HARRISBURG, Pa. (WHTM) – Pennsylvania’s new unemployment system lacks a safeguard that a cybersecurity expert says “prevents 99.9% of attacks on your accounts,” allowing hackers to steal claimants’ checks, according to the accounts of two claimants describing how their accounts were hacked.
Last week, a viewer who asked not to be identified – but provided evidence for her claims – told abc27 News that someone had logged into her account and entered new direct deposit banking information, including a new name, which was not hers.
“You are nauseous,” the woman said of her reaction when she realized what had happened. “You have a stomach ache. And you are really scared.”
She said that, based on her experience, changing bank information requires nothing more than logging into the account with a username and password.
She said the system does not require any other form of authentication, such as sending a code to the requester’s cell phone and having the requester enter that code into the website, a process known as multifactor authentication, or MFA.
How important is MFA?
“It prevents 99.9% of attacks on your accounts,” said Scott Schober, a cybersecurity expert, president and CEO of Berkeley Varitronics Systems and author of the book “Hacked Again.” “It’s as good as a traditional login” because physically possessing a cell phone is much more difficult for a cybercriminal than learning something that only you think you know.
“Any hacker, cybercriminal, can access the dark web and purchase a list of stolen compromised credentials,” said Schober. “Username, passwords and often security questions.” (He said it’s so easy to find out which high school someone attended that “12345” is a safer answer to “Which high school did you attend?” than the actual name of your high school.)
All of this information, no matter how many requirements a system has, covers only one factor: knowledge. MFA would require a second factor. It could be something in someone’s possession, such as a cell phone or another code-generating device, or something unique to the person, such as a fingerprint or a facial or retinal scan.
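As an added illustration of the step-up check the article is describing (this is not code from abc27, L&I or the state’s claims system; the account, password, salt and bank fields are constructed for the example), the following Python shows a password-only direct deposit change beside one that also demands a possession factor, a time-based one-time code of the kind generated on or delivered to the claimant’s phone, before new bank details are accepted:

```python
import hashlib
import hmac
import struct
STEP = 30  # TOTP time-step in seconds (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the current 30-second time-step as the counter."""
    return hotp(secret, now // STEP)

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current step and one neighbour either side (clock drift), in constant time."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code) for d in (-1, 0, 1))

def check_password(account: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    return hmac.compare_digest(digest, account["password_hash"])

def make_account() -> dict:
    """Constructed sample claimant account; the TOTP secret is the RFC 6238 test key."""
    salt = b"constructed-salt"
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000),
        "totp_secret": b"12345678901234567890",
        "bank": {"name": "Claimant", "routing": "000000000", "account": "111111"},
    }

def change_direct_deposit_weak(account: dict, password: str, new_bank: dict) -> bool:
    """Knowledge factor only: a password bought on the dark web is enough to redirect payments."""
    if not check_password(account, password):
        return False
    account["bank"] = new_bank
    return True

def change_direct_deposit_mfa(account: dict, password: str, code: str, new_bank: dict, now: int) -> bool:
    """Step-up check: the password proves knowledge, the TOTP code proves possession of the phone."""
    if not check_password(account, password):
        return False
    if not verify_totp(account["totp_secret"], code, now):
        return False  # a real system would also log the failure and notify the claimant
    account["bank"] = new_bank
    return True
```

A production deployment would additionally record the last accepted time-step per account so a code cannot be replayed inside the drift window.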
When asked to confirm the claimant’s account that multi-factor authentication was not required for a hacker to siphon unemployment checks into a fraudulent bank account, a spokesperson for the Department of Labor and Industry (L&I) responded, “Pennsylvania’s UC claims filing system uses numerous fraud detection measures, including virtual identity verification provider ID.me to verify the identity of all new applicants.”
When asked whether those fraud detection methods extend to preventing a hacker from altering the banking information of an existing account, rather than verifying only the identity of a new applicant, the spokesperson replied, “L&I is always looking for ways to improve our UC system and to protect applicants’ valuable personal information,” and reminded users “to create a strong and unique password for their UC account and protect their private information by not providing it to anyone,” but did not mention the measures commonly considered MFA by cybersecurity experts.
The woman who contacted the newsroom said stories like hers have become so common that people in similar situations have created a Facebook group to advise each other – she showed abc27 the group.
After the initial story aired, a second claimant – a man who asked not to be identified – contacted abc27 News and described details similar to those told by the woman: money missing from his bank account, logging in and seeing someone else’s bank details, being bounced around for help between L&I and Treasury officials, and being told by a phone agent that the problem is common.
“Multi-factor authentication should be a minimum standard for any kind of public or private online system that you need to access remotely,” said Schober.
Or, in other words, if the claimants’ accounts prove that redirecting unemployment checks to a new bank account does not require MFA, what should Pennsylvania do?
“They need to implement multi-factor authentication, at a minimum, across the platform,” said Schober.
abc27 again asked the spokesperson for L&I to confirm the claimants’ accounts that the system does not require MFA for changes to existing accounts, including redirection of funds; if so, whether the department considers this a systemic flaw and is seeking to strengthen the system; how many claimants are known to have been victims of a similar hack; how much money is known to have been redirected to fraudulent bank accounts; and what is being done to ensure that unemployment benefits are paid to their legitimate recipients. On Monday evening, the spokesperson said the department was working on answers to the questions.