Are Postal Mail-Holds Used for Fraud?
Postal Yin and Yang Out of Balance
There is no doubt Internet technology has opened up a whole new world of possibilities, revolutionizing the way society conducts business. The cyber revolution has revitalized the business of the United States Postal Service as well, opening up new opportunities for revenue generation, plus streamlining countless processes. Ten years ago a postal customer could not schedule a mail pickup, could not see what was going to be in the mailbox that day, track a package in real time, or input a change of address order from home. Most mail-related tasks still required the drudgery of filling out a form at the post office.
The online overhaul of the past few years has made life and work easier for both postal customers and employees. However, as we have seen with the explosion of Internet technology in countless other industries, the supernova of positive change creates a sinister shadow. The good and the bad orbit each other in a Yin and Yang figure that is not a symbol of balance, but more the image of a wheel threatening to go off the rails. For every technological benefit that clever, benevolent minds can implement, some equally clever but malevolent, twisted brain will figure out how to use it toward an evil end.
Financial institutions get hacked, social media giants get hacked, everybody gets hacked these days. Bank account passwords, social security numbers, etc., are laid bare there before the evil eyes of thieves, who run with an innocent stranger's identity to skim funds or take out loans. In the past, this illicit procurement of personal information did not require a sophisticated knowledge of computer programming. Every letter carrier has stood before a neighborhood delivery and collection unit rendered into a useless metal box, its gaping, demolished door flapping back and forth in the breeze, a testament to the fact that identity theft only takes a crowbar and the brute force to use it. But now, with the automation of age old postal processes, the tools to pry open the vast vault of personal data have grown more sophisticated, and more effective.
This article deals primarily with the time-honored institution of the mail-hold, or vacation hold as it is often known. Postal customers on their way out of town for a few days will fill out a hold request to keep their unretrieved mail from the hands of thieves, or even unreliable family members. But by automating the vacation hold process to make it easier for mail recipients, has the Postal Service unwittingly boosted business for those very mail thieves it was intended to protect against?
Small Margin of Potential Compromise?
The current outbreak of mail-hold abuse is not the first instance where cagey criminals have subverted a postal process for nefarious purposes. The automation of the US mail has automated the pilferage of postal products in lockstep, with every new phone app and website feature to roll off the line. Mail forwarding is one such glaring example. In my own experience as a letter carrier, I have had several instances of customers complaining that their mail is being forwarded to somebody they don't know, without their permission. Of course, the postal service sends out a verification letter to confirm the forward, but more often than not these are tossed aside as junk from an unknown origin. Typically, by the time the victimized customer realizes their mail is a no-show, they are already missing several sensitive items.
37 million change of address requests are filed every year. Postal spokesperson Karen Mazurkiewicz, inundated by complaints about fraudulent forwards, referred to this vast data repository in claiming that the crime constitutes a small margin of potential compromise. The fact that I have already encountered it on a few occasions, however, indicates that the problem is more common than Postal Service spokesholes are willing to admit.
Another fertile breeding ground for fraud is Informed Delivery, a process implemented a few years ago to allow postal customers to see in advance what mail will be arriving that day, via an email that displays images of letters and packages. Seems like a nifty and useful function that enables one to run home and retrieve the stimulus check before the bad guys beat you to the box, but it also has an unforeseen downside.
An alert disseminated by the Secret Service warned of how thieves take advantage of Informed Delivery for ill gotten gain. "... The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Website." By enrolling for Informed Delivery at addresses who do not receive the service, these resourceful criminals were able to eliminate the guesswork and footwork of hitting every mailbox on the block. Instead, they could pinpoint their focus on residences seen on the app to be receiving credit cards or other financially sensitive instruments. In so doing, these crooks managed to rack up 400,000 dollars of fraudulent charges on their victims' accounts.
Moral of story? - Prying eyes are watching you. If you don't have Informed Delivery already, get it before the thieves do, so that their one stop shopping spree does not take place in your mailbox. I have it exactly for that purpose, not so much so I can read the daily-generated message, but to keep unwanted, predatory eyes from peeping inside my mail receptacle.
Law of Postal Information Systems - For Every Positive Action, An Equal and Opposite Criminal Reaction
So we see that for every action of the Postal Service to implement a useful online tool for its customers, there is an equal and opposite reaction in the underworld of the unlawful to exploit its weaknesses. And this brings us around to the Postal mail hold as a source of potential fraud. Is your ability to conveniently fill out your vacation request from home or your phone actually doing the opposite of its intended purpose, by allowing larcenous lowlifes to steal your erroneously detained mail?
The anecdotal evidence I have accumulated as a USPS letter carrier makes me guess yes. Just in the past two weeks I have encountered two false mail holds. In both cases, after a week or so of detaining delivery, the residents came into the Post Office to complain.
One of these instances involved a family member trying to halt his own correspondence, perhaps without knowing that a vacation hold stops mail for the entire household, not just an individual. The second mail hold, however, was generated by a person the homeowner didn't know. This mystery individual, who the head-scratching customer speculated may have been a friend of his roommate, even ordered several packages. I do not know what the ultimate identity of the mystery mail holder turned out to be, but both of these cases made me to speculate upon how easily mail holds can be used for illicit purposes.
The first case demonstrates that a vindictive relative could easily use a mail hold as a weapon in an ongoing family feud. A disgruntled son or daughter might be looking to get even with Mom, Dad or Grandma by holding their mail, or even stealing their checks. It would certainly be possible for a person with the same last name as a check's payee to do this, particularly if they were a junior and the first and last names both matched. I am not saying this is what happened here, it was probably just an honest misunderstanding of the mail hold process, but don't tell me other people elsewhere haven't tried.
The second occurrence is more of a conundrum. Why would a legitimate friend of a roommate need to put in a hold to receive mail at his house? Couldn't he just say "hey buddy do you mind if I have a package sent to your place," then swing by to pick it up later? This is a common enough practice - people don't want their husbands or wives to see their birthday surprises, so they have it shipped elsewhere. But you don't need to stop your buddy's mail to do that, which leads me to believe something sketchy was going on. The fact that the resident did not know the mail holder makes me conclude that someone in need of a physical address hijacked this house's mail for a few days, then maybe waited a little too long to pick it up at the post office.
Whatever the case, the incident exemplifies the multitude of ways a mail hold can be used for malfeasance. Don't think that your professional and amateur shysters out there have not thought about and attempted to use them. Although sticky-fingered family members and perhaps the homeless have certainly tried to abuse the mail hold, there is a high probability that identity theft is the leading reason for the tool's exploitation.
On June 24, 2020, in fact, the Postal Inspection Service in Tom's River, New Jersey, reported an investigation into fraudulent mail holds, where stolen personal data was used to apply for credit cards. This very recent episode confirms the existence and seriousness of the problem, and suggests that it may be the new trend among identity thieves. Could it be that mailbox marauders, deterred by the increasing difficulty of getting a victim's mail forwarded to them, are turning to loopholes in the mail hold as a work around?
A Mail-Hold Experiment
It turns out that the ostrich head in the sand approach to cyber security wasn't working so well for the Postal Service. Its small margin of potential mantra wasn't really soothing customers frightened by the specter of identity theft. In response, the organization finally broke down and implemented measures designed to prevent hijacked holds. Eric Zorn, writing in the Chicago Tribune, says that in October 2019 the USPS began "... requiring customers to create verified accounts with usernames, passwords and personalized security questions before they can order vacation holds."
Are the new security measures effective? At the risk of putting myself on a permanent mail-hold probation, I decided to go to USPS.com and try to stop my own mail with a different identity. I used my pen name, not my real one, and a phone number that did not belong to me. It distresses me to report that I succeeded, in spite of the new security measures. Furthermore, the process was embarrassingly easy.
I was really hoping I would be wrong. I was really hoping that the Postal Service had nailed this down, done the digital door slam, doused the enemy at the gates in boiling oil. But alas, they have not.
Now, don't call the cops or the Postal Inspectors. The vacation hold was placed on my own mail, for my own address. Technically, I don't think you can get arrested for stealing your own stuff. Maybe I'm wrong about that, but the Postal Service is more than wrong if they think they have prevented mail hold fraud with these bush league security efforts.
Confirmation Code? Can We At Least Require a Confirmation Code?
Of course, I already had a USPS.com account, so I had to get a new one. By not allowing me to create a duplicate account for my address I could have been nipped in the bud early, but I cleared this first hurdle without even brushing my toe against the top.
From there I moved quickly, easily, and shamelessly through the steps, feeling like a criminal mastermind. Then I arrived at the place I thought would be an insurmountable roadblock, a castle moat filled with starving, snapping alligators. Here I was going to come to a screeching halt, be given the old heave ho, knocked dead in my tracks.
The program was prompting me to input my phone number. I paused a moment to consider, before thinking that using my own number would interfere with the validity of the experiment. What if the program recognizes your phone number from your other account and lets you slide through on that basis? I thought about asking a friend if I could borrow his number for the experiment then stopped myself, thinking he might get weirded out, believing me to be involved in some evil identity-snatching ring, which I was. So I called my oldest son instead.
His is the only phone number on the family plan that doesn't have the same prefix. He is also the only one who at least pretends to be interested in the stuff I am writing about. Still, I was rather surprised that he answered the phone, that in itself being an anomaly that bears investigation. "Hey I'm writing an article about mail hold fraud," I told him, "and I'm going to use your phone number to set up a bogus account. You're probably going to get a confirmation code. Can you please text that to me?"
Judging by his permissive attitude, I think I could have told him I was going to pull his toenails out with a pair of pliers, as an experiment. "Yeah sure, go ahead," he said.
The reason I was expecting the application to send a confirmation code, Captain Obvious, is that everybody age 6 and up knows that this is what happens across the width and breadth of the Internet, every time a user tries to access an app on a new device or change a password. Microsoft, Google, Facebook, all the big, respectable giants do it.
But not the Postal Service. Simply by inputting my son's number, I got through. I cannot guess why the process even required a phone number if it wasn't going to be used for security verification purposes. It was like the Postal software development squad was saying Hey the other guys use a phone number and it sounds cool, let's do it too, without considering the rationale behind the move. Really, it was if a bunch of apes were sitting around a dark screen to mimic human TV-watching behavior, without any among them thinking to turn the power button on.
A Few Solutions From My Tiny Postal Pinhead
But I was in. I had done it. I had successfully pole-vaulted the vaunted small margin of potential. All that was left was to set up my mail hold, which I did for the fourth of July weekend. So unless the Postal Inspectors batter down my door sometime soon, or slap the cuffs on my son for using his phone number for malicious purposes, I guess my experiment was a success. Or a failure, depending how you look at it.
Now I need to throw out the question of what you, as a vulnerable postal customer, can do to avoid getting splattered by this fertile fruit, bursting ripe on the vine for identity picking. The answer is nothing. It is entirely out of your hands, and completely at the mercy of the people who control the program. Then again, perhaps you're smarter than me, maybe you have already thought of a way to protect your mail from being hijacked. If so, share it with us, because I am completely stupefied, mystified really, by how easy it was for me to set up a bogus "verified" account. If a model citizen like me could do it, I'm sure an experienced random thief could do it better.
It appears that we, the at-risk public, sit here helplessly exposed, like a rabbit on a rope in a den of wolves. But there are a few easy things the Postal Service could do to decrease the small margin of potential for mail hold fraud. I'm no cyber genius, heck I barely even understand the appropriate texting abbreviations, but some methods occurred to me almost instantly. So I'm sitting here all SMH, wondering why the software development gurus at postal HQ didn't think of them.
First of all, customers could set up their accounts to opt out of mail holds. This could also be done for Informed Delivery and address changes. Maybe opting out should be the default state, so one has to uncheck the "opt out" box before requesting any of these things. As an extra layer of security, changing the "opt out" should demand a verification code, via the phone number or email listed on the account. No code, no hold, no exceptions. Additionally, the application should have to recognize a device. If a customer sets up the account by phone but wants to do the hold from a laptop, they have to go through the verification code procedure again. Pain in the ass, but it nails shut some gaping holes in the identify theft defenses.
Of course, the success of these fixes is contingent on allowing only one postal account per customer. This in itself would eliminate a lot of the vulnerabilities, though not all. I couldn't have created my bogus account had this procedure been in place, and it would have shut out most of your entry level, minor league, not quite ready for prime time thieves. Someone wants to do an individual forward from a residence on an account that is not registered to them? Tough titty said the kitty. Either they can get the account holder to do it, or go stand in line at the PO with driver's license and some kind of proof of residence in their flighty hands.
Postal Cyber Maginot Line
So I'm sitting here a little smug, me just a grunt mailman thinking of all these things without really straining my little pith-helmet covered pinhead. I'm sure the programming geniuses at 1 L'enfant Plaza could come up with some much more sophisticated techniques, if they really tried.
So let's start trying. You can't hold the rabid identity wolves back with a sign that says small margin of potential. These street smart old dogs will pee on your sign then turn to eat you. And you can't just implement half ass measures and say the problem is fixed. No, you need a full moon effort, a 100 percent gluteus maximus on this problem.
In spite of its cyber vulnerabilities, the Postal Service is consistently voted the most trusted government agency. Let's start justifying that love. The thieves are running roughshod over postal customers, snatching their identities like taking candy from a baby. We're stopping the crowbar crowd by putting up new, impenetrable CBUs, tighter than Fort Knox, now let's turn our efforts toward plugging the holes in this Maginot Line of cyber defenses. If you don't know what the Maginot Line is, look it up. It didn't work either.