I’ve written lots of blog posts about electronic data breaches and identity theft over the Internet. I even published a book about how a data breach might unfold, and another one about what might happen if a nation-state really does get serious about attacking the United States over the Internet. But for anyone looking for an easy way to steal somebody’s identity, here’s a retro way to do it, with a modern twist.
The picture at the top of this post is a USPS change-of-address packet. It’s filled with ads and one form. Here is a closeup of the form.
The form asks for a name, old address, and new address. Fill it out, mail it in, and the USPS conveniently forwards all your mail to the new address.
Let’s say I want to steal from, say, John Smith, who lives in Houston, Texas. I can walk into a post office in, say, Newport, Minnesota, fill out the form, put a stamp on it, and give it to the guy behind the counter. That’s it. A few days later, mail for John Smith starts coming to me.
It really is that easy. It happened to my friend, Ann and her husband. Here is her story.
This gets better. When the credit card companies find out about John’s new address, they’ll start sending mailings to me. Paper statements have complete account numbers, which means I’ll own John’s credit card numbers. If I want John’s online banking password, I can call the bank, give them John’s new address, and maybe persuade them to reset his password. Or, maybe in a twist of irony, I’ll tell them John is a fraud victim and persuade them to cancel John’s old credit card and send a new one to me.
But relying on my social engineering skills to manipulate a telephone banker into giving me access to John’s information is risky. I have John’s address; now I need something John knows. His Social Security Number would be helpful. I’ve heard there are underground markets where I can buy Social Security Numbers, but I’m not sure where to find the best deals. No problem. Here’s the About page of a website named DeepDotWeb with lists of marketplaces, convenient category ratings, and all kinds of helpful consumer information. They’re even recruiting writers. Maybe I should sign up.
[Update from May 20, 2019. Law enforcement took down that DeepDotWeb site last week and arrested its operators. Collaboration works. Score one for the good guys. Here’s a Wired Magazine article with more.]
And what weapons does John have to fight back? The US Post Office will send a notice to John’s old address about his new address. Yep. Thanks to the USPS, stealing somebody’s identity is as easy as filling out a form.
Sooner or later, of course, the real John will find out somebody at my address stole his identity. But by then, it will be too late. I’ll live like a king for a few weeks and ruin John’s credit before robbing my next victim. Maybe I’ll use DeepDotWeb to find another marketplace and sell John’s Social Security number.
Who said crime doesn’t pay?
By the way, please don’t complain about publicizing a site like DeepDotWeb. If I could find it with a half-hour of Google searches, so can anyone else. Bad guys collaborate in underground forums all day long. Good guys won’t win by isolating ourselves from information.
Outraged? I know I am.
This should be easy to fix. When I change my US Mail address in person, I have to visit a post office and pick up the form. Why not fill out the form right there and give it to somebody behind the counter, along with my ID? At least I have to go the trouble of getting a fake ID that way. Why does the Post Office want me to mail it in later with no proof I am who I say I am?
Maybe it’s time to make noise with our government officials. I found a contact link for the Postal Regulatory Commission. Maybe if several thousand people submit complaints, maybe they’ll get somebody’s attention. Or maybe they’ll disappear into a bureaucratic black hole.
Nah. Forget all that. I want to get rich quick. My name is Donald J. Trump. My old address is 1600 Pennsylvania Avenue, Washington D.C. My new address is P.O. Box 111, Newport, MN., where I really did spend $15 in March, 2018, to rent a post office box for three months with no ID required.
For a dozen or so of Greg’s cybersecurity tips delivered to your inbox every-other-day, opt in right here.
You missed one little fact. Since the mail for John Smith is being forwarded, when the post office sends the address change notice to the old address, it gets forwarded to the new address so John is completely oblivious. Something else, why would you fill this out by hand and go to the post office when you can do it right from their website? You do need a credit card (note that it doesn’t have to be yours) to pay the $1 fee. It is cheaper than driving to the post office. I have been changing my address this way for years and appreciate the convenience. I am sure not giving them any NPI with which to verify my identity. Here’s the thing, if you don’t get any mail for a few days, wouldn’t you ask the post office what is up? I have never gone more than a day in my adult life without receiving some mail and this would immediately set off red flags as it should for anyone. So I am not particularly outraged by this item. I think if they had the information stored to verify my identity it would be more vulnerable. This isn’t much different than someone going directly to your mailbox and stealing mail. That was the original id theft methodology. There are much easier ways than capturing physical mail now.
In Ann’s case, somebody hundreds of miles away physically walked into a post office and filled out the change of address form on the spot. And then camped out at the new address to grab Ann’s mail, including paper credit card and bank statements. It took a few days for Ann and her husband to catch on, and by then, somebody had already tried to open different credit card accounts in her husband’s name. And even after they straightened it out at the post office, credit card companies and others *still* sent paper mail to bogus address instead of the correct one.
If you want to change your own address – sure – go online and take care of it. But if you want to change somebody else’s address, just impersonate them on the other side of the country. By the time all the law enforcement agencies coordinate themselves, you’ll be long gone.
Or maybe you just really want to mess with someone. And assuming you have the technical skill, there are countless ways to do that by stealing someone’s identity.