I’ve been a fan of the buy postage online and slap it on a
Priority Mail envelope for the longest time, until today. I had to send some
sensitive information through the mail because I wasn’t quite ready to drive 40
miles round trip to use FedEx, because I feared my package of sensitive info
setting in some FedEx box on a weekend awaiting pick-up was a bad idea. I also
thought about encrypting the files and sending them digitally but I’m not
entirely sure the parties on the other end would be able to deal with the
procedure to access them; even passwords elude some people so two-step
authentication via an online method was out of the question.
So I opted for the most “secure” method of delivery
possible from the US Postal Service, selecting the “Require Adult Signature” tick box in addition to insuring the package on the USPS website.
This is really ridiculous in hindsight, but at the time it felt good. I guess I
can thank Seinfeld for causing my fears about mail pricing class systems and
mail carrier preferential treatment in regard to extra postage or lack-thereof; that's a fallacy as well because if anything more money for "security" means the more precious the cargo.
Patiently I awaited the tracking info on the website to say
“Delivered,” but it never came, even though today was the target delivery date.
The reason being, the main sorting facility in the city where the package was
being delivered dragged their feet on sorting my high priority package. So when
it was finally sorted for its destination, it was already almost 10:00 in the
morning. It’s likely sitting in the sorted stacks of mail in the sorting
facility waiting for delivery in the morning, but this doesn’t keep my mind
from wondering.
How could someone tamper with my mail unknowingly?
Physical tampering on a letter is fairly evident. When
someone opens an end and tapes it closed you will likely notice because there are physical signs that
it has been tampered with.
I started thinking about the ubiquitous packaging
used by the US Postal Service with their campaign “If it fits, it ships.”
Sorting facilities likely have stacks of these preprinted boxes lying around.
So if someone were to abscond with a package (for a short time while the
tracking info said it was at the sorting facility, or in my case “out for
delivery”), they could grab a similar package to the one that I have used (eg.
Priority Mail Envelope), and go to their local office where a scanner and
printer reside.
Then they could rather carelessly extract all of the
documents, make copies, take pictures, or scan the items. Next they would use
their new package to repackage my documents, and then scan and reprint the
delivery label from my package. Place it on the new package and return the
items back to the sorting facility or the waiting pile.
It’s not just mail
Then I started thinking about that expensive option of using
a service like FedEx who also uses the same sort of standardized packaging. The
same scenario applies. Also in regard to FedEx if someone were to notice a
pattern of deliveries, they might interlope to satisfy a curiosity.
So, How Can You Really Tell?
Using simple two-step authentication (verification) is one method. The best way I
thought of so far was to mark the package in a way that was nearly impossible
to replicate, or in a way so that a normal onlooker for the package would not
notice. Colored markers, color printout of an image from the web, but basically
you mark the package.
Next you would take a picture of the markings and either
text, or e-mail it to the recipient (if it is someone you can contact). Let
them know that you are sending a package and send them the picture so they can
verify that it is indeed the envelope or package that you initially packed.
If you have budgets for custom printing you can print your customized envelope for the internal documents and wrap the interior of your package with something that's not easily replaceable. Companies like Uline sell tape and tamper-evident bags that show indication of tampering. If the document arrives in a non-standard format you know the package was tampered with, and you can then start an investigation with the delivery service.
What companies would be the target of such an attack?
Banks, finance companies, mortgage lenders, payroll
companies, Realtors, insurance companies, basically any company that receives sensitive personal
information through a standardized delivery service such as FedEx or the US
Postal Service in the States. Outbound mail from these companies likely isn't so much of a target in this regard for this type of attack. It's much easier to just take the letter outright if there is no tracking. Mail gets lost everyday right? The bank would assume the information was lost in transit and resubmit. If it was unexpected (like a replacement credit card), the end recipient would be clueless to the attack. Corporations only care about protection of personal information in regard to the bad press or negative media fall-out.
In regard to identity theft the corporations aren't necessarily liable if someone finds a way to game the system, so the companies will not invest money for a potential threat.
Inbound mail or packages from individuals tend to have people's personal information in them, like in instances where the senders are completing a correspondence or form. Since they have a vested interest in maintaining their identity security they will likely opt for more postage.
Final thoughts
Call it paranoia, but I notice patterns, and when I’m
sending sensitive info in high profile packages to consistent recipients in a
way that would normally not have a time delay or interference, the anomalies in
transit do pique my interests. If anyone tells you that snail mail is safer
than e-mail or encrypted files they do not know what they are talking about unless they're using a complicated verification method like I've discussed here.
Remember security is an illusion.
No comments:
Post a Comment
I'm going to read this before it goes live if you don't mind.