UK flooded with forged stamps despite using barcodes — to prevent just that – Source: www.bleepingcomputer.com

Royal Mail, the British postal and courier service began switching all snail mail stamps to barcoded stamps last year.

The purpose of the barcode was to enhance security, deter stamp reuse, and possibly prevent forgeries—which it has failed to do.

Fast forward to this year, several senders were left appalled to see their mail returned and being slapped with a £5 fine for use of “counterfeit stamps,” despite the senders insisting that they had bought legitimate stamps.

China accused of flooding UK with 1 million stamps

As Royal Mail transitioned towards barcoded stamps last year, the public had until the end of July 2023 to swap out their old paper stamps with ones carrying a 2D data matrix barcode at no cost.

“The move is part of [Royal Mail’s] extensive and ongoing modernisation drive and will allow the unique barcodes to facilitate operational efficiencies, enable the introduction of added security features and pave the way for innovative services for customers,” earlier explained an FAQ on the mail provider’s website.

Ironically, “security features,” such as these unique barcodes believed to prevent stamp re-use and forgeries in the future failed at just that.

Hundreds of senders saw their mail items returned by Royal Mail last month, and each had a “£5 penalty” notice slapped on them for the use of “counterfeit stamps.”

This left senders surprised who did not understand why they were being penalized despite properly purchasing what they thought were legitimate stamps.

According to The Telegraph, the organization has been investigating to identify the “source of the problem.”

“When a customer reports to us that they bought a stamp from a retailer that is subsequently found to be counterfeit, we will always look into the circumstances of that case,” said a Royal Mail spokesperson.

“We also work closely with retailers and law enforcement agencies, and actively seek the prosecution of those who produce counterfeit stamps. We reaffirmed that policy to the minister today.”

On Wednesday, however, an investigation led by the newspaper revealed that four major Chinese suppliers were offering to print up to one million forged Royal Mail stamps every week “for as little as 4p each – and deliver them to Britain within days.”

Security experts and British MPs likened the large-scale forgeries to an “act of economic warfare” that is almost like “printing counterfeit money.”

Predictably, a diplomatic row erupted with the Chinese government dismissing these claims as “baseless.” Chinese officials suggested that Royal Mail should instead investigate its supply chains. 

The blame game begins

Royal Mail has blamed the UK Border Force for failing to stop the counterfeit product from entering the UK—which is an interesting accusation given the simplistic nature of the product. Stamps are ultimately shipped as sheets of paper, making them harder to distinguish from letters or boxes of documents via conventional screening means.

A Royal Mail executive does admit that its “overly sensitive” machines can sometimes wrongly flag genuine stamps as fake, and has human experts thoroughly inspecting flagged mail items.

Even more interestingly, the penalized customers state that these stamps were purchased at Post Office branches and not Royal Mail.

Post Office often partners with Royal Mail to provide a variety of mail and collection services but remains a separate commercial entity.

The Post Office further claims that it receives these stamps directly from Royal Mail’s secure printers.

“The implication of such an allegation is that one of our postmasters, or a member of their staff, has obtained fake stamps and has chosen to sell them to customers rather than selling legitimate stamps that have come from Royal Mail’s secure printers. This is why we insist that any customer who thinks they may have purchased a fake stamp from a Post Office must produce an itemised receipt so that this can be looked into further.”

It’s been a tough year for Post Office as is with the company embroiled in the notorious Horizon IT scandal that involved hundreds of postmasters being wrongfully convicted and sentenced—all because of accounting flaws in Horizon, an IT system designed by Japanese company Fujitsu and used at Post Office branches.

Now, claims of counterfeit stamps circulating in the UK could risk relentlessly putting the spotlight on postal staff members and retailers once again.

Privacy groups remained silent on stamp roll out

Surprisingly, the rapid transition to barcoded stamps escaped the scrutiny of just about everyone—including leading privacy groups.

Along with tightened “security,” these digitalised stamps arrived with a ‘feature’ for senders to attach videos using their smartphone that a recipient could then watch by scanning the stamp with their smartphone.

No one questioned whether this could be invasive for privacy reasons and be the death of anonymous mail.

BleepingComputer understands there are several scenarios in which every barcoded stamp could, in theory at least, be associated with its purchaser (the sender) and make anonymous snail mail a thing of the past.

At the time of the rollout, we tested several such new stamps. We noticed each such stamp had a unique string identifier stored in the data matrix barcode which looks like this:

JGB S1115XXXXXXXXXXXXXXXXXXXX2503


XXXX F0XXXXXXXXXXXXXX01

(That’s three sets of text strings separated by spaces—56 characters in total. The ‘X’ represents different digits)

Last year, BleepingComputer also contacted leading UK and international privacy groups to get their understanding on the matter—none responded.

Royal Mail told us at the time that barcoded stamps do not provide end-to-end public facing tracking, such as via the website, but did not rule out these being internally traceable, e.g. for law enforcement purposes.

“The barcodes will not provide end-to-end public facing tracking. It is not possible to track items using these stamps as current regulation does not permit this on services offered under the Universal Service Obligation (USO),” a Royal Mail spokesperson had earlier told BleepingComputer in an email interview.

“Tracked services are already available, details of which are on our website.”

The Royal Mail spokesperson further explained that although the barcode made each stamp unique, “no personal data is held on the stamp,” which was also obvious in our tests.

That still does not imply whether the unique identifier contained in these barcodes could not be associated with a sender’s identity in other ways, such as when they purchase these using digital payment methods or use their smartphones to “attach” videos to them.

With the forged stamps now infiltrating the country, the benefits these new stamps were designed to provide have largely been rendered void.