5

Lets assume you just bought something and it is getting shipped via a major package shipping agency (such as FedEx or UPS etc.). You are given a tracking number which you can use to view where the package is. Now somehow a hacker is able to obtain this number. What could possibly be compromised?

Would the hacker be able to change the package destination to themselves?

Could the hacker steal personal information from the number (assuming the did not obtain any from the original method they got the number in the first place)?

An ideal answer would include a comparison of the different package carriers and additional information that could answer future questions

Eric Johnson
  • 715
  • 1
  • 6
  • 11

6 Answers6

2

I just had my iPad shipment re-routed from FedEx to a local store where the thief signed for the package with a name almost exactly as mine. I ordered the iPad via cell phone/internet without wifi connected. I checked the routing a few times via the same cell phone...

Somehow the thief now has my iPad and FedEx says there is nothing they can do about it.

schroeder
  • 123,438
  • 55
  • 284
  • 319
buckWild
  • 21
  • 2
1

This depends on the service used to ship the goods. Certain services (e.g. GLS in Germany) will allow you to reroute the parcel to a nearby GLS-Hub after it has been sent on its way. By using social engineering and the hotlines of delivery services one might be able to divert parcels of other services too. Most delivery services will only allow you to redirect a parcel to a "safe location" this will be an office of the service provider that you will force you to prove your identity to pick it up.

Regarding personal information: DHL in Germany requires you to know the destination ZIP-Code to track a parcel in detail. Other providers might leak information through their tracking portals.

This said, the attacker will most certainly not be able to steal the parcel, but will be able to delay the shipment by certain periods.

Jonas Köritz
  • 320
  • 1
  • 10
1

I this happened to me by an Ebay scammer. UPS is very difficult to work with and it is almost impossible to speak to a person. The scammers know that you have limited ability to solve the problem because of privacy policies at the shipping companies. Since you are not the addressee, they will not give out information about the shipment. With enough persistence, I was able to speak to a customer service "manager" who broke UPS protocol and emailed me a statement saying the package was not shipped by the seller and was not addressed to me. Armed with that information, I was able to have Paypal rule in my favor and issue a refund.

The shipping companies and eBay all know about this scam but, are not doing anything to prevent it. One simple solution is for the shipping companies and ebay to communicate with each other. The scammers would lose the incentive.

geo
  • 11
  • 1
  • There is nothing for the shipping companies to "prevent". From the shipper's point of view, everything is working fine. The problem is that 3rd parties are exploiting valid shipping data. But, yes, tying shipping data to the purchase would solve this problem. – schroeder Apr 13 '21 at 16:03
0

A hacker that just has a tracking number won't be able to do very much with it on it's own. However, if a hacker can gain access to the logistics database of the shipping company's entire operation, that tracking number, if the hacker so chooses, can then change the destination address in the system as an update and pretend that you initiated that change. In this way, they could have packages dropped at random addresses where the hacker would then personally pick up the package and sign your name to complete. The shipping company will see your signature and will believe that you received your package.

However such logistics systems are usually heavily monitored and in my research on the subject, I don't find many cases of such a risky hack occurring. Though it is not implausible.

Yokai
  • 795
  • 4
  • 7
  • You say "A hacker that just has a tracking number won't be able to do very much with it on it's own." What is very much? That was more what I was trying to get to with this question. – Eric Johnson May 15 '16 at 12:50
  • 1
    Without access to the logistics database, the only thing the hacker can really do with a tracking number is watch the progress of the package. If he/she knows your name, he/she can call and act like you and possibly change the destination address by providing the tracking number. But its a long shot I would assume because I have had to change a package destination myself and I needed a good bit of information so UPS would change the address. – Yokai May 15 '16 at 13:48
  • 2
    But like I mentioned, it is indeed plausible that a skilled hacker can do more. Social engineering is an extremely valuable skill if one has the character to use persuasive thought coercion. – Yokai May 15 '16 at 13:50
  • UPS uses a software called, On-Road Integrated Optimization Navigation (ORION) which if compromised could effect a global delivery, inventory, and tracking system. It would be utter chaos for them. So really, your question is a good one that begs inquiry into the larger scope. – Yokai May 15 '16 at 13:56
  • @Yokai Unless the tracking service website has unknown security bugs. If that were the case, the delivery could be redirected, but that would be a bold move. EricJohnson I lack of information on that kind of software, so I can not elaborate an informed answer, I am jus theorizing – bradbury9 Aug 10 '20 at 06:51
  • @bradbury9 You are not wrong at all. Zero-day exploits almost certainly exist within any system a delivery service may use. As far as my knowledge goes, no system or systems, of software is completely invulnerable. With developments in machine learning, artificial intelligence, and deep learning, there is a vast host of new techniques for gathering information to use to formulate a very complex attack on vectors not commonly known or sought. – Yokai Feb 25 '21 at 10:12
0

A hacker with access to the UPS tracking database can make bogus sales online, using PayPal to take payment. They then watch the UPS system for another package matching the date and delivery area or town, copy that number and send it to Paypal for their bogus sale. The unwitting buyer watches the tracking across the country, right to their town, but the package never arrives. UPS will confirm the package was delivered, (the original, legitimate one was), but the scammed buyer has nothing. Buyer then opens a dispute claim with PayPal, who sides with seller, (because the tracking number says it was delivered), and will not refund money to buyer, or go after hacker/seller. It is ingenious, and, I'm sure, very profitable. The scammed buyer must contact UPS and try to get delivery confirmation proof that is was delivered to another address, and provide that proof to PayPal in order to try to reopen the case and get a refund.

Johnnie Schmidt
  • 1
  • 1
-1

I had this happen. UPS/PayPal is not acknowledging the issue. My credit card company has at least temporarily, reimbursed my account. I will not be using PayPal anymore until they create a more robust methodology to validate UPS tracking numbers with the intended recipients.

"A hacker with access to the UPS tracking database can make bogus sales online, using PayPal to take payment. They then watch the UPS system for another package matching the date and delivery area or town, copy that number and send it to Paypal for their bogus sale. The unwitting buyer watches the tracking across the country, right to their town, but the package never arrives. UPS will confirm the package was delivered, (the original, legitimate one was), but the scammed buyer has nothing. Buyer then opens a dispute claim with PayPal, who sides with seller, (because the tracking number says it was delivered), and will not refund money to buyer, or go after hacker/seller. It is ingenious, and, I'm sure, very profitable. The scammed buyer must contact UPS and try to get delivery confirmation proof that is was delivered to another address, and provide that proof to PayPal in order to try to reopen the case and get a refund."

par22
  • 1
  • "*The scammed buyer must contact UPS and try to get delivery confirmation proof that is was delivered to another address*" Good luck with that, that is personal information no courier service would/should disclose. – bradbury9 Aug 10 '20 at 06:45