Wait! There's More Less!

Wednesday, October 04, 2017

Illustration of USPS and Equifax, via Wikimedia.
It turns out that when I belittled the new "Informed Delivery" option being tested by the U.S. Postal Service earlier this year, I didn't go anywhere near far enough. I noted that it got the failing government-created monopoly into the spam business. Annoying, yes. But at least you had to sign up for that, and could simply opt out, or so I thought. That turns out not quite to be the case, and annoyance may be the least of your concerns.

Security expert Brian Krebs discusses the vast security hole represented by the new service option, which is being rolled out nationwide by the U.S. Postal Service. Calling the service a "stalker's dream," Krebs notes that third parties can easily sign up to learn when mail is on the way, including any thieves who might want to know when anything worth stealing is set to arrive. This they can do simply by taking advantage of the flimsy security measures in place for signing up:
Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA [knowledge-based authentication --ed] questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you're communicating with via the Postal mail.

Perhaps this wouldn't be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn't.

Peter Swire, a privacy and security expert at Georgia Tech and a senior counsel at the law firm of Alston & Bird, said strong authentication relies on information collected from multiple channels -- such as something you know (a password) and something you have (a mobile phone). In this case, however, the USPS has opted not to leverage a channel that it uniquely controls, namely the U.S. Mail system. [bold and link in original]
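Swire's point is that the Postal Service already controls a channel an impostor cannot easily intercept: the letter carrier's delivery to the physical address. The example below, added here and not code from Krebs, Swire, or USPS, sketches what using that channel would look like: a one-time code is generated, bound (via an HMAC) to both the account and the mailing address, stored only as a hash, and printed on a letter sent to that address; the code expires, works once, and tolerates only a few wrong guesses. The class names, the 14-day lifetime, the five-attempt limit, and the sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative policy values (assumptions, not USPS policy).
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 8
CODE_LIFETIME = timedelta(days=14)   # mailed letters take days; cap the window anyway
MAX_ATTEMPTS = 5                     # 36**8 codes, so brute force is hopeless at 5 tries


@dataclass
class PendingVerification:
    account_id: str
    address: str
    code_hash: bytes      # never the plaintext code
    issued_at: datetime
    attempts: int = 0
    used: bool = False


class MailedCodeVerifier:
    """Out-of-band address verification: the code reaches the user only on paper."""

    def __init__(self, server_secret: bytes, clock=None):
        self._secret = server_secret
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._pending: dict[str, PendingVerification] = {}

    def _hash(self, account_id: str, address: str, code: str) -> bytes:
        # Binding account and address into the MAC means a code mailed to one
        # address cannot be replayed to claim a different one.
        msg = f"{account_id}\x00{address}\x00{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, account_id: str, address: str) -> str:
        """Create a code for the letter; the return value goes on paper only."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[account_id] = PendingVerification(
            account_id, address, self._hash(account_id, address, code), self._clock())
        return code

    def verify(self, account_id: str, address: str, submitted: str) -> tuple[bool, str]:
        pv = self._pending.get(account_id)
        if pv is None:
            return False, "no pending verification"
        if pv.used:
            return False, "code already used"
        if self._clock() - pv.issued_at > CODE_LIFETIME:
            return False, "code expired"
        if pv.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        pv.attempts += 1
        actual = self._hash(account_id, address, submitted.strip().upper())
        if not hmac.compare_digest(pv.code_hash, actual):
            return False, "code mismatch"
        pv.used = True
        return True, "address verified"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk the lifecycle with a controllable clock; returns each step's outcome."""
    now = [datetime(2017, 10, 4, tzinfo=timezone.utc)]        # constructed start time
    v = MailedCodeVerifier(b"constructed-server-secret", clock=lambda: now[0])
    results = {}

    code = v.issue("acct-1", "123 Main St, Anytown")           # printed on the letter
    results["wrong_code"] = v.verify("acct-1", "123 Main St, Anytown", "NOTIT000")
    results["wrong_address"] = v.verify("acct-1", "9 Elsewhere Rd", code)
    results["correct"] = v.verify("acct-1", "123 Main St, Anytown", code.lower())
    results["replay"] = v.verify("acct-1", "123 Main St, Anytown", code)

    code2 = v.issue("acct-2", "1 Late Ln")
    now[0] += timedelta(days=15)                               # letter sat unopened
    results["expired"] = v.verify("acct-2", "1 Late Ln", code2)

    code3 = v.issue("acct-3", "2 Guess St")
    for _ in range(MAX_ATTEMPTS):
        v.verify("acct-3", "2 Guess St", "BADGUESS")
    results["locked_out"] = v.verify("acct-3", "2 Guess St", code3)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>14}: {outcome}")
```

The point of the design is that the only party who can complete the sign-up is whoever opens the letter at the address, which is exactly the party the service is supposed to serve; KBA questions sourced from a credit bureau prove nothing of the kind.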
Krebs notes two ways to prevent someone from signing up as you for this service: (1) creating an account before this happens, or (2) getting a credit freeze. Translation: (1) sign up for spam or (2) pay the clowns at the credit bureaus for the freeze that they may have already made necessary for you anyway.

Good thing the government ensures mail delivery for everyone and keeps such a close eye on the financial sector. Not. More could be said about this, but suffice it to say for now that I agree with "Manhattan Contrarian" Francis Menton that even more regulation is absolutely not the answer to this mess.

-- CAV
