How $100 million in unemployment claims were paid to inmates – Krebs on Security




The U.S. Department of Labor inspector general said this week that around $100 million in fraudulent unemployment insurance claims had been paid in 2020 to felons already in jail. That’s a tiny fraction of the estimated tens of billions of dollars in unemployment benefits that states have provided to identity thieves over the past year. To help reverse this trend, many states are now turning to a little-known private company called ID.me. This article takes a look at some of what this company sees in its efforts to tackle unemployment fraud.

These prisoners tried to apply for unemployment benefits. Personal information on the inmate IDs has been redacted. Image: ID.me

A new report (PDF) from the Office of the Inspector General (OIG) of the Department of Labor found that from March to October 2020, some $3.5 billion in fraudulent unemployment benefits – nearly two-thirds of the bogus claims it examined – was paid to individuals with Social Security numbers filed in multiple states. Almost $100 million went to more than 13,000 ineligible people who are currently in prison.

The OIG recognizes that the total losses for all states will likely amount to tens of billions of dollars. Indeed, just one state – California – revealed last month that hackers, identity thieves and overseas criminal networks had stolen more than $11 billion in state unemployment benefits last year. That represents about 10% of all claims.

Bloomberg Law reports that in response to a flood of jobless claims that exploit the lack of information sharing among states, the Department of Labor has urged states to use a federally funded center designed to share applicant data and detect fraudulent claims filed in more than one state. But as the OIG report notes, participation in the hub is voluntary, and so far only 32 of the 54 labor agencies in U.S. states or territories use it.

Much of this fraud exploits weak authentication methods used by states that have long sought to verify applicants using widely available static information such as social security numbers and birthdays. Many states also did not have the ability to tell when multiple payments were going to the same bank accounts.
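
As an added illustration (not from the article, the OIG report or any state's system), the two checks described above, one Social Security number filed in more than one state and many claimants paid into one bank account, can be sketched over constructed claim records. The field names, the threshold of two claimants per account and the keyed-hash matching are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key; a real deployment would keep this in a secrets manager.
MATCH_KEY = b"constructed-demo-key"

def token(*parts: str) -> str:
    """Keyed hash of digit-normalised identifiers, so '000-00-0001' and
    '000000001' match and raw values need not be stored in the match index."""
    digits = "|".join("".join(ch for ch in p if ch.isdigit()) for p in parts)
    return hmac.new(MATCH_KEY, digits.encode(), hashlib.sha256).hexdigest()

def flag_claims(claims, max_claimants_per_account=2):
    """Return {claim_id: [reasons]} for claims that match either pattern."""
    states_by_ssn = defaultdict(set)         # SSN token -> states filed in
    claimants_by_account = defaultdict(set)  # account token -> SSN tokens paid
    keyed = []
    for c in claims:
        ssn_t = token(c["ssn"])
        acct_t = token(c["routing"], c["account"])
        states_by_ssn[ssn_t].add(c["state"])
        claimants_by_account[acct_t].add(ssn_t)
        keyed.append((c["claim_id"], ssn_t, acct_t))
    flagged = {}
    for claim_id, ssn_t, acct_t in keyed:
        reasons = []
        if len(states_by_ssn[ssn_t]) > 1:
            reasons.append("ssn_in_multiple_states")
        if len(claimants_by_account[acct_t]) > max_claimants_per_account:
            reasons.append("shared_bank_account")
        if reasons:
            flagged[claim_id] = reasons
    return flagged

# Constructed sample records (SSNs use the never-issued 000 area number).
SAMPLE = [
    {"claim_id": "C1", "state": "CA", "ssn": "000-00-0001", "routing": "000000001", "account": "111"},
    {"claim_id": "C2", "state": "TX", "ssn": "000000001", "routing": "000000001", "account": "222"},
    {"claim_id": "C3", "state": "NY", "ssn": "000-00-0002", "routing": "000000001", "account": "999"},
    {"claim_id": "C4", "state": "NY", "ssn": "000-00-0003", "routing": "000000001", "account": "999"},
    {"claim_id": "C5", "state": "NY", "ssn": "000-00-0004", "routing": "000000001", "account": "999"},
    {"claim_id": "C6", "state": "OH", "ssn": "000-00-0005", "routing": "000000001", "account": "333"},
]

if __name__ == "__main__":
    for claim_id, why in flag_claims(SAMPLE).items():
        print(claim_id, why)
```

Neither check works for a state that only sees its own filings, which is why the multi-state match depends on the shared claim data the hub is meant to provide.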

To make matters worse, as the coronavirus pandemic has set in, a number of states have dramatically reduced the amount of information needed to successfully apply for unemployment benefits.

77,000 NEW (AB)USERS EVERY DAY

In response, 15 states have now joined forces with McLean, Va.-based ID.me to bolster their authentication efforts, with six more states under contract to use the service in the coming months. It’s a small coup for a business started in 2010 with the goal of helping e-commerce sites validate the identity of customers to give discounts to veterans, teachers, students, nurses and first responders.

ID.me claims that over 36 million people have now signed up for an account, with around 77,000 new users signing up every day. Naturally, much of this growth has come from the unemployed seeking unemployment benefits.

To weed out scammers, ID.me asks applicants to provide much more information than states previously requested, such as pictures of their driver’s license or other government-issued ID, copies of utility or insurance bills and details on their mobile phone service.

When an applicant does not have one or more of the above – or if something in their application triggers potential fraud signals – ID.me may require a recorded live video chat with the person requesting benefits.

This has led to some pretty funny attempts to bypass the company’s verification processes, said ID.me founder and CEO Blake Hall. For example, it’s not uncommon for applicants appearing in the company’s video chat to wear disguises. The Halloween mask worn by the applicant pictured below is just one example.

Image: ID.me

Hall said the company’s service blocks a significant number of “first party” frauds – a person using their own identity to file in multiple states where they are not eligible – as well as “third party” fraud, where people are tricked into giving away identity data that thieves then use to claim benefits.

“There are literally all forms of attack, from nation states and organized crime to prisoners,” Hall said. “It’s like the D-Day of the fraud, it’s Omaha Beach that we’re in right now. The number of frauds we are fighting is truly astounding.”

According to ID.me, one of the main drivers of bogus unemployment claims is social engineering, where people have given away personal data in response to romance or sweepstakes scams, or after applying for what they thought was a legitimate work-from-home job.

“A lot of this is aimed at the elderly,” Hall said. “We saw [videos] of people living in nursing homes, where people off camera speak on their behalf and hold up documents.”

“We had a video where the person who applied said, ‘I’m here for the prize,’” Hall continued. “Another elderly victim started to cry when she realized she was not getting a job and was being scammed for jobs. In general, however, job scams hit young people harder, and romance and prize issues hit older people harder.”

Many more bogus claims are filed by people who have been approached by fraudsters promising them a cut of unemployment claims granted in their name.

“This person is told to just pretend they’ve had their identity stolen when and if law enforcement ever shows up,” Hall said.

UNDERGROUND REACTIONS

Scammers involved in filing unemployment benefit claims have definitely taken note of ID.me’s efforts. Shortly after the company began working with California in December 2020, ID.me was the target of a series of distributed denial-of-service (DDoS) attacks aimed at taking the service offline.

“We have blocked at least five sustained and large-scale DDoS attacks originating in Nigeria by trying to take down our service because we are blocking their fraud,” Hall said.

In May 2020, KrebsOnSecurity reviewed the posts on several Telegram chat channels dedicated to selling services that help people fraudulently claim unemployment benefits. Some of the more frequent posts on these channels these days advertise the sale of various “methods” or tips on how to bypass ID.me protections.

ID.me mentions in cybercrime forums and Telegram channels throughout 2020. Source: Flashpoint-intel.com

Asked about the effectiveness of these methods, Hall said that while his service can’t stop all bogus unemployment claims, it can guarantee that a single scammer can only file one fraudulent claim.

“I would say in this space it’s not about being perfect, it’s about being better,” he says.

That is putting it mildly, at a time when being able to limit each scammer to a single fraudulent claim can be considered progress. But Hall says one of the reasons we’re in this mess is that states have relied for too long on data brokerage firms that sell authentication services based on static data that is far too easy for scammers to steal, buy, or trick people into giving away.

“There has been a real shift in the market from data-centric identity verification to verification by something you own and something you are, like a phone, face, or ID,” he said. “And these aren’t from the incumbents, the data-centric brokers. When there have been so many data breaches that toothpaste has practically come out of the tube, you need a full orchestration platform.”

A BETTER MOUSETRAP?

Collecting and storing so much personal data about tens of millions of Americans can make a company an attractive target for hackers and identity thieves. Hall claims that ID.me is certified to comply with the NIST 800-63-3 digital identity guidelines, uses multiple layers of security, and completely separates static consumer data related to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use a very sophisticated encryption system so that, in the event of a breach, this material is protected by a firewall,” he said. “You would have to compromise the tokens at scale and not just the database. We encrypt all of this down to the file level with keys that spin and expire every 24 hours. And once we’ve verified you, we don’t need this data about you all the time.”

With such a high percentage of unemployment claims currently being filed by identity thieves, many states have implemented new fraud filters that have ended up rejecting or delaying millions of legitimate claims.

Jim Patterson, a Republican congressman from California, held a press conference in December, accusing the ID.me system of “constantly making trouble and rejecting legitimate forms of identification, forcing candidates to go through the manual verification process that takes months.”

ID.me says that around eight users will go through its automated self-service flow for each user who needs to use the video chat method to verify their identity.

“The majority of legitimate requesters go through our automated, self-service identity verification process in less than five minutes,” Hall said. “For people who fail this process, we are the only company in the United States to offer a secure identity verification method based on video chat to ensure that all users are able to prove their identity online.”

Hall says his business also exceeds industry standards for validating the identity of people with little or no credit history.

“If you just rely on the credit bureaus or the data brokers for this, that means anyone who doesn’t have a credit history isn’t going through,” he said. “And that tends to have a disproportionate effect on those who are more likely to be less wealthy, such as minority communities.”

Tags: Blake Hall, id.me, Jim Patterson, Department of Labor
