A new report from the Office of the Inspector General of the US Postal Service highlights some troubling trends in change of address requests being used to commit fraud and identity theft.
The audit, Review of National Change of Address and Moversguide Applications, showed that fraudulent change of address requests submitted through USPS's online tools increased significantly from 2020 to 2021 (from 8,857 to 23,606) due to ineffective identity verification.
Finding #1: Moversguide Identity Verification
The Postal Service did not implement effective identity verification controls on Moversguide and charged customers $1.10 for identity verification services that it did not provide...We identified refundable revenue in the amount of $21,828,827 for identity validation services that were not provided...
...In 2018, the OIG issued a report on ineffective identity verification controls for online COA requests...The target implementation date for this recommendation was September 30, 2019; however, it was closed as “Not Implemented” in November 2021.
Finding #2: Identity Verification
...During our testing, we verified that when customers sign up for services directly through its website, the Postal Service validates their identity using the Customer Registration application. However, when through Moversguide, the Postal Service designed the system so that it would not utilize Customer Registration...
...Ineffective identity verification controls allow bad actors to use Moversguide to facilitate mail and identity theft against Postal Service customers, which could result in a financial loss to customers and negative impact on the Postal Service brand.
USPS management disagreed with the report, especially the reported monetary impact of the instances of identity theft, and stated that they believe the proposed recommendations would harm millions of customers.
Management stated that other than a significant fraud scheme in FY 2022, no material facts have changed since November 2021 when the recommendation from the prior audit was closed as not implemented.
Finally, management concluded that based on their analysis of the proposed recommendation, millions of customers would be harmed to achieve an incremental risk reduction for several thousand customers.
Coincidentally, several of the identity theft victims I've spoken to who had fraudulent eBay accounts set up using their stolen ID info told me they discovered fraudulent USPS change of address requests had been entered for them as well.
It's not entirely clear what part the address change requests may have played in the larger fraud scheme on eBay.
They may have been used to redirect return packages or documents like 1099-K forms. Or worse, in some cases the CoA requests could have possibly been the mechanism by which bad actors gained access to the victims' personal identity information in the first place, allowing them to create fake eBay accounts that did tens of thousands of dollars in fraudulent sales undetected by eBay's Trust and Safety and Managed Payments departments.
I absolutely agree with the authors of this OIG report:
Identity verification is an important security measure to combat fraud, because it ensures that a person is who they claim to be when performing online transactions.
With data breaches and identity theft on the rise, it is important that businesses ensure that they protect customer information from identity fraud.