Royal Mail’s Smart Stamp
I recently heard about Royal Mail’s Smart Stamp Service, which negates the need for physical stamps by allowing users to print their own postage paid envelopes and labels.
Subscription costs £49.99 for a year or £4.99 per month, with a 3 month free trial period currently available. Postage at standard rate is payable on top of this fee.
The service looks well suited to small to medium businesses as an alternative to franking machines, and private users who make heavy use of the postal service; regular Ebayers, for example.
As a very light user of “snail mail”, I can’t justify the cost, but nevertheless had a play with the trial version, which Royal Mail lets you have for free after registering for an account on their site and providing some demographic information. I would post a direct link, but Royal Mail use a custom download wrapper to prevent this.
System requirements are fairly modest – 200MHz CPU, 64MB RAM, 20MB HDD space, 800×600 resolution – but unfortunately Smart Stamp only supports Windows (from 98SE up to XP). It supports laser and inkjet printers of 300dpi or higher resolution (which covers pretty much all modern models) and requires IE 5.01 SP1 or later, as it’s an HTML application (urgh).
Note that while the site specifically lists Windows XP SP1 as supported, the software works fine with SP2. I’d imagine Windows Server 2003 will work too. I’ve not tried running Smart Stamp under Wine in Linux but I suspect that its IE dependencies might complicate the process.
The trial version has the same features as the full version, but partially obscures the “stamp” (a kind of barcode) with a “Specimen” box. UK and overseas postage is supported, and it is possible to customise your envelopes with a slogan or logo, several examples of which are included.
There’s also a diagnostic tool, which requires a ticket number supplied by the Smart Stamp support team (although I just made one up). It spits out a passworded ZIP file – no prizes for spotting the privacy implications!
Further digging around in the software’s installation directory uncovers all the images and HTML code used by the application, and curiously some German-language text files suggesting that Smart Stamp is based on Deutsche Post’s StampIt service.
Extra-geeky observation: I noted that Smart Stamp prints its URL – SmartStamp.co.uk – on all envelopes and labels, but the server in fact requires a leading “www”. Doh!
All in all, it’s an interesting offering, and means that we in the UK now have access to what the US has offered for a long time, with one major difference: we are being charged for the privilege, while the US has traditionally offered discounts to electronic stamp users. I hope to see Smart Stamp re-emerge as a free service once Royal Mail have recouped their costs, and maybe even pass the associated savings on to users. At that point, I suspect that I will not be alone in wanting to give it a go.
However, only time will tell whether Royal Mail have got it right. The software has some good features and looks pretty, but the way it has been implemented with its reliance on IE worries me slightly in terms of security. I fully expect hackers to have a field day with this, and would not be in the least bit surprised if someone manages the defeat the system and get free postage. Just think – spam will be the least of your worries when Smart Stamp is cracked and you have 100 ads for Viagra, penis enlargement, cheap loans and solicitations for Nigerian investments on your doorstep every day 
OK, so maybe I’m being a little paranoid, but I can see a number of potential vulnerabilities:
- Illicitly inflating a Smart Stamp account balance on Royal Mail’s servers, tricking the software into accepting a fake balance or spoofing the link between the local machine and the server to prevent an account being debited
- Using refunded, used or randomly-generated “e-stamps” in the hope that they will somehow slip through the system unnoticed (are Royal Mail actually scanning every piece of Smart Stamped mail and checking it against their database?)
- Hacking the software to prevent the trial print function from hiding the stamp, or regenerating the stamp from its human-readable code (this relies on the assumption that trial prints include valid stamps, which could indeed be true as each new document has a new code)
- Reverse-engineering the stamp generation mechanism to produce arbitrary valid stamps (if Royal Mail don’t check stamps against their records)
Royal Mail will be in trouble if they don’t have effective mechanisms for the prevention and detection of these and another attacks, and prosecuting offenders will prove difficult as the postal system is effectively anonymous.
And of course there are the traditional problems associated with e-commerce: account hijacking and credit card fraud to name but two.
Good luck, Royal Mail…
