Is USPS digital mail preview service a security hole?

Informed Delivery is a free service from the U.S. Post Office. Once a user signs up, they begin receiving an email every morning with photos of the coming day's mail delivery. It sounds convenient. And more than 6 million people have signed up.

But tech watchdog Krebs on Security reports the U.S. Secret Service is warning Americans that thieves are abusing the system.

One victim is Chris Torraca, who shared his experience with the Dallas Morning News and spoke with Fox 5 by phone.

"It's a violation of privacy, a violation of your property and obviously you feel violated personally," he said.

Here's how Torraca thinks it happened. He was a previous victim of identity theft and believes the scammers bought his information from the dark web. Then they used his information to create the postal account and opened credit cards. 

With Informed Delivery, the thieves knew exactly when those cards arrived at his house so they could snatch the cards from his mailbox.

"They were monitoring what day they would be received," he said.

Dave Lieber is the watchdog columnist with the Dallas Morning News and says the scam is complicated but effective. He thinks the USPS should share some blame.

"The post office rolled this out too soon. they should have added two-step cell phone verification before they rolled it out," he said. "The first year they had it there wasn't even this question verification setup where you answer questions about your personal life to prove who you are."

Torraca said he too hopes the post office improves security. In the meantime, he has added physical locks to his mailbox.

The USPS responded to our questions about all this.

"The fraud referred to is a matter of identity theft that has already been perpetuated by a criminal. Postal Service customer identities' are not compromised by using the Informed Delivery feature," USPS said in a statement. "Unfortunately, in very few cases, an individual's identity has already been compromised by a criminal who then has used it to set up an Informed Delivery account."

 Creating a fraudulent account is illegal and punishable by law.