Items tagged with: mail
Why does a vegan get ads for ice cream?
My friend, let’s call him Jake, has been a #vegan for years, long before it was trendy.
He said the other day, “Okay, Bill, you’re the one who keeps telling me about the terrible things the #internet can do (he usually ignores most of my advice) so how come I get #ads for Ben & Jerry’s in my emails on my Mac? They keep screaming at me, ‘Hey, Jake! Buy Ben ’n’ Jerry’s now!’”
I try to ignore the irritation I feel that he hasn’t even installed an #adblocker yet and ponder the problem. “Hmm, which email provider do you use, Jake?”
“Hotmail,” he said, sheepishly.
I gave a weary sigh. As some in the Federation know, Hotmail and Gmail collect keywords in our private subject lines and contact list and sell them on to advertisers without our knowledge or permission – especially if we don’t fix our privacy settings.
I asked him if he had any people in his contact list called Ben or Jerry. He had a think. A flicker of recognition shone in his eyes and we both knew.
“Stop using it, Jake,” I said. “Use Tutanota or Mailfence at least…”
He is addicted to convenience.
He is still using Hotmail.
#apple #consumertech #privacy #tech #Google #locationtracking #surveillance #monitoring #adblockers #ads #digitaladvertising #internetmarketing #gmail #hotmail #outlook #microsoft #mail #data #corporations #telemetry #mass-surveillance #surveillance #tracking #trackers #spyware #surveillancecapitalism #icecream #icecreamcone #mac #ios #ipad
Article word count: 715
HN Discussion: https://news.ycombinator.com/item?id=19311145
Posted by omilu (karma: 661)
Post stats: Points: 113 - Comments: 154 - 2019-03-05T15:33:48Z
#HackerNews #and #digitally #incoming #mail #packages #preview #usps
What is Informed Delivery®?
Informed Delivery is a free and optional notification service that gives residential consumers the ability to digitally preview their letter-sized mailpieces and manage their packages scheduled to arrive soon. Informed Delivery makes mail more convenient by allowing users to view what is coming to their mailbox whenever, wherever – even while traveling – on a computer, tablet or mobile device. To automate the sortation and delivery of mail, the United States Postal Service® (USPS) digitally images the front of letter-sized mailpieces that run through automation equipment. USPS is now using those images to provide digital notifications to users in advance of the delivery of physical mail. Informed Delivery benefits the entire household, ensuring that everyone has visibility into mail and package delivery each day. Informed Delivery allows users to take action before important items reach their mailbox, while offering mailers an unprecedented opportunity to engage users through synchronized direct mail and digital marketing campaigns.
How does Informed Delivery® work? What will I see?
Informed Delivery allows users to interact with their incoming mail and packages in one convenient, online location. Users receive email notifications containing grayscale images of the exterior, address side of incoming letter-sized mailpieces that are arriving soon. These images are also accessible on the Informed Delivery dashboard at informeddelivery.usps.com. (Images of larger mail, such as catalogues or magazines, are only provided if the mailer conducts a synchronized digital marketing campaign.) For items with USPS Tracking®, users will be able to view delivery status of packages, provide USPS Delivery Instructions™, manage their notifications, and schedule redelivery from the dashboard. Most USPS domestic packages tied to the address associated with a USPS account will be automatically available on the Informed Delivery dashboard. Users can also receive USPS Tracking updates for incoming packages via separate email or text notifications. The dashboard displays mailpiece images for a seven-day period, while package information will display for 15 days after each package has been delivered. Users can opt-in to receive email or text notifications with status updates for incoming packages, too.
In order for the feature to provide mail images to the appropriate recipient(s), each multi-unit building on each carrier route must be individually identified and coded to the unit level. While most addresses are coded at this level, this coding process, especially in high-density areas, is a work in progress. If you live in a multi-unit building and you have successfully registered on usps.com®, but the sign-up process indicates that you do not have an eligible address, we are unable to offer you the feature until the coding is complete. Please check back at a later date.
Security and privacy are of high importance to USPS. The current Informed Delivery sign up process requires you to verify your identity. In some cases, an individual may find that he or she cannot complete online verification. If you are unable to verify your identity within your Informed Delivery account online, you may do so at specific USPS locations that provide Identity Verification Services. To locate the nearest Identity Verification Service locations, please follow the steps below:
1. Sign in to your personal usps.com® account.
2. Select “Informed Delivery” in the top right of the page
3. Select “Enroll”
4. Select “Informed Delivery”, located in the Account Management section.
5. If you have already failed to verify your identity online in the last 72 hours, you will see “Verify Your Identity” in red font. Select “Enroll in Informed Delivery”.
6. You will be given the option to pursue In-Person Identity Verification. Select “Opt-in” under this option.
7. You will see a list of USPS locations offering Identity Verification Services near your location.
   - In the search box below the table, you may type in a new ZIP Code™ location to search for additional Identity Proofing Facilities.
8. Scroll to the bottom of the list and select “Continue to In-Person Proofing.” You will be redirected to a page with more information and receive an email with further instructions.
Please read the information provided on the Informed Delivery page and bring all required documentation and forms of identification to the Identity Verification Service facility. If you do not follow the steps above immediately after failing the identity proofing process, you will need to wait 72 hours before you may attempt identity proofing again for security purposes.
#2fa #biz & it #bypass #gmail #google #iranian #mail #offered #phishers #protections #security keys #sms #text #two-factor authentication #yahoo
A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.
Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets’ level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets’ accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.
“In other words, they check victims’ usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too,” Certfa Lab researchers wrote.
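The relay the Certfa researchers describe, modelled in code. This is an added example, not code from Certfa Lab or Ars Technica: a minimal service that accepts a password plus either a TOTP code or an origin-bound security-key assertion, a victim who types into whatever page is in front of them, and an attacker who forwards everything to the real service in real time. The service name, the phishing origin and the simplified key protocol are assumptions; the TOTP follows RFC 6238. It goes one step beyond the excerpt by showing why the same relay fails against a second factor that binds its signature to the page origin.

```python
"""Model of the real-time credential/OTP relay described in the article.
Added example, not Certfa Lab's or Ars Technica's code. The service, browser
and attacker are simplified stand-ins and every name is invented. TOTP follows
RFC 6238; the security-key path is a simplified model in which the authenticator
signs the server's challenge together with the origin of the page that asked."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class MailService:
    """The genuine login endpoint. ORIGIN is what a security key binds its assertion to."""
    ORIGIN = "https://mail.example"          # invented

    def __init__(self):
        self.users = {}

    def enroll(self, user, password, totp_secret, key_secret):
        self.users[user] = {"pw": password, "totp": totp_secret, "key": key_secret}

    def _password_ok(self, user, password):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"], password)

    def login_totp(self, user, password, code, now):
        if not self._password_ok(user, password):
            return False
        # Typical server policy: accept the current step and the previous one for clock skew.
        secret = self.users[user]["totp"]
        return any(hmac.compare_digest(totp(secret, now - skew), code) for skew in (0, 30))

    def challenge(self):
        return secrets.token_bytes(32)

    def login_key(self, user, password, challenge, client_origin, signature):
        if not self._password_ok(user, password):
            return False
        if client_origin != self.ORIGIN:     # assertion was produced for some other site
            return False
        key = self.users[user]["key"]
        expected = hmac.new(key, challenge + client_origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Victim:
    """Types credentials and OTP into whichever page is shown; the key signs
    whatever challenge it is handed, but always over the origin the browser saw."""

    def __init__(self, user, password, totp_secret, key_secret):
        self.user, self.password = user, password
        self.totp_secret, self.key_secret = totp_secret, key_secret

    def type_credentials(self):
        return self.user, self.password

    def type_otp(self, now):
        return totp(self.totp_secret, now)

    def sign(self, challenge, page_origin):
        sig = hmac.new(self.key_secret, challenge + page_origin.encode(), hashlib.sha256).digest()
        return page_origin, sig


PHISH_ORIGIN = "https://accounts-mail.example"   # attacker's look-alike page (invented)


def relay_totp(service, victim, now):
    """Attacker: fake login page collects the password, fake 'enter your code'
    page collects the OTP, both are replayed against the real service in seconds."""
    user, pw = victim.type_credentials()
    code = victim.type_otp(now)
    return service.login_totp(user, pw, code, now + 5)   # still inside the 30-second step


def relay_key(service, victim):
    """Same relay against a security key: the attacker fetches a real challenge and
    forwards it, but the victim's key signs it for PHISH_ORIGIN, not for the service."""
    user, pw = victim.type_credentials()
    challenge = service.challenge()
    origin, sig = victim.sign(challenge, PHISH_ORIGIN)
    return service.login_key(user, pw, challenge, origin, sig)


def legitimate_key_login(service, victim):
    challenge = service.challenge()
    origin, sig = victim.sign(challenge, MailService.ORIGIN)
    return service.login_key(victim.user, victim.password, challenge, origin, sig)
```

`relay_totp` succeeds because a code the victim typed seconds earlier is still inside the server's time window, and nothing in a six-digit code says which page it was typed into. `relay_key` fails because the assertion the victim's key produced names `PHISH_ORIGIN`, and the service checks that the origin is its own before it checks the signature. Real WebAuthn/U2F carries the origin in the signed client data rather than concatenating it as here; the effect is the same.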
WOW! Christmas present: Tutanota releases dedicated desktop clients for Linux, Windows and Mac OS (Beta)
2018-12-20
DOWNLOAD (BETA!): https://tutanota.com/blog/posts/desktop-clients/
Today we are very happy to announce that we have a very special Christmas present for all Tutanota users. We have just published the first beta version of our new desktop clients for Linux, Mac OS and Windows. We invite you to test our beta desktop client right now, and let us know how we can improve them further.
Tutanota now comes with dedicated desktop clients
Today we are releasing the first Tutanota desktop clients for Linux, Windows, Mac OS. This is one of the most important updates since we have first published our secure email service with automatic encryption in March 2014. The new Tutanota desktop clients enable you to use Tutanota directly from your computer without the need of a browser.
Improved security by signing applications
The Tutanota desktop applications for Linux, Windows, and Mac OS are signed. You can verify the signature here. The signatures make sure that the desktop clients as well as any updates come directly from us and have not been tampered with.
The client validates the signature before installing any update. This reduces the risk of man-in-the-middle attacks (which we already mitigate by using DANE in the webmail client) even further: a potential attacker would have to replace not only the client on our server but also the signing key, which we publish so that people can verify that the keys match.
The code for our desktop clients is published on GitHub as open source, just as the code for our webmail client and our Android and iOS apps. At Tutanota we believe that using free software is the best way to guarantee maximum security.
Read here why our Google-free Android app makes Tutanota one of the best open source email services.
Desktop clients based on Electron
When we decided to build desktop clients for Tutanota, we carefully evaluated whether to build a native client for each OS or use Electron to convert our webmail client into desktop clients for Linux, Windows and Mac OS. We have opted to use Electron for the following reasons:
- We are able to support all three major operating systems with minimum effort.
- We can quickly adapt the new desktop clients so that they match new features added to the webmail client.
- We can allocate development time to particular desktop features, e.g. offline availability or email import, that will simultaneously be available in all three desktop clients.
Native desktop clients have a slight advantage over clients built with Electron in regards to RAM, but this advantage does not outweigh the fact that with Electron we can support all three operating systems with minimum development effort. On top of that, we paid special attention to this issue when redesigning our new webmail client in 2017 and 2018, so that the current desktop versions of Tutanota need relatively little RAM.
At Tutanota we are a small team, so we have to focus on how to develop the best product with minimum effort, and Electron enables us to achieve just that.
Please note that if you open several instances of the desktop client, only the instance that has been opened first saves data if you choose to save the login password or create a search index. The additional instances only use a temporary cache so that such data is not saved when you close the desktop client again.
After releasing the first basic version, we will now focus on adding typical desktop features to the clients.
Email import and synchronization with external mailboxes
The next feature on our development roadmap for the desktop clients is email import and synchronization with external mailboxes. The import feature via the Tutanota desktop clients will enable Tutanota to import emails from external mailboxes and encrypt the data locally on your device before storing it on the Tutanota servers.
This feature is very important to us as it will let you import and encrypt external data in Tutanota without our servers ever being able to see or read your data.
The Tutanota webmail client does not support such an import feature because with the webmail version it is impossible to encrypt imported data before it hits the server.
The desktop clients also give us the possibility to add offline support to Tutanota. In the future, you will be able to access and view your encrypted mailbox even when you have no access to the Internet via our dedicated desktop clients.
Perfect email alternative to privacy-invading services
To provide the best privacy-focused email service, we take every step of your email usage into account. We never make a trade-off when it comes to security while focusing on your convenience and ease of use.
The combination of security with ease of use is the reason for Tutanota's continuous growth, as well as for the steadily growing number of end-to-end encrypted emails sent by our users.
Desktop clients support same features as webmail client
Automatic synchronization for your encrypted mailbox
Your encrypted mailbox is automatically synchronized between the desktop client, the webmail client and the Android and iOS app. No matter where you manage your encrypted emails, your mailbox is updated instantly on all devices.
Short-cuts for ease of use
The new desktop clients support all short-cuts that you are used to from the webmail version. Simply press F1 (Fn+F1) to view all available short-cuts in any opened window.
Tutanota supports 2FA (U2F & TOTP) to further secure your email login. We recommend that you use a hardware token (U2F) as U2F is the most secure form of two-factor authentication.
The beta desktop clients do not support U2F right now. The reason is a known issue with WebAuthn that we plan to fix in the coming months.
Security features that make Tutanota stand out from the crowd
By making sure that all your data is always end-to-end encrypted, only you own your data.
On top of the built-in encryption, Tutanota's secure password reset and innovative search on encrypted data are just two important features that make sure that no third party - not even we - can gain access to your data.
Here are the most important features that make Tutanota's security unrivaled:
- end-to-end encrypted mailbox
- end-to-end encrypted address book
- automatic end-to-end encrypted emails between users
- end-to-end encrypted emails to any email address with a shared password
- secure password reset that gives us absolutely no access
- full-text search of encrypted data executed locally
- TLS with support for PFS, DMARC, DKIM, DNSSEC and DANE
- open source code for the entire client as well as Android & iOS apps
Tutanota combines security with ease-of-use
Tutanota is the secure email service that combines the advantages of the cloud – availability, automatic back-up, auto-sync, cost-efficiency – with the advantages of hosting your emails on your own server – security and data sovereignty.
MORE: How To Use AppImage in Linux - https://itsfoss.com/use-appimage-linux/
#tutanota #mail #e-mail #email #news #desktop #client #privacy #security #windows #mac #germany #password #gu #linux #appimage #android #surveillance #encryption
Schneier on Security (Friday Squid Blogging):
Warning / Happening: Tutanota is possibly compromised!
Martin Fruehauf • December 1, 2018 9:14 AM
An insider from the German Bundesnachrichtendienst (BND / Vopo) / Secret Service has just released a message stating that Tutanota was compromised.
#Schneier #tutanota #protonmail #mail #e-mail #email #news #leak #warning #privacy #security #freedom #bnd #vopo #germany #password #recovery #surveillance #encryption #vulnerabilities
The message as reported by the BND insider has just been picked up by the British Guardian online edition (30th Nov. 2018, 7:30pm GMT).
Here the message:
Tutanota recently released a new recovery code feature that allows a user to recover their account if they forget their password. This recovery code adds a second method to decrypt your private key and thus your emails. This feature was never asked for by the user base, and they refuse to let users opt out of creating a recovery code. Each time you log in to Tutanota you will see a pop-up requesting that you create a recovery code.
Now I will explain why this is happening:
I work within the German government, and I know for a fact that Tutanota was served an order by the intelligence services to create a database that can be used to decrypt any user's email address upon request. Tutanota is currently under a gag order and cannot speak about this request publicly. This is basically Hushmail/Lavabit 2.0. The recovery code is essentially a government recovery code / backdoor used to read your email if requested by the government.
I'm posting via a public WiFi with a disposable device in a location with no CCTV cameras. This was very hard to do, and I won't be posting again so please do not delete this thread. Users please screencap or archive the thread. I felt I must warn people, especially journalists who rely on the security of Tutanota and may reside in countries with oppressive regimes or human rights abuses.
Comment: Tutanota, as well as all German e-mail providers must provide data as requested to the German Secret Service / (BND / Vopo). This also applies to all German encryption software; it is mandatory for them to incorporate a back door. This, however, is not new. It is a practice that informally has been in place since the mid-nineties.
This follows the recently leaked information indicating that ProtonMail was also compromised and that its servers, contrary to what the company stated, were located in former USSR territories.
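Tutanota's feature list above ("secure password reset that gives us absolutely no access") and the comment's description of the recovery code as "a second method to decrypt your private key" both describe the same client-side construction: the account private key wrapped under two independent key-encryption keys, one derived from the login password and one from a recovery code, so that either secret unwraps it. The block below is an added example of that construction, not Tutanota's code. The private key is a random 32-byte stand-in, the HMAC-based authenticated stream cipher stands in for AES-GCM, and the server record layout and PBKDF2 round count are assumptions.

```python
"""Client-side key wrapping with two KEKs. Added example, not Tutanota's code.
The 'private key' is a random 32-byte stand-in for an RSA private key, the
encrypt-then-MAC construction below stands in for AES-GCM, and the record the
server stores is an invented layout."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000      # assumed work factor


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Password or recovery code -> 32-byte key-encryption key. Only the salt is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _subkeys(kek: bytes):
    """Separate encryption and MAC keys so the two uses never share a key."""
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong KEK or a modified blob is rejected."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(password: str):
    """Runs on the client. Returns what the user keeps (private key in memory, the
    recovery code shown once) and the record the server stores."""
    private_key = secrets.token_bytes(32)       # stand-in for the real private key
    recovery_code = secrets.token_hex(16)       # generated here, on the client
    salt_pw, salt_rc = secrets.token_bytes(16), secrets.token_bytes(16)
    record = {
        "salt_pw": salt_pw,
        "wrapped_by_password": wrap(derive_kek(password, salt_pw), private_key),
        "salt_rc": salt_rc,
        "wrapped_by_recovery": wrap(derive_kek(recovery_code, salt_rc), private_key),
    }
    return private_key, recovery_code, record


def unlock_with_password(record, password: str) -> bytes:
    return unwrap(derive_kek(password, record["salt_pw"]), record["wrapped_by_password"])


def unlock_with_recovery(record, recovery_code: str) -> bytes:
    return unwrap(derive_kek(recovery_code, record["salt_rc"]), record["wrapped_by_recovery"])
```

The record holds two salts and two wrapped blobs, and neither KEK. An operator who has only this record cannot recover the key unless the recovery code (or the KEK derived from it) is generated on, or sent to, the server. Where the code is generated and whether it ever leaves the device is therefore exactly the point on which the comment and Tutanota's feature list disagree.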
Article word count: 838
HN Discussion: https://news.ycombinator.com/item?id=18673968
Posted by dbrgn (karma: 1236)
Post stats: Points: 174 - Comments: 39 - 2018-12-13T17:14:42Z
#HackerNews #2012 #from #hell #loop #mail
Found in #django on freenode, Jul 12, 2012. All names are edited.
11:16 < abrt> since itʼs quiet in here Iʼll tell you a story.
11:16 < abrt> back in 1992, I had just graduated university and was interning at a government facility in newport news
11:16 < abrt> along with some friends from college. We made $7.25/hr and were living large.
11:16 < qns> hahahaha
11:17 < qns> You sound like Kevin Mitnick.
11:17 < abrt> we used to play practical jokes on each other all the time.
11:17 < abrt> mitnick was a pussy compared to us
11:17 < qns> :O
11:17 < abrt> anyway, I managed to break into my friendʼs university UNIX account. guessed his password. easy.
11:17 < abrt> how well do you know UNIX?
11:18 < qns> not well yet
11:18 < abrt> well, back in the day, they didnʼt have postfix or qmail any of these fancy mailservers
11:18 < abrt> they ran sendmail
11:18 < abrt> and they allowed individual .forward files
11:19 < abrt> the purpose of the .forward file was to forward your email that came to your account to the address in the .forward file.
11:19 < abrt> anyway, after I broke into my friend Mattʼs account, I set up his .forward file to be "everyone@.edu" which I knew was an alias for the entire college.
11:19 < abrt> I had just learned how to forge sendmail headers and was going to send him a very embarrassing email "from his girlfriend"
11:20 < abrt> fortunately for me, I decided to do a test run at 1730 on a Friday. Assuming the test run went well, the embarrassing forged email would go out the following Monday.
11:20 < abrt> so I sent a "this is a test" to Matt.
11:21 < abrt> and went home, drank some beers with Matt and Steve, and had a great weekend
11:21 < abrt> Monday morning I get into the lab and everyoneʼs quiet, sort of whispering, and looking at me
11:21 < abrt> fuck me, right?
11:21 < abrt> I log into the gov UNIX system - and I have 13000 emails
11:22 < abrt> what I had forgotten was that "everyone@.edu" included Matt.
11:22 < abrt> so the email would get sent to everyone, including him, then he would add 10 lines of header, forward it to everyone, including him, ....
11:22 < abrt> mail loop from hell.
11:22 < qns> Did you get in trouble?
11:22 < abrt> well, hereʼs the thing
11:22 < abrt> this was summer ʼ92
11:22 < abrt> nobody at school, right?
11:23 < abrt> everyone had their email forwarded elsewhere
11:23 < abrt> and the professors got jobs at places like Camp Peary, and FBI, and other research organizations, ....
11:23 < qns> So you help them?
11:23 < abrt> and those systems couldnʼt handle the volume of mail, and they never thought to put the mail spool on its own separate partition
11:23 < abrt> so their systems crashed.
11:24 < qns> haha
11:24 < qns> So you triggered chaos all over.
11:24 < abrt> I managed to bring down 13 CIA offices, all FBI offices east of the Mississippi, and the entire Southeastern university Research Network.
11:24 < etgr> You can claim to have hacked the FBI
11:24 < qns> using e-mail.
11:24 < abrt> along with various other systems, but those were the biggies
11:24 < qns> Iʼd have shat myself
11:24 < abrt> I pretty much did.
11:25 < abrt> But back then, like possession of a fake ID, nobody really knew what to do to you for this sort of thing
11:25 < abrt> so I got a slap on the wrist, almost fired, and had to write a letter of apology to the head of the computer lab at university
11:25 < abrt> and I lost my university email account. 🙁
11:26 < qns> hahahahaha
11:26 < abrt> today Iʼd probably be sent to Guantanamo
11:26 < qns> Or youʼd mysteriously disappear. :P
11:26 < abrt> anyway, thatʼs my story for the evening.
11:26 < qns> I need a story like that on my resume.
11:26 < abrt> nah
11:26 < abrt> hereʼs the thing
11:26 < abrt> that story doesnʼt go on a resume
11:27 < abrt> but - fast forward 10 years later.
11:27 < qns> Ahh
11:27 < abrt> Iʼm getting my clearance
11:27 < abrt> being interviewed by the suits from OPM
11:27 < abrt> and they leave the room, come back with a folder, and say, "Tell us about SURANet and the CIA in 1992"
11:27 < abrt> THATʼs when I shat myself.
11:28 < abrt> BUT - good news - I got my clearance despite my history 😀
11:28 < qns> Were they impressed?
11:28 < abrt> nah, they were laughing
After reading this story, I started a new bookmark list: Stories from the Internet. Feel free to follow it, and also send me new candidates if you know of any 😀
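The loop abrt describes, simulated, together with the two guards a mailer uses to stop it. This is an added example and not part of the chat log. The domain, the membership of the everyone alias and the cap on the unguarded run are constructed for the demo; MAX_HOPS is sendmail's default MaxHopCount, and the Delivered-To check is the kind Postfix performs on local delivery.

```python
"""Simulation of a .forward -> alias -> .forward mail loop and the two guards
against it. Added example, not from the original story. Addresses, alias
membership and SAFETY_CAP are constructed; MAX_HOPS is sendmail's default."""
from collections import defaultdict, deque

DOMAIN = "example.edu"
ALIASES = {f"everyone@{DOMAIN}": [f"matt@{DOMAIN}", f"steve@{DOMAIN}", f"prof@{DOMAIN}"]}
FORWARDS = {f"matt@{DOMAIN}": f"everyone@{DOMAIN}"}   # the hijacked ~/.forward
MAX_HOPS = 25        # sendmail MaxHopCount default: more Received: lines than this -> bounce
SAFETY_CAP = 10_000  # only so the unguarded run terminates and can be inspected


def run(hop_limit=None, delivered_to_check=False):
    """Deliver one test message to Matt and follow every copy to a mailbox or a bounce.
    Each queue entry is (recipient, headers); headers grow as the copy travels."""
    mailboxes, bounces, processed = defaultdict(int), 0, 0
    queue = deque([(f"matt@{DOMAIN}", [])])
    while queue and processed < SAFETY_CAP:
        rcpt, headers = queue.popleft()
        processed += 1
        hops = sum(1 for h in headers if h.startswith("Received:"))
        if hop_limit is not None and hops > hop_limit:
            bounces += 1                       # "Too many hops": returned to envelope sender
            continue
        if delivered_to_check and f"Delivered-To: {rcpt}" in headers:
            bounces += 1                       # this copy already passed through rcpt: loop
            continue
        headers = [f"Received: by mx.{DOMAIN}; hop {hops + 1}"] + headers
        if rcpt in ALIASES:                    # alias expansion fans out, one copy per member
            for member in ALIASES[rcpt]:
                queue.append((member, headers))
        elif rcpt in FORWARDS:                 # .forward redirects and stamps Delivered-To
            queue.append((FORWARDS[rcpt], [f"Delivered-To: {rcpt}"] + headers))
        else:
            mailboxes[rcpt] += 1
    return {"mailboxes": dict(mailboxes), "bounces": bounces,
            "processed": processed, "terminated": not queue}
```

Without either guard the queue never empties: every pass through Matt fans out to the whole alias, two members get a copy, and Matt's own copy goes round again, which is the "10 lines of header" per hop in the story. With the hop limit the loop dies after a dozen round trips, leaving each other member twelve copies and three bounces; with the Delivered-To check it dies on Matt's second visit, with one copy apiece and a single bounce. In every variant Matt himself receives nothing, since his .forward diverts every copy addressed to him.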
~~"Never connect to ProtonMail using Chrome"~~ -- ... Never be a fool!
How many fools using Chrome till now?
Never connect to ProtonMail using Chrome
My wife and I both have a PM account. Today, I sent her a lengthy email which was quite complex (I'm a writer and she was proofreading me).
She asked me why I was using so many English words and why my sentences were so terrible. I realised that this was not the mail I sent. I checked my Sent mail folder, everything was fine. But, on her computer, my mail appeared like it had been translated from French to English and then to French again.
It was very strange so I asked her to check the email on her phone using PM iOS app. The mail was fine.
I then realised that she was using Chrome to check her email. After a bit of fiddling, I discovered that disabling the "suggest to automatically translate a website in a foreign language" option solved the issue.
But the conclusion is frightening: it means that the content of every webpage visited using Google Chrome is sent back to Google. That every email, even in ProtonMail, is sent to Google even if, in this case, the translation should not happen (translation had been disabled for both French and English websites, so there was no reason to think PM would be translated).
Only solution: don't use Chrome. Don't use it at all.
P.S. ProtonMail's official commentary
#web #www #internet #google #chrome #browser #protonmail #mail #email #security #privacy #spy #spying #iOS
Fixed the title for you: "Never use Chrome"
Not knocking the OP, but this story spread everywhere, and the problem here has little to do with ProtonMail, and everything to do with Chrome.
And you would be amazed to know how many people just read the title, thought there was something wrong with ProtonMail, and then moved on.
Microsoft is reportedly planning to add ads to the Mail app in Windows 10. Yikes.
Article word count: 447
HN Discussion: https://news.ycombinator.com/item?id=18470006
Posted by cgtyoder (karma: 3477)
Post stats: Points: 101 - Comments: 119 - 2018-11-16T17:07:46Z
#HackerNews #ads #app #mail #microsoft #putting #the #windows
Uh, yes. Microsoft is bringing ads to the Mail app in Windows 10. The company has been shipping Mail as the default email client in Windows 10, and it has improved quite a lot over the years.
The app obviously isn’t as good as Outlook’s mobile apps, or the Outlook desktop app. It is still a good alternative for those who don’t have to deal with hundreds of emails every week. The app could, however, get some serious backlash soon.
Microsoft is testing a new update for the Mail app with Windows Insiders which introduces ads within the app, as first reported by Italian blog Aggiornamenti Lumia. At this point in time, the app only shows personalised ads on top of your inbox. And the only way to get rid of the ad is to get an Office 365 subscription.
The ads will apparently appear for all users — even if you don’t use a Microsoft email service like Outlook and only have Gmail, Yahoo, G Suite, or other third-party accounts, you will still see the ads until you purchase an Office 365 subscription. And that, of course, is quite ridiculous. “The ads at the top of the message list come from Microsoft. You’ll see them whether you are using a Microsoft email account, like Outlook.com, or an account from another email service provider, like Google,” the app says, asking users to purchase Office 365 to get an ad-free experience.
“Consistent with consumer email apps and services like Outlook.com, Gmail, and Yahoo Mail, advertising allows us to provide, support, and improve some of our products. We’re always experimenting with new features and experiences. Currently, we have a pilot running in Brazil, Canada, Australia, and India to get user feedback on ads in Mail,” Microsoft said in a support page about the new ads in Mail for Windows 10. The company says it will only display ads in the “Other” inbox for those who have Focused Inbox turned on, and those who have it off will see the ads on top of their regular inbox.
In Microsoft’s defence, although these ads are interest-based, they do not look at your emails to display ads based on data from your email. Plus, you can opt out of interest-based ads if you’d like.
Microsoft has previously received a ton of backlash for putting ads on Windows 10, and I imagine this wouldn’t be any different. If Microsoft does decide to go ahead with the idea of putting ads on the default email client in Windows, it will most certainly receive negative reviews and complaints from users who already pay for the OS.
Article word count: 1140
HN Discussion: https://news.ycombinator.com/item?id=18414208
Posted by venturis_voice (karma: 637)
Post stats: Points: 208 - Comments: 111 - 2018-11-09T13:38:16Z
#HackerNews #abusing #are #mail #scanning #secret #service #thieves #uspss #warns
A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.
According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”
“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.
The USPS did not respond to repeated requests for comment over the past six days.
The Michigan incident in the Secret Service alert refers to the September 2018 arrest of seven people accused of running up nearly $400,000 in unauthorized charges on credit cards they ordered in the names of residents. According to a copy of the complaint in that case (PDF), the defendants allegedly stole the new cards out of resident mailboxes, and then used them to fraudulently purchase gift cards and merchandise from department stores.
KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.
However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.
Last month, WKMG’s Clickorlando.com wrote that a number of Belle Isle, Fla. residents reported receiving hefty bills for credit cards they never knew they had. One resident was quoted as saying she received a bill for $2,000 in charges on a card she’d never seen before, and only after that did she get a notice from the USPS saying someone at her address had signed up for Informed Delivery. The only problem was she’d never signed up for the USPS program.
“According to a police report, someone opened fraudulent credit card accounts and charged more than $14,000 and signed her neighbors up for Informed Delivery, too,” Clickorlando’s Louis Bolden explained. “Photos of what would be in their mail were going to someone else.”
Residents in Texas have reported similar experiences. Dave Lieber, author of The Watchdog column for The Dallas Morning News, said he heard from victim Chris Torraca, 58, a retired federal bank regulator from Grapevine, a town between Dallas and Ft. Worth.
“Chris discovered it after someone created an account in his name at usps.com,” Lieber wrote in a post published Nov. 2. “The thief began receiving photos of Chris’ mail and also opened a bank credit card in Chris’ wife’s name. Postal officials promote the program as a great way to prevent ID theft, but for Chris, that’s what led to it.”
As noted in last year’s story, the major weakness with Informed Delivery lies in the method the USPS uses to validate new accounts. Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.
KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
I’ve previously advised that having a security freeze on your credit file should be enough to prevent someone from registering an Informed Delivery account in your name. That’s because the USPS validates new users by asking them a series of multiple-guess questions chosen by big-three credit bureau Equifax.
But numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place with Equifax and the two other major consumer credit bureaus (Experian and TransUnion).
Normally in these cases I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address.
The Dallas Morning News piece referenced earlier says Americans can opt-out of Informed Delivery by emailing the “eSafe Team” at USPS at eSafe@usps.gov. However, emails sent to this address by KrebsOnSecurity elicited no response over the past four days.
Yet, one reader received a curious response by emailing the customer service address advertised by USPS’s Informed Delivery service — email@example.com. That reader requested that USPS remove her address from eligibility for Informed Delivery, and asked the Postal Service to let her know if anyone had previously signed up for the service at her address.
According to an email shared with this author, the USPS’s customer help team responded by asking the resident to answer some of her KBA questions in plain text via email.
A response from the Informed Delivery division of the USPS’s customer service department.
Sources tell KrebsOnSecurity that the USPS is now processing some 20,000 new Informed Delivery account registrations each day, and that the USPS is continuously deleting new account registrations that it believes may be fraudulent.
There is also a potentially new security wrinkle in the USPS’s Informed Delivery service. The USPS is now generating revenue by allowing third-party companies to advertise interactive content in Informed Delivery communications (PDF) sent to email subscribers.
The program allows the USPS to automatically match scanned mail images to specific advertising campaigns. According to a review of its mailer delivery user guide (PDF), this initiative allows advertisers to publicize content that contains interactive links, which could be abused by malefactors posing as legitimate advertisers.
This graphic, taken from the Secret Service alert, describes how the USPS Informed Delivery system works.