Featured Article

The life-upending flaw that USPS won’t fix

Change of address fraud can have lasting fallout, but USPS won’t say how it plans to close the loophole

Comment

a postal worker worker pushes a mail cart outside a United States Postal Service (USPS) distribution center in Chicago.
Image Credits: Luke Sharrett / Bloomberg (opens in a new window) / Getty Images

Sometime in November, someone walked into a U.S. post office and filled out a change of address form, just as tens of millions do each year to route their mail to a new address. The person signed the form, handed it in and walked out. That was enough to set in motion a domino effect that upended the life of a former Microsoft executive several states away, as the person who signed the form effectively hijacked the executive’s home address in just a few minutes.

The fraud relies on a simple flaw in how the U.S. Postal Service processes changes of address. It’s neither new nor a particularly sophisticated technique, and has long been known to fraudsters and federal investigators. A fraudulently filed change of address form can have lasting fallout for the thousands of individuals whose mail is hijacked and rerouted every year, with criminals able to obtain bills, credit cards and other sensitive information that can be used to raid bank accounts or make fraudulent purchases.

What is more baffling is that there seems to be an equally simple fix. But while USPS acknowledges there is a problem, it wouldn’t say how it plans to close the loophole that allows fraudsters to cash in on someone else’s identity.

The former Microsoft executive, who asked not to be named but agreed to tell his story to TechCrunch, is not naïve to cybersecurity and privacy threats. But by his own admission, the former executive said he did not know it was so easy for someone to maliciously change his address without his consent, let alone open the doors for criminals to raid his accounts or potentially rack up thousands of dollars in fraudulent purchases. All of this, he says, is because of a simple paper form that gets handed back to the post office without much of a second thought.

USPS processed some 36 million changes of address in 2021. There are two ways to change an address. Most people fill out the form online by providing their old and new address, then pay $1.10 for the convenience of speed. The other way — still used by a significant minority of folks — is by filling out the paper form at a local USPS post office.

Neither online or paper form requires the person to present proof of their identity. The online form, at least, requires a small payment, which is by no means verification of a person’s identity, but it leaves a digital paper trail that makes it ultimately traceable to someone. But USPS relies almost entirely on the system trusting the person signing the paper form, whoever they might be.

a postcard-sized change of address form, made of paper, facing front-side up on a flat wooden desk.
After filling out this form, there are no guarantees that USPS will check the identity of the person submitting the change of address request. Image Credits: TechCrunch

The paper form is officially known as PS Form 3575. As bureaucratic as government paperwork goes, this form is both refreshingly simple and remarkably dull. You have to request the postcard-sized form at a USPS post office, which we did — for journalism! The person then fills it out with their name, old address, new address and for how long they want to reroute their mail.

The last thing is to sign the form, and hand it back to a postal worker or drop it in the letter mail slot inside the post office. But besides a notice on the reverse side warning that filling out the form with false information could result in criminal charges (if caught), there are no guarantees that USPS will check the identity of the person submitting a paper change of address form. That is the simple flaw that fraudsters exploit in order to hijack home addresses, steal their credit cards and wreak havoc on their bank accounts.

Once a form is handed in and processed, USPS sends out two letters, one letter to the old address and another to the new address, notifying the resident that the change of address went through. But these letters can, and are, easily missed, and the letters themselves do not require customer attention or interaction, only if the person wants to “view or cancel” an unauthorized change of address request.

Not only is this flaw not new, it’s widely documented. In a particularly comical case from 2017, an Atlanta resident was arrested for cashing checks that he had rerouted from the corporate headquarters of shipping giant UPS, resulting in literal bathtubs of mail piling up outside the hapless fraudster’s apartment. Yet, it still took nearly three months for UPS to notice that its mail wasn’t showing up.

A letter from one of the former executive’s banks, which he shared with TechCrunch, corroborates his account and confirmed that the bank made the address change in its systems “as a result of data received from the United States Postal Service (USPS) indicating that an address change had occurred.” Because USPS had accepted the fraudulent change of address made in the former executive’s name, USPS passed along the new address set by the fraudsters to countless other companies, including his banks. USPS has long sold change of address data to data brokers, which resell this information to anyone who wants to buy it, like financial institutions.

Luckily for him, he caught the fraud before the criminals could do irreversible damage, yet it still took weeks to return his accounts — and his home address — in order. But change of address fraud still affects thousands of people every year who don’t have the clout of a former technology executive to get their lives back to normal.

To understand how the U.S. Postal Service was reducing this kind of change of address fraud given that it remains an ongoing issue, TechCrunch asked USPS for comment.

USPS spokespeople Sue Brennan and Tatiana Roy declined to comment and referred our email to the U.S. Postal Inspection Service, or USPIS, the law enforcement arm of USPS, which provided TechCrunch with a boilerplate statement — some of which repeated itself — but did not say how the U.S. Postal Service planned to prevent change of address fraud. USPIS sent its response from a general unnamed email address, and repeatedly declined to provide a spokesperson’s name when asked by TechCrunch, despite being standard practice for reporters to ask. When reached by email, USPIS’ Ariana Ramirez also declined to provide the name of the department’s media spokesperson.

In its boilerplate statement USPIS said that, “as these situations arise, USPS reevaluates their internal controls to address security concerns,” without saying what those internal controls were, if any, nor if they implemented any changes. We asked again, but did not receive a response.

“Customers are encouraged to monitor the receipt of their mail, by retrieving it daily from their mailbox or through Informed Delivery online,” the statement added, referring to the online service that allows residents to preview their inbound USPS mail and packages. But while regularly checking your mailbox could help notice missing mail before it’s too late, this is by no means foolproof. That’s why fraudsters are still doing it.

Neither USPS or USPIS mentioned what seems like an obvious solution. If the online form requires a small payment to reduce the chance of fraud, why not check the person’s proof of identity when handing in the form in person?

It is not a novel idea. The independent watchdog that oversees the postal service, the USPS Office of Inspector General (or USPS OIG), has raised concerns about change of address fraud for years. USPS OIG said in its 2018 audit report, which it initiated based on concerns from lawmakers, news outlets and customer complaints, that the postal service did not require customers to present a government form of identification, such as a passport or a driver’s license, for review when submitting a paper change of address form. The watchdog noted that several overseas postal services, notably Australia, Canada and the United Kingdom, all require some form of identity check when manually submitting a change of address form, but that they also accept a range of documents for those who do not have a government-issued form of identification.

The USPS OIG was clear in its findings. “The lack of a national policy to support such an ID-requirement control may perpetuate additional fraudulent activities and harm the Postal Service’s brand as a trusted provider.”

Following the audit, USPS said it planned to implement government-issued identity checks for paper change of address forms by the end of March 2019.

USPS OIG spokesperson Bill Triplett told TechCrunch that USPS agreed with the inspector general’s findings of its 2018 audit report and the recommendations were closed in August 2019, indicating that the matter is resolved. The spokesperson said that USPS “provided documentation demonstrating sales associates require identification to process change of address requests in person.”

When asked about whether USPS enforces this policy: “The Postal Service would have the most up-to-date information on how they are enforcing their policies. Typically, once we close a recommendation based on supporting documentation provided by the Postal Service, we do not complete follow-up work to check whether they continue to implement it,” the spokesperson said.

USPS OIG said it would “consider auditing this topic in the future.”

To say the quiet part out loud, USPS is not adequately enforcing its own policy on identity checks when someone files a paper change of address form. USPS has yet to comment or identify any efforts where it is trying to reduce this kind of fraud.

This isn’t just the case of one former Microsoft executive who got unlucky and fell through the cracks. Seattle-based KIRO 7 News covered this story just six months ago and reached the same conclusions. After reporting on a local family that had faced this issue on two separate occasions, USPS dismissed the family’s ordeal by claiming that identity theft “can’t happen” through change of address fraud.

“But that doesn’t account for someone not asking for ID at the counter,” KIRO 7 News wrote, pointing directly to the flaw in the system.

An identity check need not rely on some grand database of information or keeping a ledger of records for decades to come. It should not require more than a person simply showing a postal worker their proof of identity, or similar documentation, as they hand in the form, just as postal systems do in other countries. Check their name, and nothing more. And while no system is ever perfect, a brief glance at a person’s ID or documents would make it significantly more difficult to change someone’s address without their permission.

Otherwise, there is little anyone can do to prevent this kind of fraud without some level of constant vigilance. But at some point, it shouldn’t be the responsibility of the consumer, when the USPS could enforce the solution it allegedly fixed four years ago.

“For elections, for financial issues, everybody’s relying on the Post Office,” the former executive told me. Yet for a simple but devastating flaw with an equally simple fix, he said he could not understand why the USPS is “not doing anything.”


Get in touch with the security desk on Signal and WhatsApp at +1 646-755-8849 or by email. You can also tip us stories or securely share documents via SecureDrop.

US Postal Service exposed data of 60 million users

More TechCrunch

Struggling EV startup Fisker has laid off hundreds of employees in a bid to stay alive, as it continues to search for funding, a buyout or prepare for bankruptcy. Workers…

Fisker cuts hundreds of workers in bid to keep EV startup alive

Chinese EV manufacturers face a new challenge in their pursuit of U.S. customers: a new House bill that would limit or ban the introduction of their connected vehicles. The bill,…

Chinese EV makers, and their connected vehicles, targeted by new House bill

With the release of iOS 18 later this year, Apple may again borrow ideas third-party apps. This time it’s Arc that could be among those affected.

Is Apple planning to ‘sherlock’ Arc?

TechCrunch Disrupt 2024 will be in San Francisco on October 28–30, and we’re already excited! This is the startup world’s main event, and it’s where you’ll find the knowledge, tools…

Meet Visa, Mercury, Artisan, Golub Capital and more at TC Disrupt 2024

Featured Article

The women in AI making a difference

As a part of a multi-part series, TechCrunch is highlighting women innovators — from academics to policymakers —in the field of AI.

4 hours ago
The women in AI making a difference

Cadillac may seem a bit too traditional to hang its driving cap on EVs. And yet, that hasn’t stopped the GM brand from rolling out — or at least showing…

The Cadillac Optiq EV starts at $54,000 and is designed to hook young hipsters

Ifeel is being offered as part of an employer’s or insurance provider’s healthcare coverage.

Mental health insurance platform ifeel raises a $20 million Series B

Instead of opening the user’s actual browser or a WebView, Custom Tabs let users remain in their app while browsing.

Google Chrome becomes a ‘picture-in-picture’ app

Sanil Chawla remembers the meetings he had with countless artists in college. Those creatives were looking for one thing: sustainable economic infrastructure that could help them scale rather than drown…

Slingshot raises $2.2 million to provide financial services to artists

A startup called Firefly that’s tackling the thorny and growing issue of cloud asset management with an “infrastructure as code” solution has raised $23 million in funding. That comes on…

Firefly forges on after co-founder murdered by Hamas

Mistral, the French AI startup backed by Microsoft and valued at $6 billion, has released its first generative AI model for coding, dubbed Codestral. Like other code-generating models, Codestral is…

Mistral releases Codestral, its first generative AI model for code

Pinterest announced today that it is evolving its Creator Inclusion Fund to now be called the Pinterest Inclusion Fund. Pinterest teamed up with Shopify’s Build Black and Build Native programs…

Pinterest expands its Creator Fund to allow founders

Alex Taub, a longtime founder with multiple exits under his belt, believes it’s time to disrupt the meme industry. “I have this big thesis that meme tech is going to…

This founder says meme tech is the next big thing

Lux, the startup behind popular pro photography app Halide and others, is venturing into video with its latest app launch. On Wednesday, the company announced Kino, a new video capture app…

Kino is a new iPhone app for videographers from the makers of Halide

DevOps startup Harness has shown itself to be an ambitious company, building a broad platform of services while also dabbling in M&A when it made sense to fill in functionality.…

Harness snags Split.io as it goes all in on feature flags and experiments

Microsoft’s Copilot, a generative AI-powered tool that can generate text as well as answer specific questions, is now available as an in-app chatbot on Telegram, the instant messaging app.  Currently…

Microsoft’s Copilot is now on Telegram

HBO’s new documentary, “MoviePass, MovieCrash,” tells a story that many of us know about: how MoviePass, the subscription-based movie ticketing startup, was a catastrophic failure. After a series of mishaps…

MoviePass co-founders speak their truth in HBO’s new documentary 

The watch features a variety of different 3D games, unlocking more play time the more kids move.

Fitbit’s new kid smartwatch is a little Wiimote, a little Tamagotchi

In the video, a crowd is roaring at a packed summer music festival. As a beat starts playing over the speakers, the performer finally walks onstage: It’s the Joker. Clad…

Discord has become an unlikely center for the generative AI boom

After the Wirecard scandal, Germany’s financial regulator BaFin started to look more closely at young fintech startups that wanted to grow at a rapid pace — it’s better to be…

Germany’s financial regulator ends anti-money laundering cap on N26 signups after $10M fine

Among other things, this includes the ability to trace code from source to binary packages across both platforms, single sign-on support and unified project structures.

JFrog and GitHub team up to closely integrate their source code and binary platforms

The company’s public fund disbursement and e-commerce platform makes accepting school tuition and enabling educational enrichment more accessible. 

Tech startup Odyssey goes on journey to help states implement school choice programs

A new startup called Kinnect aims to help people privately save generational memories, traditions, recipes and more. The company’s app, launched this month, lets people create invite-only spaces where they…

Kinnect’s new app aims to help families record and store generational memories

Spotify has hiked its premium subscription in France by an eye-watering €0.13, in response to a new music-streaming tax.

Spotify hikes subscription price in France by 1.2% to match new music-streaming tax

The European Union has taken the wraps off the structure of the new AI Office, the ecosystem-building and oversight body that’s being established under the bloc’s AI Act. The risk-based…

With the EU AI Act incoming this summer, the bloc lays out its plan for AI governance

Solutions by Text, a company that gives people a way to pay their bills and apply for loans via text messaging, has secured $110 million in new growth funding. Edison…

Bootstrapped for over a decade, this Dallas company just secured $110M to help people pay bills by text

Owners of small- and medium-sized businesses check their bank balances daily to make financial decisions. But it’s entrepreneur Yoseph West’s assertion that there’s typically information and functions missing from bank…

Relay raises $32.2 million to help smaller businesses manage their cash flow

When other firms were investing and raising eye-popping sums, Clean Energy Ventures took a different approach. It appears to be paying off.

How Clean Energy Ventures avoided the pandemic bubble and raised a $305M fund

PwC, the management consulting giant, will become OpenAI’s biggest customer to date, covering 100,000 users.

OpenAI signs 100K PwC workers to ChatGPT’s enterprise tier as PwC becomes its first resale partner

Tech enthusiasts and entrepreneurs, the clock is ticking! With just 72 hours remaining until the early-bird ticket deadline for TechCrunch Disrupt 2024, now is the time to secure your spot…

72 hours left of the Disrupt early-bird sale