Date: Aug 15, 2014
Report Number: IT-AR-14-008
Report Type: Audit Reports
Category: Customer Service

eCommerce Customer Registration

Background

The U.S. Postal Service’s Customer Registration application allows customers to create accounts through USPS.com to purchase products and services through over 40 eCommerce applications such as Every Door Direct Mail, Premium Forwarding Service, Click-N-Ship, and the Postal Store. Customers must provide personally identifiable information to create an account. There were over 24 million Customer Registration users as of June 2014 and revenue totaled about $1.2 billion in fiscal year (FY) 2013.

Our objective was to determine the effectiveness of controls used to safeguard the eCommerce Customer Registration process and reduce online credit card fraud.

What the OIG Found

Controls used to safeguard the eCommerce Customer Registration process and reduce online credit card fraud need improvement. Management has not established a threshold for fraud-related chargebacks (transactions rejected by credit card companies) for the four eCommerce applications in our review. As a result, management cannot objectively measure when to increase oversight and controls to reduce fraud.

Of the four applications, Click-N-Ship’s credit card fraud-related loss of $4.6 million was above the industry’s recommended threshold for acceptable levels of credit card fraud in FY 2013. In addition, management did not always ensure all credit card company chargebacks were validated.

Further, seven of the eight Customer Registration controls we tested worked as management intended. However, we identified one vulnerability that could permit a cyber criminal to impersonate a valid user and obtain postage using stolen credit card data. Finally, we did not identify any critical or high-risk vulnerabilities when conducting over 3,000 additional tests of the USPS.com login page.

What the OIG Recommended

We recommended management establish a threshold for credit card fraud and develop a policy defining chargeback roles and responsibilities. We also recommended management maintain chargeback research results from all eCommerce managers and configure eCommerce applications to prevent the noted security vulnerability.

Report Recommendations

Each recommendation is listed with its number, text, status, monetary value, initial management response, USPS proposed resolution, OIG response, and final resolution. Where the last three fields are not shown, the page gives no entry for them.

Recommendation 1 (R-1): Establish thresholds for acceptable levels of credit card fraud for their program areas to help determine when escalation of oversight and additional controls are needed.
Status: Closed
Value: $0
Initial Management Response: Disagree

Recommendation 2 (R-2): Create standard operating procedures documenting the roles and responsibilities for all program offices responsible for managing chargebacks and Eagan Accounting Service’s responsibility for monitoring and obtaining timely receipt of program managers’ chargeback research results.
Status: Closed
Value: $0
Initial Management Response: Disagree

Recommendation 3 (R-3): Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
Status: Closed
Value: $0
Initial Management Response: Disagree