HARRISBURG, Pa. (WHTM) — Department of Labor & Industry leaders confirmed for the first time Thursday they’ve implemented security measures to specifically prevent the altering of direct-deposit banking information by fraudsters. And they explained for the first time why they chose last year not to implement multi-factor authentication measures that cybersecurity experts have said could have prevented much of the “bank hijacking,” as leaders have called it.
“We will not rest until we stop this in its tracks,” Secretary of Labor & Industry Jennifer Berrier testified Thursday to the Pa. House of Delegates Labor & Industry Committee.
Get daily news, weather, breaking news, and alerts straight to your inbox! Sign up for the abc27 newsletters here
Berrier said the department is working through a backlog of fraud complaints that now number 37,000, down from more than 50,000 in recent weeks. These include the “bank hijacking” — that is, diversion of unemployment checks into fraudulent bank accounts — in recent months as well as an earlier wave of fraudulent unemployment claims filed using the identities of real Pennsylvanians.
Susan Dickinson, L&I’s deputy secretary for unemployment compensation, told the committee the department has implemented “some final changes this week that seems to be working well so far,” with no new known bank hijacking cases “happening the last few days.”
Now, she explained, the system requires claimants to go through a round of identity verification when they make any number of sensitive moves, including switching the direct-deposit information for their unemployment check deposits.
That might sound straightforward. “But as we found in the system, there are multiple places where people could go to do that. So our vendor had to help us get through the system and find all the places where you could do that, which we were not aware of originally,” Dickinson said.
The commonwealth’s chief information officer, John MacMillan, confirmed for the first time the commonwealth knew its system was capable of multi-factor authentication (such as texting a code to a claimant’s cell phone and requiring the claimant to enter that code on the system website before changing banking information) and chose not to implement the measure. The reason?
“We’re trying to balance out the delivery of benefits to citizens and not make it burdensome,” MacMillan said. “It might require a claimant to have a mobile phone, and not everybody does. It might require them to have a valid email, and not everybody does.”
Berrier, the L&I secretary, said free identity protection — which L&I previously announced it would provide to unemployment compensation claimants because of the security problems — would be available within the system soon.