Our objective was to evaluate the U.S. Postal Service’s identity verification internal controls for its Change of Address (COA) service.
The Postal Service offers COA service whereby residential and business customers can apply to have their mail forwarded to a new address. This service helps customers manage potential adjustments to their mail delivery.
The Postal Service processed 36.8 million COA requests in fiscal year (FY) 2017 — 20.6 million hardcopy requests and 16.2 million online requests. Nearly 96 percent of the total COA requests during that time were from residential customers (4 percent were from businesses).
The Postal Service has a variety of controls in place to help prevent identity theft using the COA service and to protect the mail and privacy of its customers. These controls include electronically validating online COA requests using credit card addresses. The Postal Service also sends hardcopy letters to both the old and new addresses as a means to confirm and validate every COA request.
We initiated this audit based on concerns expressed by Congress, news outlets, and customer complaints regarding the internal controls and security related to the COA service and the potential risk this service could be used for fraudulent activities. The congressional inquiry specifically asked us to identify additional safeguards the Postal Service implemented subsequent to our 2008 report titled Identity Theft Potential in the Change of Address Process. All recommendations related to identity verification controls from that report have been implemented. Furthermore, the identity verification-related controls mentioned in that report — such as those related to verifying that hard copy requests have valid customer signatures and to sending verification letters — remain in place today. Since that time, the Postal Service has implemented additional enhancements to its COA-related identity verification controls, including the development of a watch list for suspect addresses, domain blocks, and flags for requests made from foreign internet provider addresses.
What the OIG Found
The Postal Service has opportunities to improve its COA service identity verification controls. First, the Postal Service lacks a control requiring customers to present a government-issued form of identification for review when submitting a hardcopy COA request at a retail facility or to their letter carrier. Leading practices, including those from foreign posts in developed countries, include having employees perform identity verifications when conducting these types of in-person transactions.
Second, the current online identity verification processes [redacted]. Such a test could help verify the customer’s identity by demonstrating their control over the linked account. The Postal Service [redacted], which uses pre-determined questions and answers such as matching the credit card holder’s billing address with that of the address in the online COA request. Leading practices advocate having a verification process that includes [redacted].
The Postal Service recognizes potential vulnerabilities in these areas, and is evaluating control enhancements. Implementing such enhancements would help reduce the risk of COA-related identity theft. Since January 2016, the U.S. Postal Inspection Service received nearly 25,000 COA complaints, including 8,900 in 2016, 11,000 in 2017, and 5,000 for the first three months of 2018.
What the OIG Recommended
We recommend management:
Develop and implement a national policy requiring customers to present a government-issued form of identification for review when submitting a hardcopy COA request.
Develop and incorporate [redacted] into its online COA identity verification processes.
USPS Proposed Resolution
Develop and implement a national policy requiring customers to present a government-issued form of identification for review when submitting a hardcopy Change of Address request.
Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.