In 2016, the U.S. Postal Service managed 31,585 retail offices serving 877 million customers. To reduce wait-time-in-line and expedite customer transactions, the Postal Service developed the mobile Point-of-Sale (mPOS) system. mPOS is a mobile system that allows retail associates to accept credit card and non-PIN debit card payments for customers’ retail transactions. In fiscal year (FY) 2016, the mPOS system processed over 26 million transactions totaling about [redacted] million in revenue. As of May 2017, there were a total of 3,037 mPOS devices at high-volume retail units.

Like other retail systems, mobile retail systems are vulnerable to the same malware attacks as traditional payment systems, laptops, and other electronic devices.

Our objective was to determine if the mPOS devices and application are managed in accordance with Postal Service policy and best practices.

What the OIG Found

The Postal Service did not manage the mPOS devices and application in accordance with its policies and best practices. We reviewed access to the mPOS application and found that management should have disabled or removed accounts due to inactivity according to Postal Service policy. Specifically, [redacted] of 39,112 active accounts ([redacted] percent) have not been accessed in over [redacted] days. This occurred because management bulk-loaded accounts into mPOS based on user access to the lobby retail system and did not regularly review and validate users’ need for mPOS access.

We also determined that all mPOS devices are running on [redacted]. This occurred because management did not have a process to ensure that they updated all mPOS devices when new operating system versions are available. Additionally, the Postal Service was unable to upgrade some devices [redacted]. In FY 2016, management approved the upgrade of all mPOS devices to the latest hardware by February 2018.

When system access, devices, and the application are not properly managed, there is an increased risk that the mPOS system could be exploited. For example, a [redacted].

Management also does not adequately train mPOS users. Specifically, [redacted] of 26,786 ([redacted] percent) active mPOS users with transaction activity did not receive mandatory mPOS user training. Management does not have a process to ensure that employees have completed mandatory training prior to using the mPOS application. Improperly trained employees could lead to errors resulting in (1) reduced confidence in the Postal Service brand, (2) increased customer wait-time-in-line causing customers to use a competitor, or (3) unintentionally mishandled customer data and credit card information.

Finally, approved security standards for the mPOS devices and application did not exist. This occurred because the CISO recently re-established a dedicated security standards team and has been working through a backlog of outdated standards. [Redacted].

What the OIG Recommended

We recommended management:

  • Disable or delete unnecessary mPOS application user accounts and implement a process to ensure accounts are maintained in accordance with Postal Service policies.
  • Upgrade mPOS devices as described in the approved decision analysis report, and develop a process to ensure all mPOS devices are updated to current [redacted].
  • Develop and implement a process to ensure that employees receive mPOS training prior to granting them access to the mPOS application.
  • Implement security standards for the mPOS devices and application.

Read full report 


Comments (4)

  • anon

    Drive a mobile van using M POS sell stamps, pick up and mail package could save thousands. Without small town post office.

    Oct 09, 2017
  • anon

    I was never get any income yet .. may be my disability make me.. and I try one time it's not working - after didn't want try again, again .. that's why never get anythings yet so, many problem with financial can't pay anythings, I must pay post office for my for 6 months, couldn't pay my monthly ticket transportation. you can't imagine how I live in here... I know all problem is my disabled made me like this but don't have any security any people help.. and check up my situation -. So I really need an assistant who can help my problem about this.

    Oct 05, 2017
  • anon

    How am I not respected in my place as a citizen on this land of the free?! for the Deserving Most Worthy Love of My God I DEMAND HE BE RESPECTED IMMEDIATELY. BLESS US ALL

    Oct 05, 2017
  • anon

    How many Users who are not window trained are using the devices?

    Sep 27, 2017