Select Page

I’ve written lots of blog posts about electronic data breaches and identity theft over the Internet. I even published a book about how a data breach might unfold, and another one about what might happen if a nation-state really does get serious about attacking the United States over the Internet. But for anyone looking for an easy way to steal somebody’s identity, here’s a retro way to do it, with a modern twist.

The picture at the top of this post is a USPS change-of-address packet. It’s filled with ads and one form. Here is a closeup of the form.

The form asks for a name, old address, and new address. Fill it out, mail it in, and the USPS conveniently forwards all your mail to the new address.

Let’s say I want to steal from, say, John Smith, who lives in Houston, Texas. I can walk into a post office in, say, Newport, Minnesota, fill out the form, put a stamp on it, and give it to the guy behind the counter. That’s it. A few days later, mail for John Smith starts coming to me.

It really is that easy. It happened to my friend, Ann and her husband. Here is her story.

This gets better. When the credit card companies find out about John’s new address, they’ll start sending mailings to me. Paper statements have complete account numbers, which means I’ll own John’s credit card numbers. If I want John’s online banking password, I can call the bank, give them John’s new address, and maybe persuade them to reset his password. Or, maybe in a twist of irony, I’ll tell them John is a fraud victim and persuade them to cancel John’s old credit card and send a new one to me.

But relying on my social engineering skills to manipulate a telephone banker into giving me access to John’s information is risky. I have John’s address; now I need something John knows. His Social Security Number would be helpful. I’ve heard there are underground markets where I can buy Social Security Numbers, but I’m not sure where to find the best deals. No problem. Here’s the About page of a website named DeepDotWeb with lists of marketplaces, convenient category ratings, and all kinds of helpful consumer information. They’re even recruiting writers. Maybe I should sign up.

[Update from May 20, 2019. Law enforcement took down that DeepDotWeb site last week and arrested its operators. Collaboration works. Score one for the good guys. Here’s a Wired Magazine article with more.]

And what weapons does John have to fight back? The US Post Office will send a notice to John’s old address about his new address. Yep. Thanks to the USPS, stealing somebody’s identity is as easy as filling out a form.

Sooner or later, of course, the real John will find out somebody at my address stole his identity. But by then, it will be too late. I’ll live like a king for a few weeks and ruin John’s credit before robbing my next victim. Maybe I’ll use DeepDotWeb to find another marketplace and sell John’s Social Security number.

Who said crime doesn’t pay?

By the way, please don’t complain about publicizing a site like DeepDotWeb. If I could find it with a half-hour of Google searches, so can anyone else. Bad guys collaborate in underground forums all day long. Good guys won’t win by isolating ourselves from information.

Outraged? I know I am.

This should be easy to fix. When I change my US Mail address in person, I have to visit a post office and pick up the form. Why not fill out the form right there and give it to somebody behind the counter, along with my ID? At least I have to go the trouble of getting a fake ID that way. Why does the Post Office want me to mail it in later with no proof I am who I say I am?

Maybe it’s time to make noise with our government officials. I found a contact link for the Postal Regulatory Commission. Maybe if several thousand people submit complaints, maybe they’ll get somebody’s attention.  Or maybe they’ll disappear into a bureaucratic black hole.

Nah. Forget all that. I want to get rich quick. My name is Donald J. Trump. My old address is 1600 Pennsylvania Avenue, Washington D.C.  My new address is P.O. Box 111, Newport, MN., where I really did spend $15 in March, 2018, to rent a post office box for three months with no ID required.

For a dozen or so of Greg’s cybersecurity tips delivered to your inbox every-other-day, opt in right here.