HARRISBURG, Pa. (WHTM) — Pennsylvania’s new unemployment system is allowing hackers to steal claimants’ checks without a measure that a cybersecurity expert says “prevents 99.9 percent of attacks on your accounts,” according to accounts by two claimants of how their accounts were hacked.
Last week, a viewer who asked not to be identified — but provided evidence of her claims — told abc27 News someone had logged into her account and entered new direct-deposit banking information, including a new name, which wasn’t hers.
“You get nauseous,” the woman said of her reaction when she realized what had happened. “You get sick in your stomach. And you’re really scared.”
She said based on her experience, changing the banking information requires nothing more than logging into the account with a username and password.
Get daily news, weather, and breaking news alerts straight to your inbox! Sign up for the abc27 newsletters here
She said the system doesn’t require another form of authentication, such as sending a code to the claimant’s cell phone and requiring the code to be entered on the website, a process known as multi-factor authentication, or MFA.
How important is MFA?
“It prevents 99.9 percent of attacks on your accounts,” Scott Schober, a cybersecurity expert who is president and CEO of Berkeley Varitronics Systems and author of the book “Hacked Again,” said, citing a report by Microsoft. “It’s that effective over a traditional login” because physically possessing your cell phone is far more difficult for a cybercriminal than learning something you think only you know.
“Any hacker, cybercriminal, can go onto the dark web and buy a list of stolen compromised credentials,” Schober said. “Username, passwords and often security challenge questions.” (He said finding out what high school someone attended is so easy that “12345” is a more secure answer to “What high school did you attend?” than the actual name of your high school.)
All those pieces of information — no matter how many a system demands — comprise just one factor: knowledge. MFA would require a second factor. That could be something in someone’s possession, such as a cell phone or other code-generating device, or something unique to the person, such as a fingerprint or a facial or retinal scan.
Asked to confirm the account by the claimant that multi-factor authentication wouldn’t have been required for a hacker to siphon unemployment checks into a fraudulent bank account, a spokesman for the Department of Labor and Industry (L&I) replied: “Pennsylvania’s system for filing UC claims uses numerous fraud-detection measures, including virtual identity verification vendor ID.me to verify the identities of all new unemployment applicants.”
Asked whether the fraud-detection methods extend to preventing a hacker from changing the banking information of an existing account, rather than only to verifying the identity of a new claimant, the spokesman replied: “L&I is always looking for ways to improve our UC system and to protect the valuable personal information of claimants” and reminded users “to create a strong, unique password for their UC account and to protect their private information by never providing it to anyone” but didn’t note measures commonly considered MFA by cybersecurity experts.
The woman who contacted the newsroom said stories like hers have become so common that people in similar situations have created a Facebook group to advise each other — she showed abc27 the group.
After the initial story aired, a second claimant — a man who asked not to be identified — contacted abc27 News and described details similar to those recounted by the woman: money missing from his bank account, logging on and seeing someone else’s bank details, being bounced for help between representatives at L&I and the state treasury and being told by a telephone agent that the problem is common.
“Multi-factor authentication should be a minimum standard for any type of public or private online system that you have to access remotely,” Schober said.
Or put another way, if the claimant accounts prove true that re-routing unemployment checks to a new bank account doesn’t require MFA, what should Pennsylvania do?
“They have to implement multi-factor authentication, minimum, across the platform,” Schober said.
abc27 again asked the L&I spokesman to confirm the claimant accounts that the system doesn’t require MFA for changes to existing accounts, including redirecting funds; if so, whether the department considers this a systemic flaw and whether it seeks to strengthen the system; how many claimants are known to have been victims of similar hacking; how much money is known to have been re-routed to fraudulent bank accounts; and what is being done to get unemployment funds to their rightful recipients. Late Monday, the spokesman said the department was working on responses to the questions.