, you only tell those parties from which you desire to receive mail. The post office has nothing to do with it that way. Of course, if you *LIKE* spam...

moopsMay 19, 2018 5:17 PM

The only thing to fight this is penalty which make cost-benefit analysis is favor of not doing such fraud, and I mean financial penalties first.

I don't think that's true at all. The first and easiest step is to change the protocol to be a little more secure

1. user logs on to USPS website change of address form and makes a request and is asked to give a 4 digit PIN value for later use. Or fills out a form at the post office and drops it in the mail slot right there.

2. USPS mails that address with a COA form and a random number in the form or a bar code or other machine readable form.

3. You fill in your new address and write your PIN number and mail it back. USPS verifies the PIN and the random number and execute the change of address.

Not perfect, and it would take a tiny amount of better software at USPS. The attacker would need to submit a COA request and intercept this specific mail to the victim. Or compromise the USPS COA system. It would take about a week longer to change your address this way. Doesn't need any crypto.


Given that the stolen items in this case would be physical mail items it should be pretty easy to apprehend perpetrators of this fraud. At some point the criminal has to be physically accessible.

Mike StandMay 20, 2018 8:26 AM

Interesting to note that Clive doesn't appear to be too fussed about the distinction between immigrants, refugees, illegal immigrants, and terrorists. One might imagine the distinction to be important, particularly for someone with his background.

Impossibly StupidMay 20, 2018 9:30 AM

@moops

Your essential "verification" procedure was already given by Doug Barton and deconstructed by HM. The use case of a person losing access to the old location needs to be covered. That's really the only major difficulty here: devising an authentication/authorization scheme for an asset you no longer control.

Clive RobinsonMay 20, 2018 4:17 PM

@ Mike Stand,

Interesting to note that Clive doesn't appear to be too fussed about the distinction between immigrants, refugees, illegal immigrants, and terrorists

Well the question you should be asking yourself is, "Is it actually relevent to make a four way distinction when those framing the argument only make it two way?" Especially when it does have atleast a fifth group which are those that are "expelled" from their country for some reason or another...

Further you should be also asking "Is there any real difference between an immigrant and refugee when they are standing on the high street in your nearby town?"

The answer to that is probably not. In the main people tend to want to do similar things, which is make a life for themselves and their familes peacfully.

Whilst their are exceptions as you would expect generally they form a small part of human migration. Further when people do move from place A to place B it is to do with making an improvement in their and their families life. That is an immigrant generaly makes the choice for themselves without changes in place A, a refugee however tends to move due to changes in place A, such as civil or other war. But when they get to place B they both tend to want the same thing which is to improve life.

Now I'm far from clear what the purpose of your post was, but as far as I can remember "Mike Stand" is a new handle around here, but you appear to belive you know something about me which suggest the DNA behind the handle has been here for some time, and I'm guessing not as a lurker.

PatriotMay 20, 2018 4:44 PM

"Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later."


Notice your own reaction to the first sentence: it is kind of funny, right? The second sentence comes as no surprise and brings no worry. In our world, big systems do stupid things--which we actually sometimes enjoy--as long as it does not hurt us as individuals. ie. ME But when two 9-11 attackers got their U.S. passports sent to their homes--presumably in Saudi Arabia-- after their identities were published and available to almost everyone on earth, that was not as funny, but still no one really cared much.


"The problem, of course, is that in the US there isn't any authentication of change-of-address submissions: ..."

That sounds like a problem that could be solved with public-key cryptography. But this is not going to happen in the U.S. because it is gloriously, pleasantly dysfunctional. The little guy can still stick his tongue out at the Leviathan.

The U.S. is not going to solve this kind of problem, but a country like China already does. First, they think through things like this, and then the end-users, the people, don't play games with the Leviathan because it has the power to terrify--or, as Thomas Hobbes put it, "to keep all in awe."


"The whole process is a complete mess and has never been thought through by either politicians or bureaucrats until the problem was well and truly in existence with god alone knows how many people of ill intent (ie. not just terrorists but criminals, etc.) having slipped in..."

These days, not taking people of ill intent seriously is akin to having one foot in the grave. But where should society draw the line? Should people who make graffiti be punished severely? Should hackers who crack jokes and put them on servers be imprisoned?

What is the Leviathan? It is an imaginary body, a virtual corporation, an assembly of little homunculi: it is the boss, the titan of the unified Internet, the recipient of the will of the end-users who have given their consent and are made one in the single will of Leviathan. It is looking at you just like the figure in the frontispiece of Hobbes's "Leviathan, or the Matter, Forme, and Power of a Common Wealth, Ecclesiasticall and Civil" (1651).

Importantly, Leviathan towers over the landscape and sees everything. Leviathan has two arms: one carries a sword, which is his very real power to punish and terrify you, and the other controls a crozier, a bishop's staff, which symbolizes his power over the information you are given.

So, let's hope that Leviathan will exercise mercy, the most appealing act of his sovereignty; that his wisdom will be at least as deep as the inertia that used to stabilize the Anglo-Saxon world.

Ignazio PalmisanoMay 21, 2018 11:02 AM

@Clive

Considering the ease of getting a passport on the black market (old documentary on BBC, the journalist managed something like 20 out of 25 then-EU members, less than a grand each), in some cases the counterfeit being made with an authentic blank passport - the corruption went high enough for that - I doubt 'new' citizens and terrorists need to go through complex scams.

Also, many of the terrorists responsible for attacks in the last few years, whatever their religion, have been found to be EU citizens or legally immigrated. I have the nagging feeling the numbers going through refugee channels or driving licence scams have been inflated for other nasty reasons.

Clive RobinsonMay 21, 2018 4:00 PM

@ Ignazio Palmisano,

Also, many of the terrorists responsible for attacks in the last few years, whatever their religion, have been found to be EU citizens or legally immigrated.

Yes many EU citizens who shall we say migrated to the ME to join ISIS and the like, have found that returning home is not as easy as it once was. Thus some have taken up false identities or hidding as refugees to get back.

The question is what will they do in the future...

Which brings us to your nagging feeling,

I have the nagging feeling the numbers going through refugee channels or driving licence scams have been inflated for other nasty reasons.

In the UK certainly as part of Brexit hysteria, but also in other Northern European Countries as well "political mileage" has been made and the far right were at one point making gains.

But the fact remsins that nearly all recent terrorist attacks in France were carried out by much earlier immigrants to Belgium, where they were effectively "dumped" into what became ghetos. Likewise immigrants around Paris got dumped into "sink hole estates" and became rioters and criminals.

Thus the question arises as to why this was alowed to happen, and what will become of the more recent streams of migrants/refugees especially as work appears to be scarce even for natural born citizens in that age range.

But there is an important question you rareky if ever get to hear, which is what is going to happen to the countries they have left?

If all your proffessionals and skilled workers emigrate to the West one way or another what will this "brain drain" do to not just the country but those left behind?

Look at it this way, without doctors and nurses there will be little or no health service, and people will more easily become infirm and early mortality figures will rise... This in turn will encorage further migration.

Without being nasty, for those countries and the remaining citizens to in effect turn themselves around they need those migrants back.

It's a real quandary because migration in it's various forms can be seen as harmfull to both countries. That is the country they leave and the country they migrate to. However there is a subtext to this, when ciuntries become industrialized the birth rate almost always drops, thus there is insufficient young workers to earn excess income to pay for those who wish to retire early or even at all.

There are no easy answers to the mess that is caused by the way governments behave for various short term reasons. Likewise there are few people with realistic ideas of how to resolve the longterm issues either.

For instance in the UK we now have compulsory company pensions. However history shows us they are actually the worst possible way to fund retirment. And to put it politly many pension firms are little different to "bank criminals" in their outlook. When pensions were optional the companies made small efforts to be competitive. Now it is compulsory they have effectively formed the equivalent of a cartel with all it's down sides. Anoyingly we have seen this happen before with insurance for drivers on the public highways, and in the US and other countries with health care provision. In effect the law makes the cirizens hostages to the robber barrons who are the insurance and finance industry.

echoMay 21, 2018 4:56 PM

@Clive

I agree a signficant part of the problem is economic. The economic disparities are not so obviously as huge in the UK as some places but there are tilts in some areas such as local banking provision and concentration of resources around wealthier areas.

In the US I note one current case is the FBI using survellience of social media to target a black man who was a political activist.

I'm personally not that bothered by post-industrialisation population drops. Fewer and fewer have been doing more and more for ages. The issue seems less about money but who gets it and how much. This raises questions about lifestyle and quality of life and what jobs are valued. Given so much "make work" jobs and duplication and nonsense I imagine a lot of resources can be repurposed without any economic cost. This does seem to be the gist of arguments in some of the greener quarters.

Mike StandMay 22, 2018 3:44 AM

Yes, I am a long-time reader, and a very infrequent commenter. So long that I couldn't remember my handle (pre password manager). Maybe it used to be Mic Stand (uncle mic stand: old Radio Active joke). Or Anna Daptor. Or another of that ilk. Don't have the time to do a proper search though. Mind you, I never hid my real id from Bruce /the mods.
If this handle vanishes, I forget again, and another appears six months later, then you'll just have to try lexical analysis.

Ed R.May 23, 2018 3:27 AM

@echo
I expect Clive may remember the Finland Revenue scam (and prefilled deposit forms in banks). Classic!

Now I am curious, what was the "Finland Revenue scam"? Or did you maybe mean "Inland Revenue scam"?

Joe AMay 23, 2018 9:17 PM

I seem to remember a similar story about a Florida man who'd file "real property transfer" papers to transfer homes to himself, then get the real owners kicked out. Apparently the courts never authenticated the man as the owner, and just accepted the transfer request.

I couldn't find that story, but I found yet another example of a similar attack in the UK, which uses a centralized "land register" to keep track of property ownership.

Chris HMay 25, 2018 4:22 PM

This particular scam should have been easily stopped at any number of points in the cycle:
1. Whoever processed the change-of-address card should have looked up the address, realized that it was a corporate headquarters, and red-flagged the card for investigation.
2. Whoever delivered the mail, and their supervisor, should have figured out that it was highly irregular to get large volumes of mail addressed to UPS delivered to a small apartment.
3. UPS should have detected significant loss of multiple sensitive documents and other items in the first two weeks, and asked USPS about it.
4. UPS is a mail delivery company. They could easily ship any sensitive documents themselves.

Letting this go on for three months took incompetence on many levels. In particular, why not sue USPS for not detecting such an obvious fraud?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.