Ineffective Package Tracking Facilitates Fraud

This article discusses an e-commerce fraud technique in the UK. Because the Royal Mail only tracks packages to the postcode—and not to the address – it’s possible to commit a variety of different frauds. Tracking systems that rely on signature are not similarly vulnerable.

Posted on September 25, 2019 at 6:01 AM13 Comments


Fraud Guy September 25, 2019 7:12 AM

Signature based systems are more secure, but are not customer friendly as they require them to be home to sign for the package.

Postman Pat September 25, 2019 7:28 AM

For those unfamiliar with the UK postcode system, it is pretty fine grained. From Wikipedia:

“The postcode unit is two characters added to the end of the postcode sector. A postcode unit generally represents a street, part of a street, a single address, a group of properties, a single property, a sub-section of the property, an individual organisation or a subsection of the organisation.”

As you see, it can be more accurate than a standard address. Here in Australia a postcode usually represents a whole town. Sometimes two towns. No, I have no idea how that works either.

Greg September 25, 2019 8:05 AM

Seems like it’s analogous to the ZIP+4 system in the US. Those additional 4 digits narrow it down quite a bit, but not to individual addresses in a dense area.

JonKnowsNothing September 25, 2019 9:29 AM

The UK post code system must be pretty good at IDing folks.

iirc baddy

A while back, their NHS health system with all of that juicy data on folks, was force-digitized and some Big Dude Companies promised to honor patient privacy in exchange for the contract and access to the raw data. The so-called-anonymized data had a 2 digit post code attached to the data.

Took those Big Dude Companies about a nano-second to direct map a huge segment of the population and of course ID the data sets too.

Post codes are great targets, better than city names ’cause there are often more than one city or area with the same name.

Asking for the City of Paris might not take you France.

Jon September 25, 2019 10:06 AM

If anyone ever bothers to check a signature against one on file. I guess it provides plausible deniability, if wildly different. But who cares? They haven’t cared with credit cards for a decade or more. J.

Impossibly Stupid September 25, 2019 10:49 AM

Coincidentally, the topic of encoding locations has recently come up in sci.crypt, too. Back in 2016 I blogged about a couple different methods, including a breakdown on why what3words is such a terrible system; shame on the Guardian for credulously pushing them just because they’re British. There’s no reason to adopt a closed standard just to represent a couple numbers.

And while local postal codes are indeed outdated, it’s hard to blame the Royal Mail for what eBay does with the imprecise tracking data they may provide. Even if they send something to the correct address and require a signature, fraudsters can still use an empty box or substitute a broken product. You can’t expect a mail carrier to sit there and inspect the items with knowledge of what “should” have been sent. They do delivery, not escrow.

Fazal Majid September 25, 2019 1:00 PM

Tracking fraud by package delivery agents is widespread, i.e. they will mark a package as delivered even if it isn’t and they are running late, because they risk being fired or other financial repercussions if their numbers drop. I’m surprised more carriers don’t require them to take a photo of the package as delivered, if only to prove delivery actually occurred if the client disputes it.

Zaphod September 25, 2019 3:08 PM

Last Christmas my delivery driver kept ahead of schedule by not stopping for lunch – he opened my Fortnum & Mason package and ate half my family size pork pie.

Turned out ok as F&M refunded the entire cost of order – considerably more than the pie and let me keep all the items.


lurker September 25, 2019 8:02 PM

The big A has twice this year shown me items tracked as “shipped”, then “checked into [A or Carrier] facility”, then no movement until 12 days later it turns up in my mailbox the far side of the ocean. And it’s not that A can’t track offshore: I frequently track items going thru Customs at this end, and going onto a local courier for delivery

Eugine_Nier September 25, 2019 11:19 PM

Jon is correct. Given that it takes an expert to verify them, and they’re ridiculously easy to fake with modern technology, signatures are for all intents and purposes an example of security theatre.

A Nonny Bunny September 28, 2019 2:56 PM

Tracking systems that rely on signature are not similarly vulnerable.

A lot of my packages are “signed for” by the postman as he leaves them behind unattended.
It works better in theory than in practice.

Melanie Chorisglossa September 29, 2019 8:30 AM

Given the number of postal packs a pair of sf fans receive, I can be surprised the haven’t had worse happen than just 3 packages go missing over a 14 year period living in Western Europe (not the UK). (Mind, a majority of those packages arrive when someone is here to take them, but not always – that’s two of the three that disappeared…)

That said, the most egregious has been the one supposedly confirmed with my “signature”, supposedly done on one of those screen thingies… supposedly delivered on a weekend when in fact only Dear Hubby was home, and I was away at a major weekend event.

It’s a small thing, but after that, my approach has become signing my name, then signing through it with the date of delivery.

I’ve actually had someone get mad at me for that… but only once in about 5-6 years since making this my go-to method.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.