by chrischen 2960 days ago
Postal mail is insecure yet companies and services like to rely on it as the authoritative form of notice and communication. That and also giving out info over the telephone.

On one hand we have PCI-compliance, SSL encryption, and on the other hand we have a phone call (unencrypted, easily tappable anywhere along the thousands of miles of wire) where companies expect to call me and assume it's secure enough for me to 1) know that it's definitively them and 2) not have some support agent steal my credit card information/private information.

7 comments

> Postal mail is insecure yet companies and services like to rely on it as the authoritative form of notice and communication.

From another perspective though - while not "secure against manipulation", at least postal mail has federal laws with serious punitive remedies, and investigators who seem to genuinely be committed to enforcing those laws and chasing the penalties.

Most things in the real world are not "4096 bit cryptographically secured, guaranteed unbreakable before the heat death of the universe", instead they're "secured by people with guns, courts, and jails who are society's deterrence against smashing fragile windows, picking flimsy locks, and fraudulently filling out paperwork".

It _mostly_ works.

And in some ways, the "fiction of security backed by laws with teeth" works _better_. I locked myself out of my apartment recently, and my friend with my spare keys was on a trip ~800km away. So I called a locksmith, who got through the two locks on my front door in ~90 seconds. I'm _very_ glad he could, even though the tool he used is easily available on AliExpress for ~$25...

> investigators who seem to genuinely be committed to enforcing those laws and chasing the penalties.

There are some pretty incredible stories about the USPIS.

https://en.wikipedia.org/wiki/United_States_Postal_Inspectio...

They also have a pretty incredible TV show https://www.youtube.com/watch?v=21G3vCXOIAc
Could you post a link to such a story? I'd love to read about it. Unfortunately the wikipedia article doesn't seem to have many leads for me just yet.
A short story about the USPSIS:

I was downloading Postal Service mp3s from Kazaa and ended up downloading some USPS disciplinary reports on accident. I shared them with a friend because I thought they were funny, and he posted excerpts on a message board. From there it somehow got to the USPSIS who tracked down my friend’s cell phone #. I eventually agreed to meet, so the inspector flew out from DC and met us at a diner in Santa Cruz. He showed us his badge and went over how I ended up with the files. The whole thing was sort of bizarre, but he was pretty friendly and seemed more interested in figuring out how the files got out than throwing the book at me or my friend.

Wow they flew across country to discuss over dinner something they could have just emailed/phoned about? They really do have a pretty boring job.
>at least postal mail has federal laws with serious punitive remedies

ACH is also laughably insecure; the only thing standing between it and total chaos is federal prison.

Sure, whatever you say. One of my bitcoin-addled friends loves to claim this. I left $1000 in an account and gave him the routing and account numbers and welcomed him to take it. He couldn't do it.
Then he was not very clever. Account + routing number can be used to make a payment to any merchant that accepts ACH payments. At the very least he should have been able to pay his credit card or utilities with it, without any technical knowledge at all.

If you have a merchant account, you can take direct debits from an account using those numbers. Getting a merchant account underwritten for yourself can take less than a day, and the verification process isn’t all that robust.

Account numbers are essentially more valuable than credit card numbers. Except credit card numbers are at least supposed to be protected by a rather decent security standard. With ACH there is no such standard, you can handle account numbers any way you please, and many merchants do so very poorly. Also, the account number is written on checks that you literally hand out to people, which is pretty much the worst thing you could do with a credit card number.

Your anecdote is meaningless. Any individual can easily commit fraud with an account number, and if they put a small amount of effort into it, they could do it on a very large scale. There is no security standard that protects ACH data, only a short set of regulations that describe how committing fraud will send you directly to prison.

What tool did he use? Bump keys? A raker?
I do a bit of lockpicking as a hobby and often carry lockpicks because they've come in handy several times when people lost keys, etc....

Most door locks and deadbolts in the US will fall to rakes in a minute or less. I've found the Southord L-rake and Pagoda to be pretty effective. These can be had in basic versions without much of a handle from southord.com for $1.65. (A tension tool is also required; it's pretty much just a bent piece of steel).

It looks like it's called a "lock gun", that's what I found them called when I went looking for one on Ali Express. Just a little plastic pistol-grip handled tool that he selected a metal blade on and stuck it in the keyway and pulled the trigger as he wriggled it around and twisted it. The first lock took him 2 tries at the right blade and took him a minute or so, then the second lock he got the right blade first try and was in in under 30 secs...

I kinda knew "ordinary domestic locks" weren't very secure against skilled lockpickers, and I don't know if there's some hidden technique required to use those things - but I was astounded and dismayed at how quickly my two different locks fell to such an easily available tool...

It's not like the system he was cracking was very secure. It has to be regularly openable with just a piece of metal, with tolerances so that when your key teeth wear down over the years it still works.
A pin/tumbler lock can be made considerably more secure against the attacks that work very quickly than most of the ones found on houses in the US actually are. Simply using security pins will significantly reduce the effectiveness of lockpick guns, rakes and bump keys.

In short, standard pins in locks only have one place they're likely to stick when manipulated under tension: the shear line that allows the lock to open. Security pins have additional grooves machined into them that will make the pin stick at points that do not result in the lock opening. It's still possible to pick locks that have them, but it often needs to be done one pin at a time, which is usually slower and tends to require more skill.

This drives me mad. My health insurance company tries to call me on a regular basis, but because they have to verify they’re speaking with me for HIPAA, they ask for the last 4 of my social.

To which I reply “You called me. I don’t know that you are who you say you are. I’m not giving you anything.” And hang up. What moron thought this was a good idea?

The first time my insurance company did this to me, the woman who called me (from a random phone number that didn't belong to the insurance company) sounded confused about why I wasn't going to give some random person my PII. When I called their 800 number, I was on hold for 20 minutes before they finally tracked down the entry in my account explaining why they had called.

Apparently, every time I order medical supplies they call me to tell me that they've sent a Very Important Letter, but they can't say what it is. When it arrives the next day, it informs me that they've approved my request for the supplies, which by this point have already arrived a week and a half ago.

It's gotten to the point where the calls now go like this:

    Them: Hi, this is [insurance company], can I have your date of birth please?
    Me: Is this about the letter you've sent?
    Them: ...Yes?
    Me: OK, I'll keep an eye out.
    Them: Erm... right. Have a nice day!
I have no idea what the moral of this story is.
This is so awful. I once got randomly selected to be a survey participant by a government agency while I was building a path. It was on the effect on my life of an earthquake thousands of kilometres away (there wasn’t any). They claimed I was legally obliged to participate or would be prosecuted. ID was produced etc. He sat and fired random questions at me while I broke concrete with a sledgehammer for an hour. I’d give the shortest possible answer, because I was breathless and the time between swings wasn’t long. Then they did follow up calls once every week for a year at the same time each week. These were never answered and the messages were not returned. I have no idea why your story reminded me of this, but it triggered the same rage centre.
Unless that was the census I would be extremely dubious of "you must take this survey or go to jail, trust me I'm from the government".
It was The Ministry of Statistics census people doing some work post the Christchurch earthquake.
It's because tech has a long tail. You have to remember that there are people who still aren't online, who are technologically illiterate, who don't use email or secure messaging etc. A lot of regulated companies (especially health care entities) are MANDATED to send and receive stuff insecurely so they can make sure that Jane Doe grandma in rural Wyoming actually gets the correspondence.
Just the last four? You're lucky.

One time my own bank scammed me into giving them my full seven digit SSN over the phone when they called me. And all they had to do was ask me for it!

The worst part was that I fell for it. Of course, no harm done, because it really was my bank, but what an idiot I was.

At least I knew better when the Windows Support people started calling me a year later!

I've run into the opposite situation making me hesitant to trust legitimate correspondence with my own banks. The past few times I had to take care of something over the phone, they did not ask for anything that could reasonably confirm my identity or account. One bank only asked for the last four digits of my account number. When I called another bank in response to an email alert about a fraudulent transaction, the representative asked for a phone number to text a verification code that I had to repeat back to them ("You want me to give you a ten-digit number?" "Yes"). Looking back on it, the first bank may have figured that few people will ever have the same account status problem at the same time and would ask for more information in the event of a collision, and the second one may have required me to name one of the phone numbers they already had on file (I'm used to representatives telling me a few digits of the number they're going to text based on what they have on file). But without knowing the entire workflow ahead of time, it seemed just as likely that this was a bunch of meaningless ceremony meant to give the appearance of bank-scale IT infrastructure in action so that I'd feel more comfortable revealing sensitive information later.
7 digits? It’s 3+2+4=9 digits in the US.
Thus proving that I can't count past seven!

You've seen off by one errors, this is twice as bad.

Would have been funnier if you said "thrice"
Which would be three quarters as bad.
My credit union’s fraud department contact information isn’t listed on their website and they called me several times before I finally called the main switchboard and had someone patch me through. No I’m not giving my account information to someone who called me.

You’re the fraud prevention department for chrissakes. Act like you’re preventing fraud, not participating.

That's why I was pleasantly surprised recently when my bank called me about some fraudulent transactions, and the entirety of the conversation was: "Do you recognise this transaction?" "No" "OK, your card has been blocked and a new one is on its way".

Even if it had been a fraudulent call, they weren't asking for anything (so I didn't have to bother verifying it was legitimate), and even if they got the wrong person there is limited damage they could do.

What if they got the person who just redirected your mail to their own address?
I'd notice there was a problem when I stopped receiving mail and my current card stopped working. Even then, even if they DID get the new card, I could report any subsequent transactions as fraudulent (honestly, my mail being redirected would be a much bigger issue to me than someone having access to my card, so that doesn't add much to the attack potential).

Also, at some point, it becomes infeasible enough (that someone would have redirected my mail, hijacked my phone number or managed to change it with the bank, triggered a call from my bank, and managed to line them all up so I hadn't noticed there was a problem) and more trouble than it's worth to be worried about it happening.

You would probably notice when your card suddenly stopped working.
And let's not even get started about using the SSN as a form of ID.
A while back, Anthem Blue Cross' automated phone number was flagged as "Scam Likely" by T-Mobile Scam ID. Can't blame me for ignoring those calls.
I can kind of see how it happened though. People want their data protected so they pass laws that you have to check who it is and not someone else in the building who happened to pick up the phone.
I'm on a home owners board with a woman who is a paralegal for her brother's law firm and it amazes me how much stuff they do that they think is either secure or provides some sort of authentication (in the meat world). Kind of annoying when they want to go through all sorts of rigmarole when it doesn't actually provide the features they think.
I was recently meeting with the Head of Security for a large firm. He had a pretty decent explanation of the process to implementing security that I thought was very apt. The way he put it, there’s two overarching milestones, “liability” and “actually secure”. “Liability” is where you have checked all the right boxes to be able to aptly defend yourself in court and is the achievable goal. “Actually secure” is the pipe dream you will always strive for, but never obtain.
In college I had a Prof who was a leader in network technology and was hired as an expert witness for the RIAA trials for people getting busted illegally downloading music and movies. I lost all respect for him when he was working a case where an elderly lady had an open wifi connection on her home router. He never brought up the fact that it's not possible to know what was going on behind the NAT wall and that because her wifi had no encryption anyone driving by could use it.

Now that I'm older it worries me that it is very possible to go to court and be on the right side and have a judge and jury who cannot comprehend these basic concepts. I've had bosses who work in software / hardware industry not understand concepts, God forbid I ever have to defend myself in a public forum.

The legal world is not designed for security or to be efficient

it is designed to be as convoluted as possible to

a) increase billable hours

b) create loopholes big enough to drive a truck through that the $$$$$ lawyers can exploit for their clients

Well our issues are more about things like sending someone a letter, proving they got it and that the person receiving it is the person we wanted to send it to. Even with a certified letter none of those features are actually possible with the current USPS, at least not in any real meaningful way. And don't even get me started on their use of received receipts in email.

But like you said, it's all about screwing the system and I'm sure a judge would not understand any of these concepts regardless of how simple someone would make them.

We have "secure mail" here in Australia, where you have to go to the post office to pick it up.

It's actually incredibly annoying, my rental contract was sent via this method, so I have to go to the post office to pick it up, despite the fact that I actually live closer to the real estate agents office.

Why they couldn't just email it to me, I'm not entirely sure.

We have this in the US as well, "Registered Mail". It's only used for things that are very sensitive/important since it's a huge pain in the butt, both sender and recipient require verification of identity.
“Registered Mail” in the US does not require any form of verification of identity. All it does is provide extra insurance and delivery confirmation. “Certified Mail” doesn’t require identity verification either, so I’m not sure what service you are thinking of, but I’m near positive nothing of that sort exists with USPS.

https://www.usps.com/ship/insurance-extra-services.htm

From your link:

Restricted Delivery

Specify the person who can sign for and receive your item. Must be purchased in combination with another extra service as follows: Certified Mail, COD, Insured Mail (over $500), Registered Mail, or Signature Confirmation.

Restricted delivery doesn’t do identity verification. I can say I’m John Doe and sign as John Doe and receive the package (I’ve received restricted delivery packages before and the carrier in multiple different states never asked for ID). I’ve also sent restricted delivery mail before and never had my identity checked as OP claimed.

Edit: Per Stamps.com [0], the USPS “may” require ID on delivery, but again, in my experience, I’ve never been asked once.

[0] https://stamps.custhelp.com/app/answers/detail/a_id/157/~/re...

With old, physical systems, a bad person can easily mess with a single to a few people. With new digital system the bar is very high, most people are stumped. But when you do get over the bar, then you can mess with hundreds of millions of people.
Authoritative notice via postal mail is done by certified letter. That is trackable and much more reliable than the regular postal mail.

In my neighborhood I routinely get mail that is meant for my neighbors, and they get mine. I don't know if it's a sorting problem at the central office or driver incompetence but regular postal mail is absolutely not reliable.

>companies and services like to rely on it

And governments!