The USPS Informed Delivery Service as a Phishing Data Source

by ~Me

In 2017, the U.S. Postal Service announced a new program called "Informed Delivery."

This program would provide access to images of mail pieces being delivered along with tracking information for that specific address.  It is limited to letter-sized mail pieces processed through USPS automated equipment.

To create an account, you go to informeddelivery.usps.com.

You start by entering an address, accepting terms and conditions that look like something from Microsoft ("warrant and represent that I am eligible to receive mail" at this address), and creating your account.

Account creation is the standard process: ID, password, security questions and answers, email address, phone number, and opt-in for communications from USPS and partners.  They validate the email address through the common process of sending an email and having you sign into a specific URL.

What is not included in the process is any actual validation of your identity, name, address, or phone number.  In other words, anyone can sign up for the service for any physical address using any email.  There is nothing preventing "me" from signing up for the Informed Delivery service for "your" house.

I signed up, not because I want to track the mail coming to my house, but because I wanted to prevent anyone else from grabbing it.  One nice feature is the ability to flag non-receipt of specific pieces, but I have no information about what USPS actually does about the reports.  After having the service for a bit of time, and checking it only infrequently, I started thinking about the information that could be derived for social engineering from this source.

Since I already know a lot about the mail I receive, I worked with a trusted friend to access their information.  They set up the account but gave me access to it.  I spent the next eight months summarizing and logging all the mail items they received to determine what I could learn about them.

What Did I Learn?

I learned a few interesting facts about the service itself:

The last bullet is a little scary.

Somehow USPS is interpreting the mail you are receiving and connecting that with web content.  I do not know if USPS is OCR-interpreting corporate names or just simple image recognition based on feeds from those advertisers.  I only hope that data is not leaking in the other direction.

The above SiriusXM envelope is a good example of the bleed through.

I used this as an example because it is safe as an advertisement - it discloses no information about my friend other than that they owned a satellite radio at one time and the account has expired.  While the SiriusXM information is totally benign, other examples of bleed through leaked more sensitive information.

I learned many things about my friend.

I learned that most of the couple's debt was individual - they had their own credit cards.  They had several cards, each from different providers - and different affinities.  This was easy to figure out from the envelopes - the affinity and provider are often on the envelope, and the creditor name is in the address window.

Their big credit was in joint names - like home and vehicle - but with different banks.  Their automobile and home insurance policies were with the same company.

They seem to be credit-worthy, in that they get a lot of advertisements for credit.

Based on this envelope, an advertisement for high-yield savings accounts, American Express thinks they have some money to place in savings - and would be willing to bank online.

Based on the affinity cards, magazine subscription statements, and memberships, I know a lot about their interests, hobbies, and favored causes.

Based on this envelope, a discount voucher for Fly Fisherman (magazine, I presume), I conclude they have some interest in the outdoors, possibly fly fishing in particular.

I also know that there was some change with their cellular service this year - they no longer receive statements in the mail.  The exact change is not obvious - they could have switched to electronic delivery or a different provider.

They seem to have a few investments, based on the different mailings they get from one financial advisor firm with different fund names on the envelopes.  They also seem to have multiple investments - like 401(k) - and accounts at multiple banks.  I even know the name of their actual financial advisor and their assistants.

I know the names of some of their closer friends - based on the receipt of cards.  Cards are easy to figure out based on size, pretty envelopes, and hand-written addresses.

I also know a bit about their medical conditions - at least the specialties of the medical professionals they visit (and how often).

I know who they work for - based on envelopes with the corporate name and tags along the line of "Important benefits information enclosed," "Your 401(k)," "Important Tax Information," and similar.

I also learned a bit about their tax situation.  They get the real estate tax statements and get refunds on their income taxes.  How the real estate taxes are paid or how much the refunds are, I do not know.

Based on the advertisements they receive, I can even conclude that they have a pool and a lawn, that they are over 50 years old, and that they have a bit of a lead foot (one item was a citation from an automated speed camera) - but not a lot of a lead foot because there was only one in eight months.

Granted, that is a lot of time to invest in research. But with the ease and low risk of that research, it is possible to have multiple targets at one time.

How Could I Use This Information?

The value of this information comes if I want to know what kind of accounts they have.

It doesn't make sense to try to phish someone about a Chase credit card when they carry one from Bank of America.  The same goes with regular bank accounts: someone who banks at TD isn't going to respond to a phish from Santander.  Phishing over the phone is also enhanced because I know the names of people who are important to my friend.  I know the names of their financial advisors, insurance agents, and close family/friends (based on holiday/birthday cards).

This information also has value if I wanted to mailbox-dive or porch pirate.

I can watch for specific checks (like from the IRS) or packages.  Enough information is available to provide a cover story for the porch pirating - "I'm here to retrieve the package with tracking number 123XYZ which was misdelivered, here's the package."

Of course, all this information (and more, since not all mail ends up on Informed Delivery) is available by looking in someone's mailbox.  But it is a lot more effort to go to a physical location on a regular basis and the risk of detection is much higher.

Disclaimers

I reviewed the disclosures in this article with the recipient.

I have to conclude this article with a few disclaimers: It is illegal to misuse this service to access information about someone else.  It is illegal to dig through someone's physical mail box.  And, of course, it is illegal to use this information for social engineering and phishing purposes.
