Late last week, LiteBlue had some issues and Direct Deposit/Net to Bank functionality had been deactivated again. It was reactivated Monday and is up and running again. I will not go into the long details of why it was deactivated, but the short answer is the Postal Service identified patterns where certain applications were logging in through anonymous VPN connections and making changes to direct deposit and net to bank. After investigation, the Postal Service found that the employees who were affected by this had voluntarily granted these apps access to make these changes by giving them their EINs, passwords, MFA information, etc. It should be common sense, but it is imperative no one give out this information or it can compromise the system. The apps that were identified as the apps making these changes were “CashApp” and “Albert”.
The Postal Service is now blocking all connections that use an anonymous VPN connection. If you are using an anonymous VPN you will not be able to log in to LiteBlue. You will need to turn the anonymous VPN off in order to log in.
Here is some additional messaging from the Postal Service on connecting to LiteBlue:
- Due to elevated security threats, we implemented additional device and location security policies in LiteBlue in March 2023.
- These policies monitor user login activity to detect anomalies associated with known security threats, such as phishing, account takeover, etc.
- Specifically, the additional security policies monitor IP addresses, locations, devices, and time between attempted logins.
- Ultimately, these policies are designed to safeguard employee account information by blocking attempted logins from unrecognized devices or locations.
We are working with the helpdesks to improve the process when reporting issues.
If you do get your account reset you should set up MFA from your personal device to avoid potential issues with device / location security policies. We are updating the user guides and FAQs.
To address the last item that isn’t very clear —
When an employee has their account locked/blocked they need to get it reset. It may require a temporary password be mailed to the employee. The employee will need to call HRSSC to get that temporary password sent out (this process has been verified). Second, HRSSC will get them in contact/transfer them/have them call the IT helpdesk to get their account unlocked.
This is the important part: when the employee tries to log back in for the first time after an unlock/MFA reset they will need to make sure they do so from outside the Postal Service on their personal device (a laptop or desktop; not your phone) that is not on the Blue network (a postal work computer). If they do log on from inside the “Blue” network and then log in from a personal device, they will be locked out again.
The Postal Service is working to improve the login process all the time. As I get updates I will let you know.