The life-upending flaw that USPS won’t fix

Sometime in November, someone walked into a U.S. post office and filled out a change of address form, just as tens of millions do each year to route their mail to a new address. The person signed the form, handed it in, and walked out. That was enough to set in motion a domino effect that upended the life of a former Microsoft executive several states away, as the person who signed the form effectively hijacked the executive’s home address in just a few minutes.

The fraud relies on a simple flaw in how the U.S. Postal Service processes changes of address. It’s neither new nor a particularly sophisticated technique, and has long been known to fraudsters and federal investigators. A fraudulently filed change of address form can have lasting fallout for the thousands of individuals whose mail is hijacked and rerouted every year, with criminals able to obtain bills, credit cards, and other sensitive information that can be used to raid bank accounts or make fraudulent purchases.

What is more baffling is that there seems to be an equally simple fix. But while USPS acknowledges there is a problem, it wouldn’t say how it plans to close the loophole that allows fraudsters to cash in on someone else’s identity.

The former Microsoft executive, who asked not to be named but agreed to tell his story to TechCrunch, is not naive to cybersecurity and privacy threats. But by his own admission, the former executive said he did not know it was so easy for someone to maliciously change his address without his consent, let alone open the doors for criminals to raid his accounts or potentially rack up thousands of dollars in fraudulent purchases. All of this, he says, is because of a simple paper form that gets handed back to the post office without much of a second thought.

USPS processed some 36 million changes of address in 2021. There are two ways to change an address. Most people fill out the form online by providing their old and new address, then pay $1.10 for the convenience of speed. The other way — still used by a significant minority of folks — is by filling out the paper form at a local USPS post office.

Neither online or paper form requires the person to present proof of their identity. The online form, at least, requires a small payment, which is by no means verification of a person’s identity, but it leaves a digital paper trail that makes it ultimately traceable to someone. But USPS relies almost entirely on the system trusting the person signing the paper form, whoever they might be.

After filling out this form, there are no guarantees that USPS will check the identity of the person submitting the change of address request. Image Credits: TechCrunch

The paper form is officially known as PS Form 3575. As bureaucratic as government paperwork goes, this form is both refreshingly simple and remarkably dull. You have to request the postcard-sized form at a USPS post office, which we did — for journalism! The person then fills it out with their name, old address, new address, and for how long they want to reroute their mail.

The last thing is to sign the form, and hand it back to a postal worker or drop it in the letter mail slot inside the post office. But besides a notice on the reverse side warning that filling out the form with false information could result in criminal charges (if caught), there are no guarantees that USPS will check the identity of the person submitting a paper change of address form. That is the simple flaw that fraudsters exploit in order to hijack home addresses, steal their credit cards, and wreak havoc on their bank accounts.

Once a form is handed in and processed, USPS sends out two letters, one letter to the old address and another to the new address, notifying the resident that the change of address went through. But these letters can, and are, easily missed, and the letters themselves do not require customer attention or interaction, only if the person wants to “view or cancel” an unauthorized change of address request.

Not only is this flaw not new, it’s widely documented. In a particularly comical case from 2017, an Atlanta resident was arrested for cashing checks that he had rerouted from the corporate headquarters of shipping giant UPS, resulting in literal bathtubs of mail piling up outside the hapless fraudster’s apartment. Yet, it still took nearly three months for UPS to notice that its mail wasn’t showing up.

A letter from one of the former executive’s banks, which he shared with TechCrunch, corroborates his account and confirmed that the bank made the address change in its systems “as a result of data received from the United States Postal Service (USPS) indicating that an address change had occurred.” Because USPS had accepted the fraudulent change of address made in the former executive’s name, USPS passed along the new address set by the fraudsters to countless other companies, including his banks. USPS has long sold change of address data to data brokers, which resell this information to anyone who wants to buy it, like financial institutions.

Luckily for him, he caught the fraud before the criminals could do irreversible damage, yet it still took weeks to return his accounts — and his home address — in order. But change of address fraud still affects thousands of people every year who don’t have the clout of a former technology executive to get their lives back to normal.

To understand how the U.S. postal service was reducing this kind of change of address fraud given that it remains an ongoing issue. TechCrunch asked USPS for comment.

USPS spokespeople Sue Brennan and Tatiana Roy declined to comment and referred our email to the U.S. Postal Inspection Service, or USPIS, the law enforcement arm of USPS, which provided TechCrunch with a boilerplate statement — some of which repeated itself — but did not say how the U.S. postal service planned to prevent change of address fraud. USPIS sent its response from a general unnamed email address, and repeatedly declined to provide a spokesperson’s name when asked by TechCrunch, despite being standard practice for reporters to ask. When reached by email, USPIS’ Ariana Ramirez also declined to provide the name of the department’s media spokesperson.

In its boilerplate statement USPIS said that, “as these situations arise, USPS reevaluates their internal controls to address security concerns,” without saying what those internal controls were, if any, nor if they implemented any changes. We asked again, but did not receive a response.

“Customers are encouraged to monitor the receipt of their mail, by retrieving it daily from their mailbox or through Informed Delivery online,” the statement added, referring to the online service that allows residents to preview their inbound USPS mail and packages. But while regularly checking your mailbox could help notice missing mail before it’s too late, this is by no means foolproof. That’s why fraudsters are still doing it.

Neither USPS or USPIS mentioned what seems like an obvious solution. If the online form requires a small payment to reduce the chance of fraud, why not check the person’s proof of identity when handing in the form in person?

It is not a novel idea. The independent watchdog that oversees the postal service, the USPS Office of Inspector General (or USPS OIG), has raised concerns about change of address fraud for years. USPS OIG said in its 2018 audit report, which it initiated based on concerns from lawmakers, news outlets, and customer complaints, that the postal service did not require customers to present a government form of identification, such as a passport or a driver’s license, for review when submitting a paper change of address form. The watchdog noted that several overseas postal services, notably Australia, Canada, and the United Kingdom, all require some form of identity check when manually submitting a change of address form, but that they also accept a range of documents for those who do not have a government-issued form of identification.

The USPS OIG was clear in its findings. “The lack of a national policy to support such an ID-requirement control may perpetuate additional fraudulent activities and harm the Postal Service’s brand as a trusted provider.”

Following the audit, USPS said it planned to implement government-issued identity checks for paper change of address forms by the end of March 2019.

USPS OIG spokesperson Bill Triplett told TechCrunch that USPS agreed with the inspector general’s findings of its 2018 audit report and the recommendations were closed in August 2019, indicating that the matter is resolved. The spokesperson said that USPS “provided documentation demonstrating sales associates require identification to process change of address requests in person.”

When asked about whether USPS enforces this policy: “The Postal Service would have the most up-to-date information on how they are enforcing their policies. Typically, once we close a recommendation based on supporting documentation provided by the Postal Service, we do not complete follow-up work to check whether they continue to implement it,” the spokesperson said.

USPS OIG said it would “consider auditing this topic in the future.”

To say the quiet part out loud, USPS is not adequately enforcing its own policy on identity checks when someone files a paper change of address form. USPS has yet to comment or identify any efforts where it is trying to reduce this kind of fraud.

This isn’t just the case of one former Microsoft executive who got unlucky and fell through the cracks. Seattle-based KIRO 7 News covered this story just six months ago and reached the same conclusions. After reporting on a local family that had faced this issue on two separate occasions, USPS dismissed the family’s ordeal by claiming that identity theft “can’t happen” through change of address fraud.

“But that doesn’t account for someone not asking for ID at the counter,” KIRO 7 News wrote, pointing directly to the flaw in the system.

An identity check need not rely on some grand database of information or keeping a ledger of records for decades to come. It should not require more than a person simply showing a postal worker their proof of identity, or similar documentation, as they hand in the form, just as postal systems do in other countries. Check their name, and nothing more. And while no system is ever perfect, a brief glance at a person’s ID or documents would make it significantly more difficult to change someone’s address without their permission.

Otherwise, there is little anyone can do to prevent this kind of fraud without some level of constant vigilance. But at some point, it shouldn’t be the responsibility of the consumer, when the USPS could enforce the solution it allegedly fixed four years ago.

“For elections, for financial issues, everybody’s relying on the Post Office,” the former executive told me. Yet for a simple but devastating flaw with an equally simple fix, he said he could not understand why the USPS is “not doing anything.”

Get in touch with the security desk on Signal and WhatsApp at +1 646-755-8849 or by email. You can also tip us stories or securely share documents via SecureDrop.

The life-upending flaw that USPS won’t fix by Zack Whittaker originally published on TechCrunch