Darkoshi (darkoshi) wrote 2021-01-10 03:34 pm

USPS Informed Delivery, notes

Today I signed Qiao up for USPS Informed Delivery at his address, with his consent.

It no longer gives the option to email photos of your upcoming mail to you. Instead, you need to sign in to the site to view the photos (like I always do for my address), or use an app on your phone. I'd never thought that having it sent via (insecure) email was a good idea anyway.

[ updated, 2021/01/22: There IS still an option for "daily digest email notifications" after all. I'm not sure if it actually emails you photos of the mail though, or if it only notifies you that you received mail for the day. ]

While signing up, it gave the option to verify your identity online, or via the mail. I chose the online option, which simply involved entering Qiao's phone number. There were no knowledge-based questions at all. Then the page said the verification was successful! It didn't even text a code to his phone and require him to reply. What's to stop anyone who knows someone else's address and phone number (and suspects that they don't already have an account), from creating an account to see and snoop on their mail??

The USPS site (see below link) says that they send a paper mailing to you after you've signed up, with a code to unsubscribe in case it wasn't really you who signed up.
But what's to stop a bad actor in your own neighborhood from signing you up, then surreptitiously checking your mailbox each day til that mailing comes, and stealing it?

Krebs on Security already warned about this kind of problem 2 and more years ago, and it doesn't seem like much has been done since then:
U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service

It seems to me the best defense is to sign yourself up for the service, before anyone else can fraudulently sign up in your name. But even then, the above report indicates that if multiple people can get mail at an address, you'd have to do it for each person.

But still, a comment by "David" on that page indicates that being signed up still doesn't stop you from being able to sign up again! "Because the USPS doesn’t allow you to reset a password for a forgotten account (instead telling you to create a new one), I was able to sign up a new account for informed delivery, even though I already had one (for the same name) in place."

Perhaps related to that, after setting up an account, there's an option in the settings for "Account Recovery". Apparently if you DO NOT manually enable this, you won't be able to recover your account when you forget the password. In this section you need to enter a mobile phone number and verify it (even though before this point I've already entered Qiao's number twice to set up the account, without it having been verified.)
Activating the Account Recovery service involves a two-step process of validating your mobile phone number and opting-in to the service.

..

As I suspected, no real action is taken when you tick that checkbox about mail not having been received, though it may help with an investigation, if enough mail goes missing on a broad scale, that they're forced to look into it:

Informed Delivery® Privacy & Security Concerns

What action can I take if a mailpiece in today’s alert has not arrived in my physical mailbox?

Informed Delivery® provides notifications for mailpieces arriving soon - not necessarily mailpieces arriving that same day. Pieces can be delayed in getting to your mail carrier. Or, unfortunately, a mailpiece could be misdelivered. We ask that you allow several days for delivery after receiving the notification.

Unfortunately, an occasional piece of mail may fail to reach its destination. Reports of mail loss greatly concern us. Regrettably, when such instances are brought to our attention, there is no sure way of determining what may have happened. With the large volume of mail moving through our network each day, it is not feasible to trace a single piece of letter-sized mail. If the piece is not received, we recommend that you contact the sender to request re-delivery of the mailpiece if warranted. Persistent delivery issues should be reported to your local Post Office.

With the Informed Delivery feature, there is an option to report instances where you've received an image of a mailpiece, however, the physical mailpiece has not arrived in your mailbox. Users can click the checkbox under the specific image in their dashboard to indicate that a mailpiece was not received. This information is routed to the U.S. Postal Inspection Service (USPIS) and/or the Office of Inspector General (OIG) for investigative purposes. No additional action is taken; these submissions do not result in any search activity or customer response.
