Just in time for the holiday season, the U.S. Secret Service issued an alert that cybercriminals were using the United States Postal Service’s (USPS) Informed Delivery Alert to obtain information supporting identity theft and other forms of fraud. Krebs Security reported the potential information leak issue a year ago; however, the USPS provided no public response until November 2018.
The delivery alert mechanism is a tool to inform customers that their packages and letters have reached their destination. The online portal is also a way for users to see what mail is on the way before it gets to their mailbox or doorstep. The question we need to ask is why it took so long for the Government to react to the cyber vulnerability. With the information of several million people at risk, why didn’t the U.S. Government care more?
The USPS’ web browser allowed anyone using the system to apply wildcards in search parameters and move freely without authentication points. This is network security 101. The security flaw was said to have affected 60 million users and their private data, including emails, social security number, username and ID, account number, and contact information. The information in the database was easily accessible to seasoned hackers. These types of threats are not well understood by the public, but they are a real failure in the eyes of most cybersecurity professionals.
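The class of flaw described above, wildcard search with no per-request authorization, is shown here next to a hardened version. This is an added example, not USPS code: the records, field names and function names are constructed for illustration.

```python
import fnmatch

# Constructed sample records; field names are assumptions, not the USPS schema.
ACCOUNTS = [
    {"id": 1, "owner": "alice", "email": "alice@example.com", "phone": "555-0100"},
    {"id": 2, "owner": "bob", "email": "bob@example.com", "phone": "555-0101"},
    {"id": 3, "owner": "carol", "email": "carol@example.org", "phone": "555-0102"},
]
WILDCARDS = set("*?[]%")  # glob and SQL LIKE metacharacters


class Forbidden(Exception):
    """Raised when a request must be refused (HTTP 403 in a real service)."""


def search_vulnerable(caller, email_pattern):
    # Flaw: 'caller' is never checked and the parameter is matched as a
    # pattern, so one query can return every other user's record.
    return [a for a in ACCOUNTS
            if fnmatch.fnmatchcase(a["email"], email_pattern)]


def search_hardened(caller, email):
    # 1. Require an authenticated identity on every request.
    if not caller:
        raise Forbidden("authentication required")
    # 2. Exact-match lookups only: refuse wildcard metacharacters outright.
    if WILDCARDS & set(email):
        raise Forbidden("wildcards are not allowed in search parameters")
    # 3. Object-level authorization: return only records the caller owns.
    return [a for a in ACCOUNTS
            if a["email"] == email and a["owner"] == caller]


if __name__ == "__main__":
    print(len(search_vulnerable(None, "*")), "records leaked by the flawed search")
    print(search_hardened("alice", "alice@example.com"))
    print(search_hardened("alice", "bob@example.com"))  # [] (not the caller's)
```

Refused requests like the ones raised here are also worth logging, since repeated wildcard or cross-account lookups from one session are a clear enumeration signal.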
Creating an Informed Delivery Account
In order to create an Informed Delivery account, you are required to enter basic information such as your name, address, and e-mail. And, like creating most other accounts, you must verify that you really are who you say you are. This is a basic component of authentication. Of course, the USPS realizes that anyone can claim to be somebody they’re not, so to verify your account you are instructed to answer a few questions related to your background. This might include past addresses, the city you were born in, and potentially the model of your first car.
The issue is that this information can now be found on the internet with the help of our good old friend, Google. Facebook is another great place to fill in the pieces of someone’s life if you are trying to be them. Hackers also have specific information from previous hacks like the Equifax breach. Access to all this information makes normally private data public knowledge.
With access to the information that hackers glean from the USPS site, the world becomes the hacker’s oyster. They can use the obtained data as their tools and mine riches in your name. Worse, they can use the profile to steal directly from you with highly convincing impersonation techniques. For instance, your highly sensitive information allows hackers to easily sign up for credit cards. Some hackers even go through the process of waiting at your mailbox for the new credit card to arrive. Sometimes they even get the card in their name as your authorized user.
By utilizing the “real-time” technology that information delivery accounts provide, scammers avoid being caught. They don’t need to leave files and clunky call-home software on the USPS portal. They become a part of the normal workings of the system.
A Year in the Making
How can people reasonably expect that it is safe to insert information into a Government system if, when notified of an issue, the Government does not take swift action to resolve it? It is not clear how keeping this information under wraps has benefited USPS or its customers. Undermining the trust of an institution and its systems is the fastest way to lose customers. This is something that the USPS can ill afford to do, as it runs large deficits every year and needs every customer.
The USPS is a critical part of our daily American lives, and just as we believe mail that is sent will arrive, we must believe our information is secure. We trust in the USPS as an honest broker and an organization that will get the job done under all circumstances. The lesson is that even when hackers do gain access, it is critical that the same type of integrity we expect in mail delivery is maintained in information management. Failure to inform and failure to act is behavior that assures we eventually lose faith in the service.
It is a new world in the information delivery domain: there will soon be two types of businesses. The first is those we believe can protect our data. The second is those we can’t trust with life-altering information. As our world is now digitized, this means you will not be in business long if you fall into the second category.
We recommend creating your own personal account under your name and address. If you do this, any hacker who tries to use your credentials will be unable to do so because the name has already been used. We can’t say scammers won’t figure a way around this, but hopefully the USPS will step up their game before it is too late. It remains to be seen if the USPS can improve their delivery of cybersecurity results in the way they have not been able to cost-effectively speed the delivery of your mail.