by marme 2958 days ago
The change of address form at USPS is laughably insecure. All it takes is $1 and anyone can write any address and forward all the mail for 1 year to any other address. There is no verification of ID and the only warning you get is a post card at the original address telling you the mail is being forwarded, but by then it is already too late as mail is already being routed to the new address. Even if you called immediately to stop it, some of your mail would end up at the new address.

Postal mail is insecure yet companies and services like to rely on it as the authoritative form of notice and communication. That and also giving out info over the telephone.

On one hand we have PCI-compliance, SSL encryption, and on the other hand we have a phone call (unencrypted, easily tappable anywhere along the thousands of miles of wire) where companies expect to call me and assume it's secure enough for me to 1) know that it's definitively them and 2) not have some support agent steal my credit card information/private information.

> Postal mail is insecure yet companies and services like to rely on it as the authoritative form of notice and communication.

From another perspective though - while not "secure against manipulation", at least postal mail has federal laws with serious punitive remedies, and investigators who seem to genuinely be committed to enforcing those laws and chasing the penalties.

Most things in the real world are not "4096 bit cryptographically secured, guaranteed unbreakable before the heat death of the universe", instead they're "secured by people with guns, courts, and jails who are society's deterrence against smashing fragile windows, picking flimsy locks, and fraudulently filling out paperwork".

It _mostly_ works.

And in some ways, the "fiction of security backed by laws with teeth" works _better_. I locked myself out of my apartment recently, and my friend with my spare keys was on a trip ~800km away. So I called a locksmith, who got through the two locks on my front door in ~90 seconds. I'm _very_ glad he could, even though the tool he used is easily available on AliExpress for ~$25...

> investigators who seem to genuinely be committed to enforcing those laws and chasing the penalties.

There are some pretty incredible stories about the USPIS.

https://en.wikipedia.org/wiki/United_States_Postal_Inspectio...

They also have a pretty incredible TV show https://www.youtube.com/watch?v=21G3vCXOIAc
Could you post a link to such a story? I'd love to read about it. Unfortunately the wikipedia article doesn't seem to have many leads for me just yet.
A short story about the USPIS:

I was downloading Postal Service mp3s from Kazaa and ended up downloading some USPS disciplinary reports by accident. I shared them with a friend because I thought they were funny, and he posted excerpts on a message board. From there it somehow got to the USPIS who tracked down my friend’s cell phone #. I eventually agreed to meet, so the inspector flew out from DC and met us at a diner in Santa Cruz. He showed us his badge and went over how I ended up with the files. The whole thing was sort of bizarre, but he was pretty friendly and seemed more interested in figuring out how the files got out than throwing the book at me or my friend.

Wow they flew across country to discuss over dinner something they could have just emailed/phoned about? They really do have a pretty boring job.
>at least postal mail has federal laws with serious punitive remedies

ACH is also laughably insecure, the only thing standing between it and total chaos is federal prison.

Sure, whatever you say. One of my bitcoin-addled friends loves to claim this. I left $1000 in an account and gave him the routing and account numbers and welcomed him to take it. He couldn't do it.
Then he was not very clever. Account + routing number can be used to make a payment to any merchant that accepts ACH payments. At the very least he should have been able to pay his credit card or utilities with it, without any technical knowledge at all.

If you have a merchant account, you can take direct debits from an account using those numbers. Getting a merchant account underwritten for yourself can take less than a day, and the verification process isn’t all that robust.

Account numbers are essentially more valuable than credit card numbers. Except credit card numbers are at least supposed to be protected by a rather decent security standard. With ACH there is no such standard, you can handle account numbers any way you please, and many merchants do so very poorly. Also, the account number is written on checks that you literally hand out to people, which is pretty much the worst thing you could do with a credit card number.

Your anecdote is meaningless. Any individual can easily commit fraud with an account number, and if they put a small amount of effort into it, they could do it on a very large scale. There is no security standard that protects ACH data, only a short set of regulations that describe how committing fraud will send you directly to prison.
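
The contrast drawn above between PCI-governed card numbers and unregulated ACH data is one a merchant can act on even without a mandated standard. The following is an added example, not code posted by anyone in this thread: it applies the PCI-style handling rules for card numbers (store a keyed token plus the last four digits, never the full number; scrub numbers from anything that goes to logs) to routing/account pairs. The key name TOKEN_KEY, the StoredAccount record and the sample account numbers are assumptions constructed for illustration; the routing number used does not belong to any real institution.

```python
"""Handling ACH routing/account numbers the way PCI DSS handles card numbers.

Added example, not code from the thread. Assumes a server-side secret
TOKEN_KEY that is kept outside the application database (KMS or HSM).
All account numbers below are constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Assumption: in production this key comes from a KMS/HSM, never from source.
TOKEN_KEY = b"example-key-rotate-me"


@dataclass(frozen=True)
class StoredAccount:
    routing: str  # routing numbers are public identifiers, kept in clear
    last4: str    # display-only fragment, like the last four of a PAN
    token: str    # keyed hash of routing+account: good for matching, useless for debits


def tokenize(routing: str, account: str, key: bytes = TOKEN_KEY) -> StoredAccount:
    """Reduce a routing/account pair to what the merchant actually needs to keep."""
    routing, account = routing.strip(), account.strip()
    if not re.fullmatch(r"\d{9}", routing) or not re.fullmatch(r"\d{4,17}", account):
        raise ValueError("malformed routing/account number")
    # A keyed hash is required here: account numbers are short digit strings,
    # so an unkeyed SHA-256 of them could be reversed by brute force.
    mac = hmac.new(key, f"{routing}:{account}".encode(), hashlib.sha256).hexdigest()
    return StoredAccount(routing=routing, last4=account[-4:], token=mac)


def matches(stored: StoredAccount, routing: str, account: str,
            key: bytes = TOKEN_KEY) -> bool:
    """Check a freshly supplied pair against a stored token without storing the pair."""
    candidate = tokenize(routing, account, key)
    # constant-time compare so the token check itself does not leak anything
    return hmac.compare_digest(stored.token, candidate.token)


# routing number, a separator, then an account number, with digit boundaries
_ACCOUNT_PAIR = re.compile(r"(?<!\d)(\d{9})[ :/-](\d{4,17})(?!\d)")


def redact(line: str) -> str:
    """Mask routing/account pairs in free text before it is written to a log."""
    return _ACCOUNT_PAIR.sub(lambda m: f"{m.group(1)}:****{m.group(2)[-4:]}", line)


if __name__ == "__main__":
    rec = tokenize("123456789", "000123456789")   # constructed sample pair
    print(rec)
    print(matches(rec, "123456789", "000123456789"))
    print(redact("debit 123456789:000123456789 for $40"))
```

The design choice worth noting is the HMAC rather than a plain hash: with only ten to seventeen digits of input, an unkeyed digest of an account number is effectively the account number, so the token only provides protection if the key lives somewhere the database dump does not. Redaction runs on the log line, not on the structured record, because the number most often leaks through a message someone formatted by hand.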

What tool did he use? Bump keys? A raker?
I do a bit of lockpicking as a hobby and often carry lockpicks because they've come in handy several times when people lost keys, etc....

Most door locks and deadbolts in the US will fall to rakes in a minute or less. I've found the Southord L-rake and Pagoda to be pretty effective. These can be had in basic versions without much of a handle from southord.com for $1.65. (A tension tool is also required; it's pretty much just a bent piece of steel).

It looks like it's called a "lock gun", that's what I found them called when I went looking for one on Ali Express. Just a little plastic pistol-grip handled tool that he selected a metal blade on and stuck it in the keyway and pulled the trigger as he wriggled it around and twisted it. The first lock took him 2 tries at the right blade and took him a minute or so, then the second lock he got the right blade first try and was in in under 30 secs...

I kinda knew "ordinary domestic locks" weren't very secure against skilled lockpickers, and I don't know if there's some hidden technique required to use those things - but I was astounded and dismayed at how quickly my two different locks fell to such an easily available tool...

It's not like the system he was cracking was very secure. It has to be regularly openable with just a piece of metal, with tolerances so that when your key teeth wear down over the years it still works.
A pin/tumbler lock can be made considerably more secure against the attacks that work very quickly than most of the ones found on houses in the US actually are. Simply using security pins will significantly reduce the effectiveness of lockpick guns, rakes and bump keys.

In short, standard pins in locks only have one place they're likely to stick when manipulated under tension: the shear line that allows the lock to open. Security pins have additional grooves machined into them that will make the pin stick at points that do not result in the lock opening. It's still possible to pick locks that have them, but it often needs to be done one pin at a time, which is usually slower and tends to require more skill.

This drives me mad. My health insurance company tries to call me on a regular basis, but because they have to verify they’re speaking with me for HIPAA, they ask for the last 4 of my social.

To which I reply “You called me. I don’t know that you are who you say you are. I’m not giving you anything.” And hang up. What moron thought this was a good idea?

The first time my insurance company did this to me, the woman who called me (from a random phone number that didn't belong to the insurance company) sounded confused about why I wasn't going to give some random person my PII. When I called their 800 number, I was on hold for 20 minutes before they finally tracked down the entry in my account explaining why they had called.

Apparently, every time I order medical supplies they call me to tell me that they've sent a Very Important Letter, but they can't say what it is. When it arrives the next day, it informs me that they've approved my request for the supplies, which by this point have already arrived a week and a half ago.

It's gotten to the point where the calls now go like this:

    Them: Hi, this is [insurance company], can I have your date of birth please?
    Me: Is this about the letter you've sent?
    Them: ...Yes?
    Me: OK, I'll keep an eye out.
    Them: Erm... right. Have a nice day!
I have no idea what the moral of this story is.
This is so awful. I once got randomly selected to be a survey participant by a government agency while I was building a path. It was on the effect on my life of an earthquake thousands of kilometres away (there wasn’t any). They claimed I was legally obliged to participate or would be prosecuted. ID was produced etc. He sat and fired random questions at me while I broke concrete with a sledgehammer for an hour. I’d give the shortest possible answer, because I was breathless and the time between swings wasn’t long. Then they did follow up calls once every week for a year at the same time each week. These were never answered and the messages were not returned. I have no idea why your story reminded me of this, but it triggered the same rage centre.
Unless that was the census I would be extremely dubious of "you must take this survey or go to jail, trust me I'm from the government".
It was The Ministry of Statistics census people doing some work post the Christchurch earthquake.
It's because tech has a long tail. You have to remember that there are people who still aren't online, who are technologically illiterate, who don't use email or secure messaging etc. A lot of regulated companies (especially health care entities) are MANDATED to send and receive stuff insecurely so they can make sure that Jane Doe grandma in rural Wyoming actually gets the correspondence.
Just the last four? You're lucky.

One time my own bank scammed me into giving them my full seven digit SSN over the phone when they called me. And all they had to do was ask me for it!

The worst part was that I fell for it. Of course, no harm done, because it really was my bank, but what an idiot I was.

At least I knew better when the Windows Support people started calling me a year later!

I've run into the opposite situation making me hesitant to trust legitimate correspondence with my own banks. The past few times I had to take care of something over the phone, they did not ask for anything that could reasonably confirm my identity or account. One bank only asked for the last four digits of my account number. When I called another bank in response to an email alert about a fraudulent transaction, the representative asked for a phone number to text a verification code that I had to repeat back to them ("You want me to give you a ten-digit number?" "Yes"). Looking back on it, the first bank may have figured that few people will ever have the same account status problem at the same time and would ask for more information in the event of a collision, and the second one may have required me to name one of the phone numbers they already had on file (I'm used to representatives telling me a few digits of the number they're going to text based on what they have on file). But without knowing the entire workflow ahead of time, it seemed just as likely that this was a bunch of meaningless ceremony meant to give the appearance of bank-scale IT infrastructure in action so that I'd feel more comfortable revealing sensitive information later.
7 digits? It’s 3+2+4=9 digits in the US.
Thus proving that I can't count past seven!

You've seen off by one errors, this is twice as bad.

Would have been funnier if you said "thrice"
My credit union’s fraud department contact information isn’t listed on their website and they called me several times before I finally called the main switchboard and had someone patch me through. No I’m not giving my account information to someone who called me.

You’re the fraud prevention department for chrissakes. Act like you’re preventing fraud, not participating.

That's why I was pleasantly surprised recently when my bank called me about some fraudulent transactions, and the entirety of the conversation was: "Do you recognise this transaction?" "No" "OK, your card has been blocked and a new one is on its way".

Even if it had been a fraudulent call, they weren't asking for anything (so I didn't have to bother verifying it was legitimate), and even if they got the wrong person there is limited damage they could do.

What if they got the person who just redirected your mail to their own address?
I'd notice there was a problem when I stopped receiving mail and my current card stopped working. Even then, even if they DID get the new card, I could report any subsequent transactions as fraudulent (honestly, my mail being redirected would be a much bigger issue to me than someone having access to my card, so that doesn't add much to the attack potential).

Also, at some point, it becomes infeasible enough (that someone would have redirected my mail, hijacked my phone number or managed to change it with the bank, triggered a call from my bank, and managed to line them all up so I hadn't noticed there was a problem) and more trouble than it's worth to be worried about it happening.

You would probably notice when your card suddenly stopped working.
And let's not even get started about using the SSN as a form of ID.
A while back, Anthem Blue Cross' automated phone number was flagged as "Scam Likely" by T-Mobile Scam ID. Can't blame me for ignoring those calls.
I can kind of see how it happened though. People want their data protected so they pass laws that you have to check who it is and not someone else in the building who happened to pick up the phone.
I'm on a homeowners' board with a woman who is a paralegal for her brother's law firm and it amazes me how much stuff they do that they think is either secure or provides some sort of authentication (in the meat world). Kind of annoying when they want to go through all sorts of rigmarole when it doesn't actually provide the features they think.
I was recently meeting with the Head of Security for a large firm. He had a pretty decent explanation of the process to implementing security that I thought was very apt. The way he put it, there are two overarching milestones, “liability” and “actually secure”. “Liability” is where you have checked all the right boxes to be able to aptly defend yourself in court and is the achievable goal. “Actually secure” is the pipe dream you will always strive for, but never obtain.
In college I had a Prof who was a leader in network technology and was hired as an expert witness for the RIAA trials for people getting busted illegally downloading music and movies. I lost all respect for him when he was working a case where an elderly lady had an open wifi connection on her home router. He never brought up the fact that it's not possible to know what was going on behind the NAT wall and that because her wifi had no encryption anyone driving by could use it.

Now that I'm older it worries me that it is very possible to go to court and be on the right side and have a judge and jury who cannot comprehend these basic concepts. I've had bosses who work in software / hardware industry not understand concepts, God forbid I ever have to defend myself in a public forum.

The legal world is not designed for security or to be efficient

it is designed to be as convoluted as possible to

a) increase billable hours

b) create loopholes big enough to drive a truck through that the $$$$$ lawyers can exploit for their clients

Well our issues are more about things like sending someone a letter, proving they got it and that the person receiving it is the person we wanted to send it to. Even with a certified letter none of those features are actually possible with the current USPS, at least not in any real meaningful way. And don't even get me started on their use of received receipts in email.

But like you said, it's all about screwing the system and I'm sure a judge would not understand any of these concepts regardless of how simple someone would make them.

We have "secure mail" here in Australia, where you have to go to the post office to pick it up.

It's actually incredibly annoying, my rental contract was sent via this method, so I have to go to the post office to pick it up, despite the fact that I actually live closer to the real estate agents office.

Why they couldn't just email it to me, I'm not entirely sure.

We have this in the US as well, "Registered Mail". It's only used for things that are very sensitive/important since it's a huge pain in the butt, both sender and recipient require verification of identity.
“Registered Mail” in the US does not require any form of verification of identity. All it does is provide extra insurance and delivery confirmation. “Certified Mail” doesn’t require identity verification either, so I’m not sure what service you are thinking of, but I’m near positive nothing of that sort exists with USPS.

https://www.usps.com/ship/insurance-extra-services.htm

From your link:

Restricted Delivery

Specify the person who can sign for and receive your item. Must be purchased in combination with another extra service as follows: Certified Mail, COD, Insured Mail (over $500), Registered Mail, or Signature Confirmation.

Restricted delivery doesn’t do identity verification. I can say I’m John Doe and sign as John Doe and receive the package (I’ve received restricted delivery packages before and the carrier in multiple different states never asked for ID). I’ve also sent restricted delivery mail before and never had my identity checked as OP claimed.

Edit: Per Stamps.com [0], the USPS “may” require ID on delivery, but again, in my experience, I’ve never been asked once.

[0] https://stamps.custhelp.com/app/answers/detail/a_id/157/~/re...

With old, physical systems, a bad person can easily mess with a single person to a few people. With new digital systems the bar is very high, most people are stumped. But when you do get over the bar, then you can mess with hundreds of millions of people.
Authoritative notice via postal mail is done by certified letter. That is trackable and much more reliable than the regular postal mail.

In my neighborhood I routinely get mail that is meant for my neighbors, and they get mine. I don't know if it's a sorting problem at the central office or driver incompetence but regular postal mail is absolutely not reliable.

>companies and services like to rely on it

And governments!

There's a new feature they just rolled out that emails you images of the mail whenever it comes. Just as little security. You can spy on someone's mail indefinitely and they'd be none the wiser.
My favorite part of this feature is that I now get to see images of junk mail before it is delivered to my mailbox. Too bad the USPS is so serious about maintaining their leadership as the 'leading deliverer of junk mail' to offer a way for recipients to reject it since they can literally see it in transit.
The most offensive part is that you can't unsubscribe from bulk mailings. It's like the USPS turned into the govt in Snow Crash.
If you could reject junk mail, junk mail senders wouldn't pay to, well, send it. And the USPS would lose a lot of money.

Imagine how terrible GMail's spam filters would be if spammers paid Google for delivery... Oh wait, Google literally has a dedicated tab for that! For those that find it useful (and I don't doubt it is), imagine what the alternative would be for the spammers, you'd be 100% ignoring it by unsubscribing or filtering it as spam. Now that it's corralled off, you can look at it at your leisure, and Google can keep advertisers happy by offering them a non-zero chance you'll look at their spam.

But promotions is something completely different from spam. Almost every single email you get there, you subscribed to or didn't opt-out of. And if you don't have an unsubscribe link in those emails, you can still create a manual filter to auto-delete them. And those senders don't pay Google to end up in promotions anyway.
Not to mention emails don't require killing trees and burning fossil fuels to get there.
Energy is still required to transmit those (e-mail) bits.
How about I get first right of refusal to outbid the spammer?

I mean, ok so USPS is getting $5/mo for my address from a dozen companies. Can I just pay them that $5? Not today.

I'd be happy to open the discussion on opting out of the junk mail without going to a costly service like earth-class mail.

It does seem really weird that somehow a business relationship between spam companies and the United States postal service means that I have to be responsible for recycling a bunch of garbage.

Once it's in my mailbox, what can I do, drop it on the ground? That's littering and a crime. Leave it in my mailbox? I tried that and the mailman eventually stuck a Post-It note on my box saying I wasn't allowed to do that.

So I'm in some sort of weird uncontracted relationship wherein I must ferry a bunch of paper from my box to the recycling bin.

> Leave it in my mailbox?

I tried this with a twist, I wrote "return to sender" on it. Mail(wo)man also said "you cannot do this."

Have you tried marking the spam "return to sender" and dropping it in a public postal box?
> Leave it in my mailbox?

I used to do that until the mailman decided I didn't live here anymore...twice.

Now I apparently don't have a mailing address, though the only bill I could never successfully get converted to all-electronic (not from lack of trying) is the power company, which messes them up every so often, getting their bills returned every month.

It does seem like there is a procedure to refuse mail: http://refuseyourmail.cooperjr.name/how-to
I don't think there is any law requiring you to have a mailbox, if you don't want to receive mail?
Check out Traveling Mailbox. Same basic idea as Earth-class mail, but cheaper and targeted more towards individuals rather than businesses. I'm not affiliated, but a satisfied customer.
What's the biggest missing feature or "complaint" you have? I'm doing some research.
I need an address for creating an LLC in TX. Will that work?
I wish that for a variety of online activities, I could set a maximum bandwidth available for ads and have advertisers bid for it, to keep my system running fast. And in turn, Google (or others) could price its services based on how much bandwidth users put out for bid.

Edit: It should be obvious that you could do this with physical mail too.

Why would anyone set more than the minimum?
Yep. I get e-mail every few days with pictures of the mail headed for the people who now live in an apartment in another city I haven't lived in for close to 10 years.

I've tried to get it fixed online, but so far no results.

> The change of address form at USPS is laughably unsecure.

Well, yes, but it's insecure in the same way that the average bank branch is insecure:

- you're not going to get away with a lot (important stuff is sent using something more secure than first-class mail)

- you're automatically committing a felony

- your crime will automatically be investigated by federal law enforcement, not just the local donut patrol

Not for me! I switched to a mail forwarding service (US Global Mail of Houston, TX) many years ago. The benefits are many-fold:

- I no longer change my address when I move (my wife and I have lived in and flipped 10+ houses in 6 years)

- I get to view full color envelope scans of all my mail at any time and choose what to: fully scan, bundle and forward, or toss in the rubbish

- I got to sign off with notarized US Govt forms that I am "no longer a customer of the USPS"

- The only mail that arrives at my physical address is thus spam, and I toss all of it (I should rig a trash can to the bottom of the mailbox)

- The price point is well within reason
Perhaps move your mailbox to directly feed into your recycle can, with a transparent tube so the mailman can watch it go straight into the recycling!
I used Earth Class Mail for years while moving around for school and work. I even put my ECM address on my resume along with my phone number. As is typical of these services, among ECM's many customers were scam businesses. If you Googled the address of some fly-by-night company to get a phone number after being ripped-off or defrauded, my resume would be at the top of the search results, along with my phone number. I regularly received phone calls from upset and confused people. Fortunately it was easy to explain the mixup.
Hey awesome! I'm glad you like it. I built that whole system from about 100 customers. I don't work there anymore but I did really enjoy making that stuff work.
Thank you for your part of the product! It is good.
What's the form that says you're no longer a customer?
I once sent a friend a temp Gmail account login to read a doc. Next thing I know most Google apps on their phone are using that login. Search/video search/location history all available without their knowledge.
If there are shared computers in a workplace, it’s amazing how many people set up their personal email on the machines mail client. It’s mystifying how some of them do it and it seems to be accidental.
Sensitive mail such as ID and credit cards often will not follow address forwarding, for this reason. Was a huge PITA when I tried to renew my driver license while in college: I had to lift the forwarding setup from my parents’ house to get it to stop bouncing back to the DMV.
I just did this yesterday and it verified my credit card billing with either my previous or new address. Probably not that hard to pass that with a prepaid card.
It's only $1 to do it online. If you do it in person, it's free!
Yeah, and people can just open your mailbox and take your mail, so if people want it, they'll get it.

Of course, the penalties are pretty harsh, so most people don't bother.

Actually, if you fill out the form, you can mail it in or hand it to a postal clerk and skip the $1 fee. I recently had to change my P.O. Box address and could not do it online, because the credit card used for the $1 charge has to match the old address.
I'm always shocked that when I pause my mail when I go on vacation that there is no verification and I can do it for free.
I was struggling to think of a profitable, malicious use case for this but there is at least one: send someone like your landlord a check with insufficient funds in your account and put a hold on their mail, hoping they won't straighten it out until you get paid.
Landlords and vendors can do the same thing: Send you a notice of changes in terms to your contract, and then bill you and send you to collections before you have a chance to object. (Been there, done that, with a landlord who decided that "the apartment I previously rented from her" was my current official contact address. )
I think that you not getting your check to your landlord in time is still your fault, not theirs, even if it's lost or delayed in the mail.
No, because they won't get anyone's check, and then it's definitely their problem.
> and the only warning you get is a post card at the original address telling you the mail is being forwarded

Uh, I didn't get one of those a few years ago when I moved. After the move I mailed something to my old address to make sure it worked.

I have used this mail forwarding service thrice and every time I have wondered what prevents me from forwarding my annoying neighbors' mails to Denali National Park. The answer is, fear of jail time.