Tuesday, September 16, 2014

When mail is [potentially] tampered with and you don’t even know it.

I’ve been a fan of the “buy postage online and slap it on a Priority Mail envelope” method for the longest time, until today. I had to send some sensitive information through the mail because I wasn’t quite ready to drive 40 miles round trip to use FedEx, because I feared my package of sensitive info sitting in some FedEx box on a weekend awaiting pick-up was a bad idea. I also thought about encrypting the files and sending them digitally, but I’m not entirely sure the parties on the other end would be able to deal with the procedure to access them; even passwords elude some people, so two-step authentication via an online method was out of the question.

So I opted for the most “secure” method of delivery possible from the US Postal Service, selecting the “Require Adult Signature” tick box in addition to insuring the package on the USPS website. This is really ridiculous in hindsight, but at the time it felt good. I guess I can thank Seinfeld for causing my fears about mail pricing class systems and mail carrier preferential treatment in regard to extra postage or lack thereof; that's a fallacy as well because, if anything, more money for "security" means the more precious the cargo.

Patiently I awaited the tracking info on the website to say “Delivered,” but it never came, even though today was the target delivery date. The reason is that the main sorting facility in the city where the package was being delivered dragged its feet on sorting my high priority package. So when it was finally sorted for its destination, it was already almost 10:00 in the morning. It’s likely sitting in the sorted stacks of mail in the sorting facility waiting for delivery in the morning, but this doesn’t keep my mind from wondering.

How could someone tamper with my mail unknowingly?
Physical tampering on a letter is fairly evident. When someone opens an end and tapes it closed you will likely notice because there are physical signs that it has been tampered with. 

I started thinking about the ubiquitous packaging used by the US Postal Service with their campaign “If it fits, it ships.” Sorting facilities likely have stacks of these preprinted boxes lying around. So if someone were to abscond with a package (for a short time while the tracking info said it was at the sorting facility, or in my case “out for delivery”), they could grab a similar package to the one that I have used (e.g., a Priority Mail Envelope), and go to their local office where a scanner and printer reside.

Then they could rather carelessly extract all of the documents, make copies, take pictures, or scan the items. Next they would use their new package to repackage my documents, scan and reprint the delivery label from my package, place it on the new package, and return the items to the sorting facility or the waiting pile.

It’s not just mail
Then I started thinking about that expensive option of using a service like FedEx, which also uses the same sort of standardized packaging. The same scenario applies. Also, in regard to FedEx, if someone were to notice a pattern of deliveries, they might interlope to satisfy a curiosity.

So, How Can You Really Tell?
Using simple two-step authentication (verification) is one method. The best way I thought of so far was to mark the package in a way that was nearly impossible to replicate, or in a way that a normal onlooker would not notice. Colored markers or a color printout of an image from the web would do; basically, you mark the package.

Next you would take a picture of the markings and either text, or e-mail it to the recipient (if it is someone you can contact). Let them know that you are sending a package and send them the picture so they can verify that it is indeed the envelope or package that you initially packed.

If you have budgets for custom printing you can print your customized envelope for the internal documents and wrap the interior of your package with something that's not easily replaceable. Companies like Uline sell tape and tamper-evident bags that show indication of tampering. If the document arrives in a non-standard format you know the package was tampered with, and you can then start an investigation with the delivery service.

What companies would be the target of such an attack?
Banks, finance companies, mortgage lenders, payroll companies, Realtors, insurance companies, basically any company that receives sensitive personal information through a standardized delivery service such as FedEx or the US Postal Service in the States. Outbound mail from these companies likely isn't so much of a target in this regard for this type of attack. It's much easier to just take the letter outright if there is no tracking. Mail gets lost every day, right? The bank would assume the information was lost in transit and resubmit. If it was unexpected (like a replacement credit card), the end recipient would be clueless to the attack. Corporations only care about protection of personal information in regard to the bad press or negative media fall-out.

In regard to identity theft the corporations aren't necessarily liable if someone finds a way to game the system, so the companies will not invest money for a potential threat.

Inbound mail or packages from individuals tend to have people's personal information in them, like in instances where the senders are completing a correspondence or form. Since they have a vested interest in maintaining their identity security they will likely opt for more postage.

Final thoughts

Call it paranoia, but I notice patterns, and when I’m sending sensitive info in high profile packages to consistent recipients in a way that would normally not have a time delay or interference, the anomalies in transit do pique my interest. If anyone tells you that snail mail is safer than e-mail or encrypted files, they do not know what they are talking about unless they're using a complicated verification method like I've discussed here.

Remember security is an illusion.
