How $100M in Jobless Claims Went to Inmates — Krebs on Security – About Your Online Magazine


The U.S. Department of Labor inspector general said this week that about $ 100 million in fraudulent unemployment insurance claims were paid in 2020 to criminals already in prison. That is a small portion of the estimated tens of billions of dollars in unemployment benefits that states gave identity thieves last year. To help reverse this trend, many states are now turning to a little-known private company called ID.me. This post examines a little of what this company is seeing in its efforts to prevent unemployment fraud.

These prisoners tried to apply for unemployment benefits. Personal information from prisoner IDs has been deleted. Image: ID.me

One new report (PDF) from the Department of Labor’s Office of the Inspector General (OIG) found that, from March to October 2020, about $ 3.5 billion in fraudulent unemployment benefits – nearly two-thirds of the analyzed false claims – figures filed in various states were paid to individuals with Social Security. Almost $ 100 million went to more than 13,000 ineligible people who are currently in prison.

OIG recognizes that total losses for all states are likely to be tens of billions of dollars. In fact, only one state – California – reported last month that hackers, identity thieves and foreign criminal groups stole more than $ 11 billion in state unemployment benefits last year. That is about 10 percent of all claims.

Bloomberg Act reports that in response to a flood of unemployment insurance claims that exploit the lack of information sharing between states, the Department of Labor urged states to use a federally funded center designed to share candidate data and detect claims registered in more than one state. But, as the OIG report notes, participation in the hub is voluntary and, so far, only 32 of the 54 state or territorial workforce agencies in the U.S. are using it.

Many of these scams exploit the weak authentication methods used by states that have long sought to verify candidates using static and widely available information, such as social security numbers and birthdays. Many states also did not know when multiple payments were going to the same bank accounts.

To make matters worse, as the Coronavirus pandemic spread, several states have drastically reduced the amount of information needed to successfully apply for unemployment benefits.

77,000 NEW (AB) USERS EVERY DAY

In response, 15 states have now joined the McLean-based ID.me, Va. To reinforce their authentication efforts, with six more states under contract to use the service in the coming months. This is a minor blow to a company launched in 2010 with the aim of helping e-commerce sites to validate customers’ identities for marketing purposes. granting discounts for veterans, teachers, students, nurses and first responders.

ID.me says it now has more than 36 million people registered for accounts, with about 77,000 new users registering each day. Naturally, a large part of this growth came from unemployed people looking for benefits without a job.

To filter fraudsters, ID.me requires candidates to provide much more information than previously requested by states, such as driver’s license images or other government-issued ID, copies of utility or insurance bills and details about their cell phone service.

When a candidate does not have one or more of the above – or if something in their app triggers possible fraud flags – ID.me may require a live video chat with the person applying for benefits.

This has led to some pretty fun attempts to bypass their verification processes, said ID.me founder and CEO Blake Hall. For example, it is not uncommon for candidates to appear on the company’s video chat to wear disguises. The Halloween mask worn by the candidate in the photo below is just one example.

Image: ID.me

Hall said the company’s service is blocking a significant amount of “primary” fraud – someone using their own identity to register in various states where they are not eligible – as well as “third party” fraud, where people are tricked into giving out data. identity that thieves use to claim benefits.

“There are literally all forms of attack, from nation states and organized crime to prisoners,” said Hall. “It’s like D-Day of fraud, we’re in Omaha Beach now. The amount of fraud we are fighting is truly impressive. “

According to ID.me, one of the main drivers of false claims for unemployment insurance comes from social engineering, where people gave up personal data in response to romance or sweepstakes, or after applying for what they thought was a legitimate work from home work.

“A lot of that targets the elderly,” said Hall. “We saw [videos] of people in nursing homes, where people off camera are speaking for them and holding documents ”.

“We had a video in which the person who signed up said, ‘I’m here for the cash prize,’” continued Hall. “Another elderly victim started crying when he realized he was not getting a job and was the victim of a job scam. In general, however, the scamming business affects young people more, and romance and the cash prize affect older people more. “

Many other false claims are made by people who have been approached by fraudsters, promising them a share of all unemployment claims granted in their names.

“This person is informed only to claim that his identity was stolen when and if the police show up,” said Hall.

SUBSOIL REACTIONS

Fraudsters involved in unemployment benefit claims have definitely noticed ID.me’s efforts. Shortly after the company started working with California in December 2020, ID.me was the victim of a series of denial of service (DDoS) attacks aimed at bringing down the service offline.

“We have blocked at least five large-scale sustained DDoS attacks originating in Nigeria, trying to bring down our service because we are blocking their fraud,” said Hall.

In May 2020, KrebsOnSecurity examined posts for various Telegram chat channels dedicated to selling services that help people fraudulently enroll for unemployment benefits. Nowadays, some of the most frequent posts on these channels announce the sale of several “methods” or tips on how to get around ID.me’s protections.

Id.me mentions in cyber crime forums, Telegram channels in 2020. Source: Flashpoint-intel.com

Asked about the effectiveness of these methods, Hall said that while his service fails to prevent all false claims of unemployment benefits, he can ensure that a single scammer can only file a fraudulent claim.

“I would say that this space is not about being perfect, but about being better,” he said.

This is an understatement in an era when being able to limit each scammer to a single fraudulent claim can be considered progress. But Hall says one of the reasons we are in this mess is that states have long relied on data brokers that sell authentication services based on static data that are very easy for fraudsters to steal, buy or trick people into donating. a way.

“There has been a real shift in the market from data-centric identity verification to verification through something you have and something you are, like a phone, face or identity,” he said. “And these are not from the holders, the data-centric brokers. When there have been so many data breaches that the toothpaste is basically out of the tube, you need a complete orchestration platform. “

A BETTER MOUSETRAP?

Collecting and storing so much personal data from tens of millions of Americans can make one an attractive target for hackers and identity thieves. Hall says that ID.me is certified against NIST 800-63-3 digital identity guidelines, employs multiple layers of security and completely separates static consumer data linked to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach with partitioned networks, and we use a very sophisticated encryption scheme so that when and if there is a breach, this material is protected by a firewall,” he said. “You would have to compromise tokens at scale and not just the database. We encrypt it all down to the file level with keys that rotate and expire every 24 hours. And after we verify you, we don’t need this data about you continuously. “

With such a high percentage of unemployment insurance claims now being made by identity thieves, many states have instituted new fraud filters that have ended up rejecting or delaying millions of legitimate claims.

Jim Patterson, a Republican deputy from California, gave a news conference in December accusing the ID.me system “continually of failures and rejections of legitimate forms of identification, forcing candidates to go through the manual verification process that takes months”.

ID.me says that about eight users will go through its automated self-service flow for each user who needs to use the video chat method to verify their identity.

“Most legitimate applicants pass our automated self-service identity verification process in less than five minutes,” said Hall. “For individuals who fail in this process, we are the only company in the United States that offers an identity verification method based on secure video chat to ensure that all users can prove their identity online.”

Hall says his company also exceeds the industry standard in terms of validating the identity of people with little or no credit history.

“If you only depend on credit bureaus or data brokers for this, it means that anyone who does not have a credit history cannot access it,” he said. “And it tends to have a disproportionate effect on those most likely to be less wealthy, like minority communities.”



Tag: , , ,

This entry was posted on Thursday, February 25th, 2021 at 17:26 and is filed at A little sun, News of malaise, Web 2.0 fraud.
You can follow any comments on this entry through the RSS 2.0 food.

You can skip to the end and leave a comment. Pinging is currently not allowed.

Paula Fonseca