How the US Postal Service fuels identity theft.

✉️💨

This might come as a surprise, but if you have never changed your address with the US Postal Service(USPS) before, they do not know where you live. You read that right. Before you ask, "Then how do I get my mail?" Let me explain.

The USPS delivers the mail based on the address shown on the mail piece. To prove my point, fill out a postcard addressed to Mickey Mouse with your address on it. Slap a stamp on it and drop it in the mailbox. See if the letter gets delivered with a postmark.📬

For those of you who have changed your address with the USPS, they know exactly where you live, and so do many people and organizations you have never met or engaged in business🤯.  In this article, I am going to explain in detail how the USPS fuels identity theft. I will follow up this article with the solution I am building to stop this $20+ billion-dollar problem.

The USPS is in the business of delivering the mail.📪 They are not in the business of handling data. Unfortunately, in 1985 the USPS needed a solution to stem the huge influx of Undeliverable-As-Addressed mail. A problem that costs them over $1 billion a year¹💸.

The USPS was in a bind. They needed to disseminate this information to businesses and government agencies, but the Privacy Act of 1974 states government agencies must get permission to distribute a person's name and address. To get around this law, they developed a program that licenses access to their database. This database is known as the National Change of Address(NCOA) database.² Those who are licensed to access it are known as NCOAlink® providers.

Businesses who need current address data on their customers go to these providers with their address lists. It could be lists with 100 names and addresses or 100 million. It doesn't matter. The NCOAlink® providers, also known as list cleaners, take the address lists and run them through the USPS NCOA database. The database returns any change of address data for the citizen on the list. It sounds like no big deal, right? Well, let's see how deep the rabbit hole goes.🐇

When a citizen fills out a change of address form at the Post Office or online they must accept the Privacy Act Statement.⁴ What exactly does it say?

The image might be hard to read, so I have posted the text below. Pay attention to the highlighted portions.

NOTE: The person signing this form states that he or she is the person, executor, guardian, authorized officer, or agent of the person for whom mail would be forwarded under this order. Anyone submitting false or inaccurate information on this form is subject to punishment by fine or imprisonment or both under Sections 2, 1001, 1702, and 1708 of Title 18, United States Code.

PRIVACY NOTICE: This information you provide will be used to forward your mail to a new location. The collection is authorized by 39 USC 404. Filing this form is voluntary, but we cannot forward your mail without it. We do not disclose your information, except in the following limited circumstances: to government agencies or bodies as required to perform official duties; to mailers, only if they already possess your old address; in legal proceedings or for service of process; to law enforcement as needed for a criminal investigation; or to contractors who help fulfill the service.

👇This is what is posted on the USPS Change of Address website.👇

Privacy Act Statement: Your information will be used to provide you with mail forwarding and change-of-address services. Collection is authorized by 39 U.S.C. 401, 403, and 404. Providing the information is voluntary, but if not provided we will not be able to process your request. We do not disclose your information to third parties without your consentexcept to facilitate the transaction, to act on your behalf or request, or as legally required. This includes the following limited circumstances: to a congressional office on your behalf; to financial entities regarding financial transaction issues; to a U.S. Postal Service (USPS) auditor; to entities, including law enforcement, as required by law or in legal proceedings; to contractors and other entities aiding us to fulfill the service (service providers); to federal, state, local or foreign government agencies regarding personnel matters or for the performance of its duties; for the service of legal process; for voter registration purposes; for jury service duties; to a disaster relief organization if the address has been impacted by a disaster or manmade hazard; to individuals or companies already in possession of your name and old mailing address, as an address correction service.🤔😕 Information will also be provided to licensed service providers of the USPS to perform mailing list correction service of lists containing your name and old address. 

ENTER the Equifax Data Breach.⁵ Here is a list of the data that was stolen in the breach.

  1. Names

  2. Social Security Numbers

  3. Birth Dates

  4. Addresses

  5. Driver’s License Numbers.

What does the US Postal Service need to update an address list?

 -Name and old address.

 Who can get this information?

 -Individuals or companies who have possession of an old address.

 How many identities were stolen in the Equifax Data Breach?

 -Over 143 million

So how does the USPS fuel identity theft? There is no authentication between a citizen and the NCOA database. Any company or bad actor can buy names and addresses on the dark web and run them through an NCOAlink provider. I know this for a fact because I tested the system. I posed as a legitimate non-profit and spoke to multiple NCOAlink providers. I gave them a sad story about how our non-profit was spending money we didn't have trying to cover our undeliverable mail costs. The NCOAlink provider was very sympathetic and fully understood my plight. Nothing about my story sounded odd because the industry as a whole spends $20 billion a year on this problem. I was a small fish in a huge pond. The provider didn't care how many records we had as long as we could pay the fees.

This told me anyone could obtain a change of address data on 100+ million Americans. All you would have to do is start a fake business or non-profit and buy stolen address data on the dark web to run through the NCOA database. Citizens would never know their identity was stolen.

Shortly after the Equifax Data Breach occurred, I immediately contacted the US Cyber Command and the Chief Data Officer of the US Air Force. I explained the vulnerability I discovered. I received no response. Of all the people and organizations I contacted since 2016 about my solution to this problem, only 1 person responded to my research; President Donald Trump. Here is a picture of the signed card he sent me.

Sources

  1. https://postalpro.usps.com/address-quality-solutions/undeliverable-addressed-uaa-mail

  2. https://www.nytimes.com/1992/05/14/us/post-office-criticized-for-opening-its-address-list.html

  3. https://postalpro.usps.com/ncoalink/Full_Service_Provider_Licensees

  4. https://moversguide.usps.com/mgo/disclaimer?referral=UMOVE

  5. https://epic.org/privacy/data-breach/equifax/#:~:text=The%20data%20breached%20included%20names,unprecedented%20in%20scope%20and%20severity.