SALT LAKE CITY (ABC 4 News) – The United States Postal Service will deliver hundreds of millions of packages this holiday season. Criminals, however, are finding new ways to steal your packages.
This time, they are exploiting a service that allows you to see what’s coming in the mail before it actually arrives.
It’s called “Informed Delivery” and criminals are using your information to sign you up without you even knowing. The service emails you scanned images of your mail the day it’s supposed to be delivered.
It’s the sign-up process that some cyber security experts are worried about.
“From a cyber security perspective, the way that they validate new accounts is inherently weak. They ask you questions to answers that you already know. That only you should be able to know,” said Aaron Sherman, Senior Director of Cyber Threat Intelligence at Braintrace.
The problem with the sign-up process is most of that information is already online somewhere.
“All that information about previous addresses and houses is already available on the internet and the dark web. So, criminals have access to that information and they can authenticate as you,” said Sherman.
With just a few clicks, Sherman showed ABC 4’s Kara Murphy just how easy it was to get her information and sign up as her.
So how can you protect yourself? Sherman says there’s one sure way.
“If your credit is frozen, they’re not going to be able to get that information from the credit bureau to be able to ask you. So if it’s frozen, you’ll be 100 percent protected from any service like this,” said Sherman.
The United States Postal Service says you can also protect yourself by calling them and requesting that no Informed Delivery accounts be allowed for your address.
When sent an interview request about Informed Delivery, USPS sent ABC 4 this statement:
The incident reported last week was not a breach of customers’ data. It was a system vulnerability, which was quickly mitigated by the Postal Service. We have no information to indicate that any customer data was exploited before we mitigated the vulnerability.
Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service use industry best practices to constantly monitor our network for suspicious activity. Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.
Finally, and contrary to some media reports, the Postal Service is not aware of being contacted about this issue a year ago. Any information security incidents or suspicious activities should be reported to the Postal Service CyberSecurity Operations Center at or 866-877-7247.