> "Henderson-Spruce did not identify himself on the one-page form. At first, the initials 'HS' were written on the signature line, but the initials were then scratched out and replaced with 'UPS,' according to the charges"
Come on, this guy is a genius. The fact he managed to pull it off by literally using cartoon-level forgery is nothing but remarkable.
I guess, that's pretty funny and clever by itself, but the fact that he left a trail of $58K of bank fraud pointing straight back to himself was pretty dumb. He's definitely doing time for that.
And how does the postal worker delivering thousands of letters addressed to "UPS Headquarters ATLANTA" to a dude's apartment in Chicago not think it strange and report it?
Just an anecdotal data point, but, in the year and change I lived in Chicago (relatively recently) I experienced the local USPS quality of service to be... extraordinarily lacking.
They probably use their own services for important deliveries. Besides, if USPS don't report strange/dangerous USPS delivery activities, who else would?
I guess everybody who tried sending mail (including checks, apparently) to them and never got through would suspect something is wrong and report it...
That just means the people who are supposed to ensure something like that aren't smart. Not that he's a genius.
Someone remotely close to being smart would instead route to someplace he doesn't live, for starters. And it doesn't say anything about credit card fraud, which would be much wiser rather than check fraud (in the context of breaking the law here) since there is much less recorded evidence.
disagree, this guy is just a dumbass. deposited the checks to his own account?
If you want to learn the fundamentals of social engineering or educate a person who needs to be resistant to it, read Mitnick's "Art of Deception" book.
I don't think it takes a genius to recognize the fragile parts of a seemingly secure system we live in. I'm sure there are people in every industry that know things that can be easily exploited for profit.
The change of address form at USPS is laughably unsecure. All it takes is $1 and anyone can write any address and forward all the mail for 1 year to any other address. There is no verification of ID and the only warning you get is a post card at the original address telling you the mail is being forwarded but by then it is already too late as mail is already being routed to the new address. Even if you called immediately to stop it some of your mail would end up at the new address.
Postal mail is insecure yet companies and services like to rely on it as the authoritative form of notice and communication. That and also giving out info over the telephone.
On one hand we have PCI-compliance, SSL encryption, and on the other hand we have a phone call (unencrypted, easily tappable anywhere along the thousands of miles of wire) where companies expect to call me and assume it's secure enough for me to 1) know that it's definitively them and 2) not have some support agent steal my credit card information/private information.
> Postal mail is insecure yet companies and services like to rely on it as the authoritative form of notice and communication.
From another perspective though - while not "secure against manipulation", at least postal mail has federal laws with serious punitive remedies, and investigators who seem to genuinely be committed to enforcing those laws and chasing the penalties.
Most things in the real world are not "4096 bit cryptographically secured, guaranteed unbreakable before the heat death of the universe", instead they're "secured by people with guns, courts, and jails who are society's deterrence against smashing fragile windows, picking flimsy locks, and fraudulently filling out paperwork".
It _mostly_ works.
And in some ways, the "fiction of security backed by laws with teeth" works _better_. I locked myself out of my apartment recently, and my friend with my spare keys was on a trip ~800km away. So I called a locksmith, who got through the two locks on my front door in ~90 seconds. I'm _very_ glad he could, even though the tool he used is easily available on AliExpress for ~$25...
I was downloading Postal Service mp3s from Kazaa and ended up downloading some USPS disciplinary reports on accident. I shared them with a friend because I thought they were funny, and he posted excerpts on a message board. From there it somehow got to the USPSIS who tracked down my friend’s cell phone #. I eventually agreed to meet, so the inspector flew out from DC and met us at a diner in Santa Cruz. He showed us his badge and went over how I ended up with the files. The whole thing was sort of bizarre, but he was pretty friendly and seemed more interested in figuring out how the files got out than throwing the book at me or my friend.
Sure, whatever you say. One of my bitcoin-addled friends loves to claim this. I left $1000 in an account and gave him the routing and account numbers and welcomed him to take it. He couldn't do it.
Then he was not very clever. Account + routing number can be used to make a payment to any merchant that accepts ACH payments. At the very least he should have been able to pay his credit card or utilities with it, without any technical knowledge at all.
If you have a merchant account, you can take direct debits from an account using those numbers. Getting a merchant account underwritten for yourself can take less than a day, and the verification process isn’t all that robust.
Account numbers are essentially more valuable than credit card numbers. Except credit card numbers are at least supposed to be protected by a rather decent security standard. With ACH there is no such standard, you can handle account numbers any way you please, and many merchants do so very poorly. Also, the account number is written on checks that you literally hand out to people, which is pretty much the worst thing you could do with a credit card number.
Your anecdote is meaningless. Any individual can easily commit fraud with an account number, and if they put a small amount of effort into it, they could do it on a very large scale. There is no security standard that protects ACH data, only a short set of regulations that describe how committing fraud will send you directly to prison.
I do a bit of lockpicking as a hobby and often carry lockpicks because they've come in handy several times when people lost keys, etc....
Most door locks and deadbolts in the US will fall to rakes in a minute or less. I've found the Southord L-rake and Pagoda to be pretty effective. These can be had in basic versions without much of a handle from southord.com for $1.65. (A tension tool is also required; it's pretty much just a bent piece of steel).
It looks like it's called a "lock gun", that's what I found them called when I went looking for one on Ali Express. Just a little plastic pistol-grip handled tool that he selected a metal blade on and stuck it in the keyway and pulled the trigger as he wriggled it around and twisted it. The first lock took him 2 tries at the right blade and took him a minute or so, then the second lock he got the right blade first try and was in in under 30 secs...
I kinda knew "ordinary domestic locks" weren't very secure against skilled lockpickers, and I don't know if there's some hidden technique required to use those things - but I was astounded and dismayed at how quickly my two different locks fell to such an easily available tool...
It's not like the system he was cracking was very secure. It has to be regularly openable with just a piece of metal, with tolerances so that when your key teeth wear down over the years it still works.
A pin/tumbler lock can be made considerably more secure against the attacks that work very quickly than most of the ones found on houses in the US actually are. Simply using security pins will significantly reduce the effectiveness of lockpick guns, rakes and bump keys.
In short, standard pins in locks only have one place they're likely to stick when manipulated under tension: the shear line that allows the lock to open. Security pins have additional grooves machined into them that will make the pin stick at points that do not result in the lock opening. It's still possible to pick locks that have them, but it often needs to be done one pin at a time, which is usually slower and tends to require more skill.
This drives me mad. My health insurance company tries to call me on a regular basis, but because they have to verify they’re speaking with me for HIPAA, they ask for the last 4 of my social.
To which I reply “You called me. I don’t know that you are who you say you are. I’m not giving you anything.” And hang up. What moron thought this was a good idea?
The first time my insurance company did this to me, the woman who called me (from a random phone number that didn't belong to the insurance company) sounded confused about why I wasn't going to give some random person my PII. When I called their 800 number, I was on hold for 20 minutes before they finally tracked down the entry in my account explaining why they had called.
Apparently, every time I order medical supplies they call me to tell me that they've sent a Very Important Letter, but they can't say what it is. When it arrives the next day, it informs me that they've approved my request for the supplies, which by this point have already arrived a week and a half ago.
It's gotten to the point where the calls now go like this:
Them: Hi, this is [insurance company], can I have your date of birth please?
Me: Is this about the letter you've sent?
Them: ...Yes?
Me: OK, I'll keep an eye out.
Them: Erm... right. Have a nice day!
This is so awful. I once got randomly selected to be a survey participant by a government agency while I was building a path. It was on the effect on my life of an earthquake thousands of kilometres away (there wasn’t any). They claimed I was legally obliged to participate or would be prosecuted. ID was produced etc. He sat and fired random questions at me while I broke concrete with a sledgehammer for an hour. I’d give the shortest possible answer, because I was breathless and the time between swings wasn’t long. Then they did follow up calls once every week for a year at the same time each week. These were never answered and the messages were not returned.
I have no idea why your story reminded me of this, but it triggered the same rage centre.
It's because tech has a long tail. You have to remember that there are people who still aren't online, who are technologically illiterate, who don't use email or secure messaging etc. A lot of regulated companies (especially health care entities) are MANDATED to send and receive stuff insecurely so they can make sure that Jane Doe grandma in rural Wyoming actually gets the correspondence.
I've run into the opposite situation making me hesitant to trust legitimate correspondence with my own banks. The past few times I had to take care of something over the phone, they did not ask for anything that could reasonably confirm my identity or account. One bank only asked for the last four digits of my account number. When I called another bank in response to an email alert about a fraudulent transaction, the representative asked for a phone number to text a verification code that I had to repeat back to them ("You want me to give you a ten-digit number?" "Yes"). Looking back on it, the first bank may have figured that few people will ever have the same account status problem at the same time and would ask for more information in the event of a collision, and the second one may have required me to name one of the phone numbers they already had on file (I'm used to representatives telling me a few digits of the number they're going to text based on what they have on file). But without knowing the entire workflow ahead of time, it seemed just as likely that this was a bunch of meaningless ceremony meant to give the appearance of bank-scale IT infrastructure in action so that I'd feel more comfortable revealing sensitive information later.
My credit union’s fraud department contact information isn’t listed on their website and they called me several times before I finally called the main switchboard and had someone patch me through. No I’m not giving my account information to someone who called me.
You’re the fraud prevention department for chrissakes. Act like you’re preventing fraud, not participating.
That's why I was pleasantly surprised recently when my bank called me about some fraudulent transactions, and the entirety of the conversation was: "Do you recognise this transaction?" "No" "OK, your card has been blocked and a new one is on its way".
Even if it had been a fraudulent call, they weren't asking for anything (so I didn't have to bother verifying it was legitimate), and even if they got the wrong person there is limited damage they could do.
I'd notice there was a problem when I stopped receiving mail and my current card stopped working. Even then, even if they DID get the new card, I could report any subsequent transactions as fraudulent (honestly, my mail being redirected would be a much bigger issue to me than someone having access to my card, so that doesn't add much to the attack potential).
Also, at some point, it becomes infeasible enough (that someone would have redirected my mail, hijacked my phone number or managed to change it with the bank, triggered a call from my bank, and managed to line them all up so I hadn't noticed there was a problem) and more trouble than it's worth to be worried about it happening.
I can kind of see how it happened though. People want their data protected so they pass laws that you have to check who it is and not someone else in the building who happened to pick up the phone.
I'm on a home owners board with a woman who is a paralegal for her brother's law firm and it amazes me how much stuff they do that they think is either secure or provides some sort of authentication (in the meat world). Kind of annoying when they want to go through all sorts of rigmarole when it doesn't actually provide the features they think.
I was recently meeting with the Head of Security for a large firm. He had a pretty decent explanation of the process to implementing security that I thought was very apt. The way he put it, there’s two overarching milestones, “liability” and “actually secure”. “Liability” is where you have checked all the right boxes to be able to aptly defend yourself in court and is the achievable goal. “Actually secure” is the pipe dream you will always strive for, but never obtain.
In college I had a Prof who was a leader in network technology and was hired as an expert witness for the RIAA trials for people getting busted illegally downloading music and movies. I lost all respect for him when he was working a case where an elderly lady had an open wifi connection on her home router. He never brought up the fact that it's not possible to know what was going on behind the NAT wall and that because her wifi has no encryption anyone driving by could use it.
Now that I'm older it worries me that it is very possible to go to court and be on the right side and have a judge and jury who cannot comprehend these basic concepts. I've had bosses who work in software / hardware industry not understand concepts, God forbid I ever have to defend myself in a public forum.
Well our issues are more about things like sending someone a letter, proving they got it and that the person receiving it is the person we wanted to send it to. Even with a certified letter none of those features are actually possible with the current USPS, at least not in any real meaningful way. And don't even get me started on their use of received receipts in email.
But like you said, it's all about screwing the system and I'm sure a judge would not understand any of these concepts regardless of how simple someone would make them.
We have "secure mail" here in Australia, where you have to go to the post office to pick it up.
It's actually incredibly annoying, my rental contract was sent via this method, so I have to go to the post office to pick it up, despite the fact that I actually live closer to the real estate agents office.
Why they couldn't just email it to me, I'm not entirely sure.
We have this in the US as well, "Registered Mail". It's only used for things that are very sensitive/important since it's a huge pain in the butt, both sender and recipient require verification of identity.
“Registered Mail” in the US does not require any form of verification of identity. All it does is provide extra insurance and delivery confirmation. “Certified Mail” doesn’t require identity verification either, so I’m not sure what service you are thinking of, but I’m near positive nothing of that sort exists with USPS.
Specify the person who can sign for and receive your item. Must be purchased in combination with another extra service as follows: Certified Mail, COD, Insured Mail (over $500), Registered Mail, or Signature Confirmation.
Restricted delivery doesn’t do identity verification. I can say I’m John Doe and sign as John Doe and receive the package (I’ve received restricted delivery packages before and the carrier in multiple different states never asked for ID). I’ve also sent restricted delivery mail before and never had my identity checked as OP claimed.
Edit:
Per Stamps.com [0], the USPS “may” require ID on delivery, but again, in my experience, I’ve never been asked once.
With old, physical systems, a bad person can easily mess with a single to a few people. With new digital systems the bar is very high, most people are stumped. But when you do get over the bar, then you can mess with hundreds of millions of people.
Authoritative notice via postal mail is done by certified letter. That is trackable and much more reliable than the regular postal mail.
In my neighborhood I routinely get mail that is meant for my neighbors, and they get mine. I don't know if it's a sorting problem at the central office or driver incompetence but regular postal mail is absolutely not reliable.
There's a new feature they just rolled out that emails you images of the mail whenever it comes. Just as little security. You can spy on someone's mail indefinitely and they'd be none the wiser.
My favorite part of this feature is that I now get to see images of junk mail before it is delivered to my mailbox. Too bad the USPS is so serious about maintaining their leadership as the 'leading deliverer of junk mail' to offer a way for recipients to reject it since they can literally see it in transit.
If you could reject junk mail, junk mail senders wouldn't pay to, well, send it. And the USPS would lose a lot of money.
Imagine how terrible GMail's spam filters would be if spammers paid Google for delivery... Oh wait, Google literally has a dedicated tab for that! For those that find it useful (and I don't doubt it is), imagine what the alternative would be for the spammers, you'd be 100% ignoring it by unsubscribing or filtering it as spam. Now that it's corralled off, you can look at it at your leisure, and Google can keep advertisers happy by offering them a non-zero chance you'll look at their spam.
But promotions is something completely different from spam. Almost every single email you get there, you subscribed to or didn't opt-out of. And if you don't have an unsubscribe link in those emails, you can still create a manual filter to auto-delete them. And those senders don't pay Google to end up in promotions anyway.
It does seem really weird that somehow a business relationship between spam companies and the United States postal service means that I have to be responsible for recycling a bunch of garbage.
Once it's in my mailbox, what can I do, drop it on the ground? That's littering and a crime. Leave it in my mailbox? I tried that and the mailman eventually stuck a Post-It note on my box saying I wasn't allowed to do that.
So I'm in some sort of weird uncontracted relationship wherein I must ferry a bunch of paper from my box to the recycling bin.
1. Open the envelope and look for a pre-franked reply envelope. If there is one, stuff the junk into that and post it. Extra revenue for the postal service.
2. If it is a really persistent and annoying sender, mutilate my address and post it. This should result in it being routed back to the sender but does impose extra work on the postal service.
Oh yes, I've done #1 before. My favorite is to stuff a credit card A offer return envelope with the crap from a credit card B offer, and vice versa. Sometimes if they really piss me off, I'll throw in a few heavy things (rocks, etc) so they pay extra. A small ziplock bag full of sand fits very nicely, and weighs (relatively) a lot. I've yet to try taping a return envelope to a large box, but it seems like the postal service would accept it and charge them accordingly, right?
I used to do that until the mailman decided I didn't live here anymore...twice.
Now I apparently don't have a mailing address though the only bill I could never successfully get converted to all electronic (not from lack of trying) is the power company which messes them up every so often getting their bills returned every month.
Check out Traveling Mailbox. Same basic idea as Earth-class mail, but cheaper and targeted more towards individuals rather than businesses. I'm not affiliated, but a satisfied customer.
On the whole, the service is brilliant, and exactly what USPS should have become in the mid-90s. Mail is auto-scanned and delivered as a pdf attachment to my email. When I need something physically forwarded to me, the prices are only a small markup from what it costs to mail the package, and it's mailed promptly. On the whole, it's awesome, and I'm very happy to be a customer.
I'll give you my two big complaints:
1) The time delay. My Traveling Mailbox address is in the western half of the US. Mail has to be delivered to that address, then shipped cross country to North Carolina where their headquarters and mail scanner is. You can count on an additional 3 to 14 days after USPS thinks the mail has been delivered before a scan of it shows up in my email inbox. A couple years ago, this was much worse and less consistent; occasionally letters were 3 weeks late. However in the past 2 years or so, I've noticed the time delay has been much more consistent, centering around 3-5 business days. They maintain addresses all over the country, and there's probably only the scale and margin to maintain one scanning facility, so I don't know what TM could realistically do to address this problem. If I didn't need an address where I have it, I would have already moved my address to Sanford, NC, where their headquarters is.
2) Some banks don't like the address. Due to KYC laws, banks and financial institutions need a residential address for their clients. I'm homeless and don't have such an address, so this is difficult for me. Traveling Mailbox is nice in that they give you a street address, not a P.O. Box. To a casual glance, it looks like a normal street address, but if one researches the address online, one will find that it's a business. When I changed my address over to use my TM address as my home address, about half the financial institutions I worked with rejected the address as not being my residence and said they couldn't do business with me anymore. Some asked for a driver's license as proof of the address. I said no problem and faxed my driver's license (which has my TM address), but the institutions still closed my account without further explanation. I'm still a little salty about the hubris of the politicians who enacted the KYC laws, assuming that everybody conforms and has a permanent residential address.
I almost forgot the best part of it: I don't receive any mass mailings. Couple that with opting out of unsolicited mailings and calling all my banks and opting out of their "special offers", I get almost no unwanted mail.
I wish that for a variety of online activities, I could set a maximum bandwidth available for ads and have advertisers bid for it, to keep my system running fast. And in turn, Google (or others) could price its services based on how much bandwidth users put out for bid.
Edit: It should be obvious that you could do this with physical mail too.
In order to maintain access to (currently) free services without making one's computer unusable.
The problem I see is that the processing and bandwidth used by advertising are currently "as much as advertisers can get away with" and I think it's leading to a tragedy of the commons.
But I see no need to eliminate ads and free services either. There just needs to be a cap enforced on the resources used.
Yep. I get e-mail every few days with pictures of the mail headed for the people who now live in an apartment in another city I haven't lived in for close to 10 years.
I've tried to get it fixed online, but so far no results.
Not for me! I switched to a mail forwarding service (US Global Mail of Houston, TX) many years ago. The benefits are many-fold:
-I no longer change my address when I move (my wife and I have lived in and flipped 10+ houses in 6 years)
-I get to view full color envelope scans of all my mail at anytime and choose what to: fully scan, bundle and forward, or toss in the rubbish
-I got to sign off with notarized US Govt forms that I am "no longer a customer of the USPS"
-The only mail that arrives at my physical address is thus spam, and I toss all of it (I should rig a trash can to the bottom of the mailbox)
-The price point is well within reason
I used Earth Class Mail for years while moving around for school and work. I even put my ECM address on my resume along with my phone number. As is typical of these services, among ECM's many customers were scam businesses. If you Googled the address of some fly-by-night company to get a phone number after being ripped-off or defrauded, my resume would be at the top of the search results, along with my phone number. I regularly received phone calls from upset and confused people. Fortunately it was easy to explain the mixup.
Hey awesome! I'm glad you like it. I built that whole system from about 100 customers. I don't work there anymore but I did really enjoy making that stuff work.
I once sent a friend a temp Gmail account login to read a doc. Next thing I know most Google apps on their phone are using that login. Search/video search/location history all available without their knowledge.
If there are shared computers in a workplace, it’s amazing how many people set up their personal email on the machine’s mail client. It’s mystifying how some of them do it and it seems to be accidental.
Sensitive mail such as ID and credit cards often will not follow address forwarding, for this reason. Was a huge PITA when I tried to renew my driver license while in college: I had to lift the forwarding setup from my parents’ house to get it to stop bouncing back to the DMV.
I just did this yesterday and it verified my credit card billing with either my previous or new address. Probably not that hard to pass that with a prepaid card.
Actually, if you fill out the form, you can mail it in or hand it to a postal clerk and skip the $1 fee. I recently had to change my P.O. Box address and could not do it online; because the credit card used for the $1 charge has to match the old address.
I was struggling to think of a profitable, malicious use case for this but there is at least one: send someone like your landlord a check with insufficient funds in your account and put a hold on their mail, hoping they won't straighten it out until you get paid.
Landlords and vendors can do the same thing: Send you a notice of changes in terms to your contract, and then bill you and send you to collections before you have a chance to object. (Been there, done that, with a landlord who decided that "the apartment I previously rented from her" was my current official contact address.)
I have used this mail forwarding service thrice and every time I have wondered what prevents me from forwarding my annoying neighbors' mails to Denali National Park. The answer is, fear of jail time.
I would /really/ like for national ID numbers to be public, and usable //as// 'addresses' for sent items. The owner of such a national ID address could update their preferred physical location (preferably also have different delivery locations and instructions for mail / packages / 'legal documents'). Maybe even electronic delivery addresses as well.
I think the best way of preventing abuse for such a system would be to include a lookup fee for its use (part of normal postage for mailed items).
In Denmark we have electronic national ID with one-time tokens on a small piece of paper.
You can use for: government interaction, banks, utilities, health records, and lots of other things.
They also made a digital secure mailbox, where you can receive PDFs from government, banks, utilities, doctors, etc. You can also send replies.
It sucks that all of this is point-and-click web apps without a standardized API. I'm sure other countries have similar things, but most implementations are probably snowflakes.
Whereas email is universally integrated everywhere, it's not trusted for personal sensitive information.
I hope one day secure webauthn and secure email will replace all these snowflakes. But as much as I hate to admit it, the non-standard walled gardens does do a better job, with higher security than the old paper world ever did.
Yes! This sucks... You can get text or email notifications.
Like I said, I hate these systems with passion, but as much as I hate to admit it they are more secure than paper ever was. Probably also more convenient, as things move fast compared to snailmail.
Portugal has the same, though it's optional. And you can login with your national ID card, which is a smartcard. And for bills, you can pay them through the site.
Yes, it's absolutely a snowflake as well, but considering the low amount of messages, I'm not sure that's much of a problem.
National IDs? Lookup fees? Yikes. I like the idea, but your proposed implementation needs some work.
Let's just do what we do with DNS and let anyone register a globally unique identifier. When USPS or FedEx or whomever wants to deliver to that address, they just perform a lookup to find the physical address to deliver to. You could create different identifiers for the different sorts of things you want delivered, and if you start to get a lot of spam you could just delete it and create a new one.
And what prevents your neighbor from changing the address that the GUID points to? How does USPS or FedEx know that the person trying to edit the GUID's address is the person who owns the GUID?
The reason why it needs to be handled through national ID numbers is because ultimately, national governments are today's identity arbiters, and they do the best job of verifying identity. They're not perfect, but they're the best body for the task, and strong, verifiable identity is the foundation upon which all other security is built.
What prevents me from changing the IP that a domain points to? The registrar of that domain won't let me log in and change it without the correct username and password. No national IDs needed, or involved in any way.
Sweden has a national ID system, your address is centrally managed at the tax office, so you can get bills/invoices and the only thing a company needs is your national ID (which is your date of birth + 4 numbers)
There are downsides in my opinion, like that my address/date of birth/age/living status is /very/ public.
This would be fine if it was optional for people who wanted to be included in a national ID system. As an American living under the ever-growing surveillance network being constructed and expanded by corporate and government agencies of every type, a national ID number is not something that appeals to me in any way, even if it slightly reduces the small chance that I'll be a victim of some sort of fraud.
How would this possibly increase the already-complete surveillance of everything you do? They already know who you are, where you live, every cent you spend and where, every site you visit, every email/call/sms you do, and it's all tied back to you.
I'm genuinely curious how Americans think a national ID number would practically increase any surveillance?
To me it sounds like a win for consumers. You no longer give your home address out to every single website that requires an address, or every time you buy something online. You can update your address in 1 place when you move, and don't have to fuss around with redirects and missed mail/packages.
I'm very open to being shown what I'm missing though, as it's a hot debate lately and I just don't get it.
> How would this possibly increase the already-complete surveillance of everything you do? They already know who you are, where you live, every cent you spend and where, every site you visit, every email/call/sms you do, and it's all tied back to you.
This is simply false. I choose not to carry a smartphone, I pay with cash for virtually everything, no "social media", I often use a VPN. There are many people who voluntarily give away all of their personal data to corporations - and there are many (though far fewer) of us who don't.
Let's be realistic here, in terms of surveillance and privacy we already have a national ID system for everyone who is an American citizen. People already use SSNs for an ID, your credit card transactions, bank records, and phone calls are already linked to you. If it's opt-in only then it'll never see significant adoption. You can't require e.g. banks to use some secure identification system without also requiring citizens to use that secure identification system.
The article doesn't mention it, but the USPS no longer allows you to submit a change of address from a commercial address. I tried to do this last September when my business moved and I received a letter from the USPS denying my request. This included any personal mail that was being sent to the commercial address even if it didn't have my business name.
I am not sure when the above restriction went into effect. It appears the crime mentioned in the article was in 2016, so perhaps it is recent.
This happened to me, too. I lived in a hotel, moved out, and was unable to forward my mail. My hotel room was considered to be a commercial address. I think this was in 2011.
When I was young I “hacked” the USPS to send free mail by putting the return address as the address I wanted to send to and leaving the actual address blank or as some invalid address. Then I would deposit the letter somewhere without a stamp and it would be sent across the country for free (but very slowly).
> Henderson-Spruce now faces federal charges of mail theft, which carries a maximum sentence of five years, and mail fraud, which can be up to 20.
While a lot of current government processes aren't secure, they come with pretty hefty penalties that dissuade most people from messing around with them.
> While a lot of current government processes aren't secure, they come with pretty hefty penalties that dissuade most people from messing around with them.
Do they actually investigate mail theft if it isn't at a huge scale like this? Someone got a hold of the USPS skeleton keys in our medium sized city (Oakland) and has raided the mail in our building multiple times, and we have them clearly on video for the multiple break ins, and the postal inspector in charge of the case just kind of shrugged it off as no big deal.
Postal investigators have a reputation for taking any violation of the mail system extremely seriously. It seems like yours in Oakland is breaking the stereotype. Have you reached out to his higher ups?
Same with banks/credit card companies. Credit cards are hilariously insecure, but you'll get sued/prosecuted out the wazoo if you steal someone's info and make fraudulent charges.
I would hope so but I'm not 100% sure - the reason is because I've had a credit card used fraudulently in the past and I got a notification about it very quickly so could alert the bank and merchants - but the things they bought would be so easy to track to someone - e.g. Pizza delivered, online clothing sent to a house.
Pizza delivery was probably done to check if the card works and also throw the trail off, and the online clothing sent to a house was probably a shipping drop.
If I had forwarded Company X's mail to my house, I might be able to argue that I thought it was just a prank, and planned to contact their legal team about it (and give them the (sealed) mail). That is still probably illegal, but it's believable that someone might not realize that.
If I start opening the mail and cashing the checks? WTF, I don't see how anyone could confuse that for ethical or legal behavior.
As an American entrepreneur, he could have protected this revenue stream with a consulting agreement with Essential Consultants LLC. Currently this government program is in a closed beta, AFAIK.
Somewhat related to this, you can submit an "informed delivery" for any address; and they will send you photos of every piece of mail being sent to that address. For free!
I found this out on accident when I forwarded my mail somewhere else while I was traveling and they prompted me to sign up. I immediately started receiving emails with photos of all the mail going to this address.
I signed up for it for my apartment... and started getting e-mails with images of the envelope for every single piece of mail for every resident of the whole building to me.
Huge privacy fail. (And yes, the USPS knows about each individual apartment, delivering mail into a separate USPS box per apartment...)
This also helps if you worry about the "postman who stops delivering most mail" kind of problem. Not that I've ever had an issue. I mostly use it as a "you should actually go pick up your mail today, there's something worth getting in it for a change" reminder.
There is essentially none. You could write a check out to "Mickey Mouse" and deposit it into your bank account and I doubt anyone would notice.
If there is any verification, it occurs after the fact when someone complains that a payment got lost. Then the banks start looking to see what happened.
I once received a check to “The Estate Of <<my father>>”. I tried depositing it into a regular joint bank account that was under my name and my father’s name, and they rejected it and said I needed to open an account explicitly under my father’s estate, since you can’t deposit a check to “The Estate Of...” to an account under the name of the deceased. I did the paperwork (my state allows you to file a Small Estate Affidavit in lieu of going through probate in some cases, mine included) and deposited the check.
Then I receive another check to “The Estate Of...” and take that to the bank, and they deposit it into the wrong account. Words cannot adequately express how I felt about this...
You would normally think so, but they (the banks) likely have a different viewpoint. They could either, for deposits into accounts in the bank:
1) slow down every deposit by an order of magnitude or more in order to perform careful identity verification, when the vast majority are correct and honest
or
2) expend effort, afterward, cleaning up the very few that are doing something illegal using the records they keep on what happened, and the fact that they can simply reverse the transactions when they do find something amiss.
For them, the cost of #2 is likely still lower than the costs of #1.
Now, the situation is different if you go in with a check and try to negotiate it for cash in hand right then and there. They will do the full identity verification at that time, massively slowing down your one-time action of converting a check into US Dollars in your pocket. This of course makes sense, there is no way to reverse a transaction that involves handing someone a stack of fifty dollar bills that they stick in their pocket. But in this case, just the one individual that did need to be triple checked before the action completed had their time extended by the verification process.
To request a new social security card online, it takes your credit report information.
Thanks, Equifax data breach.
Good news: the SSA will only send your new card to your current address as reported in your credit report.
Thanks, USPS.
So, in summary, sounds like getting someone else’s social security card is pretty easy. Admittedly there’ll be a nifty paper trail, but I’m sure that’s solvable too.
I've had a similar issue where a stranger put a hold on the mail to my house. Took me a while to figure out, and I'm still not sure why it happened. If I had been expecting critical mail such as bills, things could have gone worse than they did. Fortunately it just delayed some packages and spam.
About 20 years ago I had the bright idea of saving trips to the pharmacy by having them mail me my medicine. After it was a week late, I noticed that I hadn't been getting any other mail for a week, either. I went to the post office and learned that my mail was on a vacation hold. Another tenant living in my small building had filed a legitimate hold, and the P.O. decided that it applied to the whole building, instead of just his unit. That was the last time I entrusted anything important to the USPS.
A lot of government services have no security. Most of the time they require you to mail things in and rely on the fact that it's a federal felony of mail fraud if you attempt to game them.
I see a small business opportunity here offering a service of sending weekly letters to a person's postal address just so they can be assured that their address hasn't been changed.
You just take it to the bank. One time my friend wrote the amount in the name field and the name in the amount field and they still cashed it. They did contact me about a week later, but by that time I could have just walked away with the cash.
He probably just put it in the ATM, deposited it to his account. Eventually someone will notice, of course... but it will take weeks, longer than it takes for him to cash out his accounts.
If you are depositing into your own account you could even take it to a human teller and likely get it deposited without so much as a raised eyebrow.
Of course, depositing it into your own account creates a "paper trail" that will eventually lead to some law enforcement officer discussing your activities with you at some time in the future.
The unionized idiots that allowed this should also be investigated. I'm a little surprised this -could- be pulled off, I think it'd be worthwhile to check for inside help.
Then again, maybe the USPS is, in fact, just that incompetent.