Last year (in fact almost a year ago exactly) we told you about the U.S. Post Office’s new ‘Informed Delivery’ service. For those of you not familiar with the USPS Informed Delivery service, well, count your blessings. Because the postal service has experienced a serious breach, making the personal information of all 60 million plus Informed Delivery users vulnerable.
From the Post Office’s website: “Informed Delivery is a free and optional notification service that gives residential consumers the ability to digitally preview their letter-sized mailpieces and manage their packages scheduled to arrive soon. Informed Delivery makes mail more convenient by allowing users to view what is coming to their mailbox whenever, wherever – even while traveling – on a computer, tablet, or mobile device.”
What this means is that the exposed database contained not only your email address and/or your mobile number (because you can get the Informed Delivery messages sent either by email or by text message), but also your street address.
Because (presumably) the Post Office is part of the United States government bureaucracy, the Secret Service got involved and, in fact, that’s part of how this story came to light.
According to Krebs on Security, the Secret Service disseminated an internal memo a couple of weeks ago to all of their law enforcement partners, detailing how criminals are exploiting the Informed Delivery service.
The Secret Service said that criminals had signed up for the Informed Delivery service, using the name and address of their potential victim, in order “to identify and intercept mail, and to further their identity theft fraud schemes.” Bear in mind that the Informed Delivery messages include images of the front of each envelope – envelope images that were being delivered right into the hands of the bad guys.
The Secret Service went on to say that “Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims.”
Just this past September seven people were arrested in Michigan for creating Informed Delivery accounts in the name of, and with the address of, their target victims. Then when they got the message from the Post Office that an envelope from a credit card company was being delivered to that address, they stole the credit card.
According to the Michigan District Attorney, the defendants created the Informed Delivery accounts “for the purpose of stealing mail and obtaining credit card account numbers assigned to other persons to purchase merchandise and stored-value cards (gift cards) from retailers.”
This was going on before the USPS data exposure (or at least before the data exposure came to light); now add the potential exposure of 60 million user accounts to the mix.
Note that this vulnerability was initially discovered by a researcher (who wishes to remain anonymous), and it’s unclear whether the security hole was patched before actual bad guys grabbed any of the data.
The researcher determined that they were able to log into the Informed Delivery system and then run a search query against the user database. The problem is that the system accepted what are known as ‘wild cards’ (typically an asterisk), so that someone could search for “S*” and get all names starting with ‘S’.
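To make the flaw and its fix concrete, here is an added illustration (not USPS code; the account records, field names and function names are constructed) contrasting a lookup that honours a wildcard across the whole user table with one that is scoped to the caller’s own account and rejects wildcard characters outright:

```python
import re
from dataclasses import dataclass


# Constructed sample records standing in for a user database (not real data).
@dataclass(frozen=True)
class Account:
    account_id: int
    name: str
    email: str
    street_address: str


USERS = [
    Account(1, "Sam Example", "sam@example.com", "1 Example Street"),
    Account(2, "Sue Sample", "sue@example.com", "2 Sample Road"),
    Account(3, "Tom Placeholder", "tom@example.com", "3 Placeholder Lane"),
]

# Characters that common search backends treat as pattern metacharacters.
WILDCARD_CHARS = re.compile(r"[*%_?\[\]]")


def naive_search(query: str) -> list:
    """Weak pattern: any logged-in caller searches the whole table, and a
    trailing '*' is honoured as a wildcard, so 'S*' enumerates every
    account whose name starts with S."""
    pattern = re.compile("^" + re.escape(query).replace(r"\*", ".*") + "$", re.I)
    return [u for u in USERS if pattern.match(u.name)]


def hardened_search(caller_id: int, query: str) -> list:
    """Hardened pattern: reject wildcard metacharacters before the query
    reaches the backend, and only ever return the caller's own record, so
    a valid login cannot be turned into a directory of other people's
    names, email addresses and street addresses."""
    if WILDCARD_CHARS.search(query):
        raise ValueError("wildcard characters are not permitted in lookups")
    return [
        u for u in USERS
        if u.account_id == caller_id and u.name.lower() == query.lower()
    ]
```

The authorization scoping is the important half: stripping wildcards alone still lets an authenticated user look up other accounts one exact name at a time.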
The researcher says that they reported the flaw to the Post Office over a year ago, and it has only just been patched, so it’s not unreasonable to assume that your personal information may have fallen into the hands of someone wanting it for nefarious reasons. It wasn’t until Krebs contacted the USPS about the matter this month that the post office took care of it, meaning that the flaw was wide open for at least a year.
Remember the post office’s jingle? “We’re the postal service, we deliver for you.”
We’re thinking it may be more apt to sing “We’re the postal service, we deliver you”… into the hands of identity thieves and other criminals.