Various Vulnerabilities in the UPS Shipping System

by Dufu

Everything you read here is total fiction.  Or at least that is what I am claiming, so that if UPS tries to track me down, I can say it was a work of creativity and not an admission of guilt.

What you do with this information is up to you, but as I always teach those around me, "Keep hacking.  Keep it moral.  Teach others.  Become a leader of the ignorant, not their enemy."

I have debated for a while as to whether I should write this article.  Although UPS can, and may very well, fix the issues I bring up here, it will probably translate into higher costs for everyone who uses their service.  It may also cause some serious service disruptions as their own employees adjust to the fixes, because their system is highly standardized.

Shipping Weight and Size Loophole

If you call a UPS representative and ask them what you should do when shipping a package of unknown size and weight, they will generally tell you to make the best guess you can.  This is because the conveyor and human inspection system is supposed to catch oversized and overweight packages and automatically reclassify them and back charge the sender accordingly.

Most UPS representatives will tell you that the back charges for a mislabeled package will arrive on your next bill automatically.  This is not necessarily true.

Here is my situation and what I have learned...

I send a good number of UPS packages on a regular basis.  Not Amazon's level of shipping, but generally more than the average business.  Often, my customers need to send an item back to me.  Sometimes I know what it is, and sometimes I don't.  Most of the time, I have no clue how their shipping department or shipping drone will package the items.  Will they put a two pound part the size of a soda can into a box that is 18" square with lots of padding?  Sometimes they do.  At other times, they simply put the part into the large box and let it rattle around in transit.  Rarely, they properly package it.

In any case, guessing the weight and size is virtually impossible.

What I Do

Since I never know how the item will be packaged when coming back to me, I never know how much it will weigh or the size of the box.

Yet I am willing to pay the return shipping for my wonderful customers.  I could provide my UPS account number to the customer and let them simply fill in the details on their UPS shipping screen, but that's no fun and it exposes my account number to an untold number of potential threats.  What I choose to do is create a shipping label from me, to me.

I'm in the Northeast.  My customer may be in California.  Regardless, my shipping label says the package is going to travel zero (or very few) miles and not cross any UPS zones other than my own.  I also leave the size blank and set the weight to show one pound.  This generally translates into roughly a $5 charge for me, per box, on all returns.

What I Expect

I expect my customer to print the PDF I send to them, stick it on the pre-packaged box and hand it to a driver.  I expect that somewhere along the way, UPS will see the error in size, weight, and origin, and bill me appropriately.

What I Get

In twelve years of shipping things on a daily basis, not a single back charge has ever been applied to my account, until two days ago when they re-rated a package for the very first time to accurately reflect the weight and origin.  I'm not sure if this is a new trend for them or just a coincidence, but I thought it worth mentioning since it pretty much makes this portion of my article useless if it is a system-wide, reliable change in their policy.

Somewhere around one package a month is shipped back to me this way.  I have shipped 70 or 80 pound packages back to myself, with thousands of dollars in additional insurance coverage, and yet nobody has noticed the extra size, weight, origin, etc.  Note that anything over 70 pounds is supposed to come off the conveyors and go into a manually sorted and handled process.  I'm not sure if that happens or not with my stuff that is over 70 pounds, since the label indicates a single pound package, but I'm sure the drivers notice!  I have shipped numerous packages from the same customer back to myself, all with the same low weight designations.

Do I feel guilty about never having been properly charged for these returns?  Only enough to keep me from shipping all my stuff out that way in the first place.  Imagine if all my packages were labeled at one pound and no size provided.  I'd make a killing on my shipping costs, and I'm sure UPS would either take a very long time to catch on or maybe never catch on.  But I'm a non-malicious hacker so I can't do that.  It would simply be stealing to me, and I hope to you, too.  Malicious hackers have caused more damage to our image over the years than anything else, in my opinion.  But I digress.

If I could more properly estimate the weight and size of my returns, I'd do so.  Until I can, I'll keep doing what I do.  After all, the UPS representative told me it would work out okay that way.

Now, keep in mind that there is yet another potential exploit of the system here.  What if you changed your shipping and billing address to one a block away from the destination each and every time you sent a domestic shipment?  You could change it back right after processing the shipment and UPS would charge you for a local, one zone shipment, even if you were shipping from Oregon to Florida.  I'll let you digest that for a bit.  If you can't follow me on that one, then I suggest you start over at the top and re-read what I've already said.

Tracking Number / Account Number Vulnerability

There have been a few articles written over the years on UPS tracking number structure and all that is related to that.  What I have yet to see is an article written about how to exploit the system based on the information provided in the tracking number, at least to a degree that most people can benefit from it.

Every UPS package you receive contains a decently long tracking number.  Typically, they start with 1Z.  If they are international, they often start with something else.

If you ship or receive a lot of packages, or track everything you send or receive, you will notice that UPS has one of the longest tracking numbers in the industry.  That's just semi-random information for you and for the folks to discuss in future articles.

Back to your specific package.  My best guess is that the first two digits designate the originating location or country.  Someone wrote about it once, but I've already forgotten that info because it doesn't serve my curiosity very well.

The next six characters of the tracking number are where the treasure is.  This is the sender's UPS account number.  The digits after that are almost always unique and change from package to package.  There are reports that people who keep detailed logs of tracking numbers have shown that old tracking numbers are sometimes recycled.

So, you may be asking yourself, "What good does this do for the average person?"  The truth is that the average person can set up a UPS account on the web with a credit card and be "in business" immediately, as far as UPS is concerned.

A malicious hacker could easily use stolen or maybe even fake credit card numbers, fake addresses, and various other fake information to set up an account.  This would get them nowhere unless they want to hit that fake or stolen credit card with various UPS charges, right?  Wrong!

Here is how nowhere can turn into somewhere for someone determined to steal services.  Once you have someone else's UPS account number, you are only one step away from using that account number for your own shipments.

All you need to use someone else's UPS account number is the account number and the billing ZIP Code for that account number.  When shipping a package, you simply use the pull down box that says, "Bill Shipping Charges to:" to choose "Bill The Receiver" or "Bill Another Third-Party."

How you get their ZIP Code is ultimately up to you.  You could try the one on their return address (go check the package you originally got the tracking number from) or you could browse their web site.  If you want to test your super elite social engineering skills, you can call the target company and ask for their accounts receivable contact and get the ZIP Code from them.  UPS has also been known to hand out this information to a corporate employee "working off site at a client" with a need to ship a package late in the afternoon in an emergency situation.

My moral compass and alarm are buzzing, so let's get one thing straight.  It's stealing to do what I have just described.  However, if bringing this vulnerability to light causes UPS to change their system or implement some controls to limit this vulnerability, then this article will serve its purpose.  It will hopefully bring better security procedures into play for people like me who use UPS all the time.  I realize that my account number is out there for everyone to see every time I ship a package.  I would welcome the change!

While I do not condone stealing service this way, I have actually had legitimate need to make use of this exploit when a customer tells me to ship to them on their account.  It comes in handy when they fail to tell me their account number or appropriate ZIP Code.

This vulnerability seems to work for Canadian accounts as well, but I have not had the need to fully document it yet.  I have no idea whether it will work in other geographical locations.

Insurance Scamming

This is where I am most worried that someone will come along and scam UPS out of their hard-earned cash.  It is also where I see their largest vulnerability, so it is worth sharing.

In my personal and documented experience, UPS will lose approximately one out of every two envelope-sized packages.  In other words, if you take a letter-sized envelope, stick a note or hand drawn picture inside of it and slap a shipping label on it, there is a 50% chance of it disappearing in transit.

$100 of insurance coverage is free, and you can doctor up an invoice for the "product" they lost.  Call it a Dufu cleaner or whatever.  When they lose it, you are due $100 plus a refund of your shipping costs, and they almost always pay it.

Be creative here and think with me.  Insure it for a few thousand dollars and the game changes - for you more than for UPS.  If they lose it, they pay you, presuming you provide that most important invoice.  Note that they do not cover specialty items like artwork, which could be the subject of a whole different article, I suppose.

At some point, the UPS system probably handles high value packages differently (can you picture hand carried, guard monitored packages?), so if you are an idiot and thinking of stealing from UPS via this vulnerability, expect that the $50,000 insured envelopes you send out, fifty at a time, will all be delivered perfectly.

A final small tip for this exploit: UPS allows you to interrupt the delivery process for a package and have it re-routed.  I suppose if you shipped from southern California to northern Maine and then on day three asked that it be sent back to California, you could greatly increase the chances of the package disappearing.

Packaging Tips and Thoughts

UPS is about as evil as they get when it comes to damaged items and paying claims to their customers.

You can do exactly what they tell you as far as packaging goes, and yet they will almost always claim that the box was not brand new, the padding was insufficient, the tape you used was too old, etc.  It's probably standard procedure for them to deny a claim before they pay it in the case of merchandise damage.

My advice to all shippers is to overpack your items.  When you think it's packaged well enough, go one step further.  Take photos of the packaging process, including the box rating.

Anything you can provide to prove that you took care of documenting your process before they damaged the goods will work in your favor tremendously.  To try to clear it up and provide proof later shows that you are not at their level of "damaged package negotiation" ninja fighting and the representative will write you off as a UPS newbie.

The bottom line is that if they damage it, give them hell until you are either out of hope and strength or win your case.  They won't hesitate to bleed you dry emotionally while trying to squirm out of paying for the damaged merchandise.  Provide them with an overabundance of proof and documentation.  Be prepared to appeal their decision at least once.

Another quick tip is to always track your packages.

They are often delivered late due to one reason or another.  If it is not weather related, and you are not shipping during the Christmas holiday season (and a few other random and unexpected reasons), then you get a full refund of your shipping costs if it shows up late.

Insurance costs are not refundable in these circumstances.  I always put my initial claim in via the UPS e-mail interface found at www.ups.com/upsemail/input?loc=en_US&reqID=WSP.  I do this because, if I ever really have a big mess to clean up with them, there is an electronic record of what I sent.

Random Thoughts and a Great Tip for Travelers

What I Dream About

Sometimes I wonder what would happen if I stuck the same exact shipping label on ten different packages and sent them all off on their merry way to some destination.

My guess is that, because the scanning of the label triggers the billing, I would get billed for a single package transit and delivery.

However, if they were spread out over a few days so that the delivery of Package #1 happened before the pick-up of Package #2, then I assume I would be billed for the same package more than once.  This could lead to some very interesting discussions with the UPS service representative who receives my e-mail or phone call a few days later asking about duplicate billings.  Hypothetically, of course.

A great tip for travelers is to print up a dozen or so shipping labels to you, from you, with a one pound weight designation.  That way, if you buy something that you really don't want to carry home on that plane, in that car, or on that motorcycle, you can slap that label on a properly re-packaged box, hand it to the UPS driver or drop off location of your choice, and wait for it to show up at your home or office.

There is no need to carry that chrome-plated machete on the airplane back from Los Angeles or that vase back from Graceland.  Just plop it in the box and packaging of your choice, slap the label on, and pray UPS doesn't lose or damage it in transit!  Make sure to insure each and every package for $100 (free), or more if you think you may buy some high value items.

I always wonder if the stuff that I ship crushes other people's holiday gifts or merchandise.  I mean, if they can't figure out how to back bill me for a 70 pound box that has a one pound label on it, can they figure out that it needs to be at the bottom of the pile?

Random Observation

I've shipped to and from every state except Hawai'i.

UPS rules the NYC area and most of the Northeast.  They probably rule most of the Chicago area (auto country) and a good part of Canada near that area.  It seems that FedEx rules a good part of the rest of the country, including the far west, and DHL is the king of international shipping.

I hope this article is useful for you.  Please don't be an idiot or a thief.

I'll say it again, "Keep hacking.  Keep it moral.  Teach others.  Become a leader of the ignorant, not their enemy."
