Maliciously Changing Someone's Address

Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later.

The problem, of course, is that in the US there isn't any authentication of change-of-address submissions:

According to the Postal Service, nearly 37 million change-of-address requests, known as PS Form 3575, were submitted in 2017. The form, which can be filled out in person or online, includes a warning below the signature line that "anyone submitting false or inaccurate information" could be subject to fines and imprisonment.

To cut down on possible fraud, post offices send a validation letter to both an old and new address when a change is filed. The letter includes a toll-free number to call to report anything suspicious.

Each year, only a tiny fraction of the requests are ever referred to postal inspectors for investigation. A spokeswoman for the U.S. Postal Inspection Service could not provide a specific number to the Tribune, but officials have previously said that the number of change-of-address investigations in a given year totals 1,000 or fewer typically.

While fraud involving change-of-address forms has long been linked to identity thieves, the targets are usually unsuspecting individuals, not massive corporations.

Posted on May 18, 2018 at 6:20 AM • 24 Comments


echo • May 18, 2018 7:44 AM

In the UK this is an old scam. People used to apply for credit cards and whatnot and have them sent to an address which had been redirected. From what I remember checks were introduced to put an end to this. Limited proof is required which makes identity potentially spoofable. If I recall there has also been the odd case of telephone lines being intercepted to spoof a bank when crooks were purchasing high value items such as gold and the company wanted authentication of a bankers draft.

In UK law there is no defined identification document which means if a citizen wishes to be awkward and is happy going to court this can become very interesting. Passports are a funny thing too. I need to check if the law has changed but, basically, a citizen is free to leave or enter the UK without any form of passport. Passports themselves are a fairly recent invention. Within Europe travel was possible across borders without any form of identification until the idea of the modern state began to assert itself. In the UK Oliver Cromwell introduced birth certificates to aid with people knowing their lineage and the welfare of women. Of course, from another angle this was feature creep on the Thomas Wolsey doctrine of "All ur data belong to US" of which RPIA and similar efforts including GCHQ via its annual request getting its mittens on your BBC and NHS data and anything not locked down or lost half way through local government pay negotiations.

May 18, 2018 7:44 AM

In Portugal everyone has a citizen card with biometrics which serves for authentication (everybody has a unique citizen number from birth) and also has the citizen's official street address.

echo • May 18, 2018 8:06 AM


The continental view is very different. In the UK we have the right wing "Magna Carta" fantasists up in arms every time citizens documents are raised.

UK law on documents is a bit murky. Essentially government hides behind "historical documents" in court when really what government means is they have "possession" and "bigger guns" so they belong to them "Neee ner". This does lead to unchallengeable inaccuracies and other human rights horrors mostly to uphold a dogmatic view or protect a job titles career interests.

I expect Clive may remember the Finland Revenue scam (and prefilled deposit forms in banks). Classic!

Impossibly Stupid • May 18, 2018 8:15 AM

The problem, of course, is that there isn't any authentication of change-of-address

What is there that can be authenticated? It's a physical location, not an individual account you have set up. They send a notification letter to the old/new physical locations. It then falls on whoever has secured that location to finalize the authorization. People need to suggest a workable alternative before they start making a fuss.

Franc • May 18, 2018 8:51 AM


Checks... he intercepted checks. Why are businesses sending checks? Just transfer the bits direct :)

Clive Robinson • May 18, 2018 9:25 AM

@ echo,

Limited proof is required which makes identity potentially spoofable.

It used to be a proof of ID and a proof of residence, such as a utility bill.

Now most utilities have gone on line, and they require no proof of residence to put your name on the bill.

In the past that would have stopped the scam because the bill would be sent by post thus would in theory get caught by the householder...

However utilities now allow you to print out the bill and thus the Post Office will accept the bill you print out wherever you might be as the scammer (could be a random public library or Internet cafe or open WiFi).

Thus the scammer can change the bill, print it out, be down the post office and get the mail divert in their name within an hour. The letter from the utility might not go out for a week or two, thus the scammer gets the diverted letter...

The thing about most address related security is it's all based on very weak security in quantity rather than a stronger single source.

As for the photo ID the UK is required under EU law to use "equivalence" at the individual level or get prosecuted for discrimination.

Thus with strong authentication required for UK drivers licences (actually stronger than passports), the UK drivers licence is deemed acceptable for UK Photo ID. However some EU countries have little or no security on drivers licences (just as it used to be in the UK). Thus with the "equivalence" a scammer can go to one of the weak security drivers licence countries, make a fake application, safely get a genuine drivers licence, bring it back to the UK and be entitled to use it as strong ID photo authentication...

A loop hole that has been estimated as having been used by over a million "new EU country citizens" in "old EU countries"...

The recent influx of "middle east refugees" into "old EU countries" has more recently provided another loop hole... Which has at least been recognised as a method being used by terrorists.

But rumour has it that no changes have been made yet because of the influence of "Mummy Merkel", who wants more refugees to come to Europe... Now I can not say one way or the other if it is true or not. But the need for immigration into Europe to make up for the falling birth rate, actually makes both political and fiscal sense. What does not make sense is not having a properly working system to detect "Disposable DNA" trying to abuse the system to get terrorists into the EU, regardless of if they are radicalised EU citizens, or radicalised citizens of other nations slipping in with genuine refugees...

The whole process is a complete mess and has never been thought through by either politicians or bureaucrats until the problem was well and truly in existence with god alone knows how many people of ill intent (ie not just terrorists but criminals etc) having slipped in...

vas pup • May 18, 2018 10:57 AM

The only thing to fight this is penalty which makes cost-benefit analysis in favor of not doing such fraud, and I mean financial penalties first.
All US mails are scanned and images are stored in DB. Moreover, on the mail are other features (like fingerprints) to identify culprit.
Recently, it was good action on FTC side to impose huge (millions $ fine) on telemarketer for caller id-spoofing in particular and robocalls.
Good job!
I guess when Postal Inspector really finds culprit of the scam, it should be made public as much as possible to serve as deterrent. Moreover, I'll suggest put on USPS site photo of the culprit (bleep political correctness), so everybody knows 'who is who'. I guess that should be very effective for security for all. Scam masters like acting in the dark. Put them into spotlight!

For improvement of Form 3575:
(1) information should NOT be passed to any private business. You'll get a lot of junk mail thanks to current USPS policy. Period. You should have the right to OPENLY opt-out of any sharing.
(2) start open competition on USPS site for the best suggestion how to improve verification of the identity on Form 3575 with prize of $1000. We have a lot of creative folks around.

echo • May 18, 2018 11:18 AM


I'm not sure if I'm remembering properly but don't some UK businesses place in their identification requirements that a drivers licence is not accepted as proof of identity?

UK policy is a mess in many areas!

willis • May 18, 2018 11:24 AM

More than 40 million Americans formally change addresses every year with USPS.

Hundreds of companies then acquire that information through a database known as the 'National Change of Address Linkage' (NCOALink), which contains more than 160 million change-of-address records. Those entities, which are licensed by the USPS, then sell the information to direct mailers and other advertisers worldwide.

Federal Auditors found that the 515 companies with licenses to sell that information have little oversight from postal officials. The Postal Service is supposed to do security checks on them, but the agency had “never performed site security reviews of licensees’ environments,” auditors wrote, and does not ask the companies to submit security plans when they apply for licenses.

The companies stored some postal customers’ home addresses on databases shared by other companies. They also did not disclose the other businesses with which they share customer information, auditors wrote.

USPS address-change system is full of security deficiencies.

k15 • May 18, 2018 11:40 AM

What is the organization that's looking out for security flaws in the U.S.P.S. before they get exploited? If we will now be using the postal service for voting, it seems like a good idea, to be a little more alert to such things.

dj • May 18, 2018 11:43 AM

USPS has been very inconsistent in sending out change of address notice/confirmation letters. Either that or they have been very inconsistent in delivering them.

Since 1995, not one of the change-of-address forms I submitted ever resulted in a confirmation notice sent to both the old and new addresses, but just one or the other. At least thrice, none at all were sent.

So, this must merely be Business As Usual.

AJWM • May 18, 2018 11:47 AM

It's not entirely true that there is no authentication. The post office will (sometimes?) send a letter to the old address asking for confirmation/denial. (One was sent to my house when my daughter moved out.) The problem is that it's default-confirm ... if you don't reply in the negative, they take it as good.

In a big organization I can easily imagine that confirmation going astray because some mail-room clerk didn't know what to do with it.

vas pup • May 18, 2018 12:06 PM

Do you think the sound idea is to map somehow USPS passport service with change of address service?
Usually you are not changing address very often, so once in a while you have to stop by post office (forget all electronic technology), get for payment of let's say $3 numbered form, fill it out and submit to postal clerk with your id. After verification of identity, your form is going for actual processing. That is just small fee to save you out of possible scam and simultaneously to fund USPS with additional money for such service.
I agree with @ Impossibly Stupid:
"People need to suggest a workable alternative before they start making a fuss."

k15 • May 18, 2018 12:11 PM

The postal service is considered "critical infrastructure", is it not? If it is, WTF does it have un-handled security flaws? If it isn't, WTF.

Doug Barton • May 18, 2018 12:52 PM

This is easily fixed by requiring an affirmative response to the notification letter for the COA to go into effect.

HM • May 18, 2018 1:18 PM

@ Doug Barton, re: "easily fixed by requiring an affirmative response to the notification letter for the COA to go into effect."

The problem is: what if you move to the other side of the country and don't submit the change-of-address request until the last minute. Then the confirmation request goes to the new owners at the old address; what if they forget/fail to send this in and you then don't get any mail? Or you move temporarily so there's nobody home at the old address to respond to the confirmation.

This is similar to change-of-email requests, i.e. what if you no longer have access to the old email address?

seen it done • May 18, 2018 1:28 PM

Happened at Christmas. Called the 800 # as was told I had to go to the local post office to stop forward, computer systems are not linked. Then at post office was told a 17 day forward should have never happened. Still have never heard anything from Postal Inspectors.

Brooks Davis • May 18, 2018 9:47 PM

There is also no real recourse if the post office misprocesses your change of address. Even when they fix it, the “new” address has been applied to many things (including bank and retirement account) and the correction doesn’t match. When we moved to our brand new house, someone entered a 2 where there should have been a 3 (probably because it took >6 months for our address to validate with any reliability) so our neighbors got quite a bit of our mail until we filed another change of address from the wrong address to the right one. If we’d shared a name with someone there it probably would have been impossible to fix.

Rj Brown • May 19, 2018 7:42 AM

What everyone here is missing is that a change of address without notifying the post office is a great way to shake off postal spammers. Instead of telling the post office your new address, you only tell those parties from which you desire to receive mail. The post office has nothing to do with it that way. Of course, if you *LIKE* spam...

moops • May 19, 2018 5:17 PM

The only thing to fight this is penalty which makes cost-benefit analysis in favor of not doing such fraud, and I mean financial penalties first.

I don't think that's true at all. The first and easiest step is to change the protocol to be a little more secure:

1. user logs on to USPS website change of address form and makes a request and is asked to give a 4 digit PIN value for later use. Or fills out a form at the post office and drops it in the mail slot right there.

2. USPS mails that address with a COA form and a random number in the form or a bar code or other machine readable form.

3. You fill in your new address and write your PIN number and mail it back. USPS verifies the PIN and the random number and executes the change of address.

Not perfect, and it would take a tiny amount of better software at USPS. The attacker would need to submit a COA request and intercept this specific mail to the victim. Or compromise the USPS COA system. It would take about a week longer to change your address this way. Doesn't need any crypto.

Given that the stolen items in this case would be physical mail items it should be pretty easy to apprehend perpetrators of this fraud. At some point the criminal has to be physically accessible.
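
The three-step flow proposed in the comment above, modelled as an added example (not code from the post, the commenter, or USPS). It assumes the letter is mailed to the address currently on file; the class and function names, the 8-digit random number, the three-try lockout and the sample addresses are choices made here.

```python
import hmac
import secrets

MAX_TRIES = 3  # assumed lockout threshold; the comment does not give one

class CoaDesk:
    """Toy model: request with PIN, nonce mailed to address on file, mailed reply."""
    def __init__(self):
        self.pending = {}   # address on file -> {"pin", "nonce", "tries"}
        self.forwards = {}  # address on file -> new address, once in effect
        self.mailbag = []   # (delivery address, nonce): letters sent by post

    def request(self, addr, pin):
        # Steps 1-2: requester chooses a PIN; a random number is mailed to addr.
        nonce = f"{secrets.randbelow(10**8):08d}"
        self.pending[addr] = {"pin": pin, "nonce": nonce, "tries": 0}
        self.mailbag.append((addr, nonce))

    def confirm(self, addr, new_addr, pin, nonce):
        # Step 3: nothing changes unless PIN and mailed number both match.
        rec = self.pending.get(addr)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(pin, rec["pin"])
        nonce_ok = hmac.compare_digest(nonce, rec["nonce"])
        if pin_ok and nonce_ok:
            self.forwards[addr] = new_addr
            del self.pending[addr]
            return True
        rec["tries"] += 1
        if rec["tries"] >= MAX_TRIES:
            del self.pending[addr]  # burn the request so guessing cannot continue
        return False

def run_scenarios():
    desk, hq = CoaDesk(), "1 Example Plaza"  # constructed address
    # Forger files a request but never sees the letter delivered to hq.
    desk.request(hq, "4821")
    real = desk.mailbag[-1][1]
    # 7-digit guesses can never equal the 8-digit number, keeping the demo deterministic.
    guesses = [desk.confirm(hq, "Apt 9", "4821", g) for g in ("0000000", "1234567", "7654321")]
    after_lockout = desk.confirm(hq, "Apt 9", "4821", real)
    # Occupant files a real request; someone who opens the letter lacks the PIN.
    desk.request(hq, "7305")
    real = desk.mailbag[-1][1]
    letter_only = desk.confirm(hq, "Apt 9", "0000", real)
    occupant = desk.confirm(hq, "2 Example Plaza", "7305", real)
    return guesses, after_lockout, letter_only, occupant, desk.forwards

if __name__ == "__main__":
    print(run_scenarios())
```

A 4-digit PIN adds little entropy by itself, so the mailed number and the retry limit carry most of the check. The model has no path for a mover who can no longer receive mail at the old address, the case HM raises earlier in the thread.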

Mike Stand • May 20, 2018 8:26 AM

Interesting to note that Clive doesn't appear to be too fussed about the distinction between immigrants, refugees, illegal immigrants, and terrorists. One might imagine the distinction to be important, particularly for someone with his background.

Impossibly Stupid • May 20, 2018 9:30 AM


Your essential "verification" procedure was already given by Doug Barton and deconstructed by HM. The use case of a person losing access to the old location needs to be covered. That's really the only major difficulty here: devising an authentication/authorization scheme for an asset you no longer control.
