The U.S. Labor Department’s inspector general said this week that roughly $100 million in fraudulent unemployment insurance claims were paid in 2020 to criminals who are already in jail. That’s a tiny share of the estimated tens of billions of dollars in jobless benefits states have given to identity thieves in the past year. To help reverse that trend, many states are now turning to a little-known private company called ID.me. This post examines some of what that company is seeing in its efforts to stymie unemployment fraud.
A new report (PDF) from the Labor Department’s Office of Inspector General (OIG) found that from March through October of 2020, some $3.5 billion in fraudulent jobless benefits — nearly two-thirds of the phony claims it reviewed — was paid out to individuals with Social Security numbers filed in multiple states. Almost $100 million went to more than 13,000 ineligible people who are currently in prison.
The OIG acknowledges that the total losses from all states are likely to be tens of billions of dollars. Indeed, just one state — California — disclosed last month that hackers, identity thieves and overseas criminal rings stole more than $11 billion in jobless benefits from the state last year. That’s roughly 10 percent of all claims.
Bloomberg Law reports that in response to a flood of jobless claims that exploit the lack of information sharing among states, the Labor Dept. urged the states to use a federally funded hub designed to share applicant data and detect fraudulent claims filed in more than one state. But as the OIG report notes, participation in the hub is voluntary, and so far only 32 of 54 state or territory workforce agencies in the U.S. are using it.
Much of this fraud exploits weak authentication methods used by states that have long sought to verify applicants using static, widely available information such as Social Security numbers and birthdays. Many states also lacked the ability to tell when multiple payments were going to the same bank accounts.
To make matters worse, as the coronavirus pandemic took hold, a number of states dramatically pared back the amount of information required to successfully request a jobless benefits claim.
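The two gaps named above (the same Social Security number filed in more than one state, and several identities paid into one bank account) can be checked by grouping claim records. The following is an added example, not code from the OIG report, the federal hub or ID.me; the record fields, the keyed hashing used so that raw numbers need not be exchanged, and the sample claims are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Hypothetical shared key (assumption of this example): agencies compare keyed
# hashes so they never have to exchange raw SSNs or account numbers.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample claims. The SSNs use area number 000, which is never
# issued; routing and account numbers are made up.
CLAIMS = [
    {"claim_id": "CA-1001", "state": "CA", "ssn": "000-12-3456",
     "routing": "000000001", "account": "1111"},
    {"claim_id": "NV-2001", "state": "NV", "ssn": "000123456",
     "routing": "000000002", "account": "2222"},
    {"claim_id": "AZ-3001", "state": "AZ", "ssn": "000 12 3456",
     "routing": "000000002", "account": "2222"},
    {"claim_id": "CA-1002", "state": "CA", "ssn": "000-22-0001",
     "routing": "000000002", "account": "2222"},
    # Same person filing twice in one state: neither check below flags this.
    {"claim_id": "TX-4001", "state": "TX", "ssn": "000-33-0002",
     "routing": "000000003", "account": "3333"},
    {"claim_id": "TX-4002", "state": "TX", "ssn": "000-33-0002",
     "routing": "000000003", "account": "3333"},
]


def token(*parts):
    """Normalize each part to digits only, then return a keyed hash.

    Normalizing first means '000-12-3456' and '000 12 3456' produce the
    same token, so formatting differences cannot hide a duplicate.
    """
    normalized = "|".join(re.sub(r"\D", "", p) for p in parts)
    return hmac.new(SHARED_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def ssns_filed_in_multiple_states(claims):
    """Return one finding per SSN that appears in claims from 2+ states."""
    by_ssn = defaultdict(list)
    for claim in claims:
        by_ssn[token(claim["ssn"])].append(claim)

    findings = []
    for group in by_ssn.values():
        states = sorted({c["state"] for c in group})
        if len(states) > 1:
            findings.append({
                "states": states,
                "claims": sorted(c["claim_id"] for c in group),
            })
    return findings


def accounts_paid_for_multiple_identities(claims, max_identities=1):
    """Return one finding per bank account receiving payments for more
    distinct SSNs than max_identities allows."""
    by_account = defaultdict(list)
    for claim in claims:
        by_account[token(claim["routing"], claim["account"])].append(claim)

    findings = []
    for group in by_account.values():
        identities = {token(c["ssn"]) for c in group}
        if len(identities) > max_identities:
            findings.append({
                "identities": len(identities),
                "claims": sorted(c["claim_id"] for c in group),
            })
    return findings


if __name__ == "__main__":
    for finding in ssns_filed_in_multiple_states(CLAIMS):
        print("SSN filed in multiple states:", finding)
    for finding in accounts_paid_for_multiple_identities(CLAIMS):
        print("Account shared by multiple identities:", finding)
```

Raising `max_identities` is the knob for legitimate shared accounts, such as spouses paid into a joint account.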
77,000 NEW (AB)USERS EACH DAY
In response, 15 states have now allied with McLean, Va.-based ID.me to shore up their authentication efforts, with six more states under contract to use the service in the coming months. That’s a minor coup for a company launched in 2010 with the goal of helping e-commerce sites validate the identities of customers for the purposes of granting discounts for veterans, teachers, students, nurses and first responders.
ID.me says it now has more than 36 million people signed up for accounts, with roughly 77,000 new users signing up each day. Naturally, a big part of that growth has come from unemployed people seeking jobless benefits.
To screen out fraudsters, ID.me requires applicants to supply a great deal more information than previously requested by the states, such as images of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.
This has led to some fairly amusing attempts to circumvent their verification processes, said ID.me founder and CEO Blake Hall. For example, it’s not uncommon for applicants appearing in the company’s video chat to don disguises. The Halloween mask worn by the applicant pictured below is just one example.
Hall said the company’s service is blocking a significant amount of “first party” fraud — someone using their own identity to file in multiple states where they aren’t eligible — as well as “third-party” fraud, where people are tricked into giving away identity data that thieves then use to apply for benefits.
“There’s literally every form of attack, from nation states and organized crime to prisoners,” Hall said. “It’s like the D-Day of fraud, this is Omaha Beach we’re on right now. The amount of fraud we are fighting is truly staggering.”
According to ID.me, a major driver of phony jobless claims comes from social engineering, where people have given away personal data in response to romance or sweepstakes scams, or after applying for what they thought was a legitimate work-from-home job.
“A lot of this is targeting the elderly,” Hall said. “We’ve seen [videos] of people in nursing homes, where folks off camera are speaking for them and holding up documents.”
“We had one video where the person applying said, ‘I’m here for the prize money,'” Hall continued. “Another elderly victim started weeping when they realized they weren’t getting a job and were the victim of a job scam. In general though, the job scam stuff hits younger people harder and the romance and prize money stuff hits elderly people harder.”
Many other phony claims are filed by people who’ve been approached by fraudsters promising them a cut of any unemployment claims granted in their names.
“That person is told to just claim that they had their identity stolen when and if law enforcement ever shows up,” Hall said.
REACTIONS FROM THE UNDERGROUND
Fraudsters involved in filing jobless benefit claims have definitely taken notice of ID.me’s efforts. Shortly after the company began working with California in December 2020, ID.me came under a series of distributed denial-of-service (DDoS) attacks aimed at knocking the service offline.
“We have blocked at least five sustained, large-scale DDoS attacks originating from Nigeria trying to take our service down because we are blocking their fraud,” Hall said.
In May 2020, KrebsOnSecurity examined postings to several Telegram chat channels dedicated to selling services that help people fraudulently apply for jobless benefits. These days, some of the most frequent posts on those channels advertise the sale of various “methods” or tips about how to bypass ID.me protections.
Asked about the efficacy of those methods, Hall said while his service can’t stop all phony jobless claims, it can ensure that a single scammer can only file one fraudulent application.
“I’d say in this space it’s not about being perfect, but about being better,” he said.
That’s something of an understatement in an era when being able to limit each scammer to a single fraudulent claim can be considered progress. But Hall says one of the reasons we’re in this mess is that the states have for too long relied on data broker firms that sell authentication services based on static data that is far too easy for fraudsters to steal, buy or trick people into giving away.
“There’s been a real shift in the market from data-centric identity verification to verifying through something you have and something you are, like a phone or face or ID,” he said. “And those aren’t in the provenance of the incumbents, the data-centric brokers. When there have been so many data breaches that the toothpaste is basically out of the tube, you need a full orchestration platform.”
A BETTER MOUSETRAP?
Collecting and storing so much personal data on tens of millions of Americans can make one an attractive target for hackers and ID thieves. Hall says ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
“We take a defense-in-depth approach, with partitioned networks, and use a very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” he said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”
With such a high percentage of jobless claims now being filed by identity thieves, many states have instituted new fraud filters that ended up rejecting or delaying millions of legitimate claims.
Jim Patterson, a Republican assemblyman from California, held a news conference in December charging that ID.me’s system “continually glitches and rejects legitimate forms of identification, forcing applicants to go through the manual verification process which takes months.”
ID.me says roughly eight users will pass through its automated self-serve flow for every one user who needs to use the video chat method to verify their identity.
“The majority of legitimate claimants pass our automated, self-serve identity verification process in less than five minutes,” Hall said. “For individuals who fail this process, we are the only company in the United States that offers a secure, video chat based method of identity verification to ensure that all users are able to prove their identity online.”
Hall says his company also exceeds the industry standard in terms of validating the identities of people with little or no credit history.
“If you just rely on credit bureaus or data brokers for this, it means anyone who doesn’t have a credit history doesn’t get through,” he said. “And that tends to have a disproportionate effect on those more likely to be less affluent, such as minority communities.”
Static, old, perma-stolen data relied upon indefinitely. #credentials
Simswap + deepfake?
Next up: Bad guys hire professional makeup artists for the chat.
“Sir, pull on your nose to show you’re not latex.”
I have not met a single person who had not heard about someone in their circle who got their identity used for fraudulent unemployment claims. Hard to believe that so many states did not check stuff.
You are right! I work at a bank in fraud — we get reports every day of people’s identities being used to get unemployment benefits. I spoke to someone recently who WORKS in the IT department of Arizona’s Unemployment office — she said that she has found massive evidence of no one checking these unemployment claims to see if the person truly lives in Arizona or to prove they are legitimate. It’s crazy. FIRE THEM ALL!
People are getting RICH all over the place!
And the states/US gov. only have themselves to blame!
Uncle Sam has been having itself a big party for a long time, case in point, SolarWinds hack. Everybody was caught with their pants down!
PLAYTIME IS OVER!! Time to get your sh*t together!
If USA wants to be #1 leading superpower in the world they better START FK!N ACTING like it!
Back in the old days a person had to report to the Unemployment Office in person with documentation from their employer. Maybe it’s time to return to in person filing.
Time to go back to in-person application and redemption of benefits only. If you make it too easy, it will be easier than getting a job.
Have you heard about this thing from 2019? It’s called a pandemic. And the reason it’s a pandemic is because it’s at least airborne.
There’s been a drastic reduction in the availability of jobs for the people on the low end of the scale.
Asking people to go into a closed building to beg for money so they don’t die and risk infecting the person/people hearing their pleas and the people who come in after them is just plain stupid.
Yes, there’s fraud against unemployment benefits.
No, it’s nothing near as bad as the amount of money the wealthiest 100 people in the US have gotten that they didn’t need.
Yes, there should be controls against fraud. But, the in person model is not the right approach at this time. And really, if one wants to do in person verification, it should be done by the US Postal Service. Along with postal banking. They already have a mandate to service the entire country, let them check in on people’s health. If someone doesn’t have a job, let them get to know their customers and arrange benefits.
then you have ones like me who was verified last year in july of 2020 with the video verification who had to resubmit docs for pua with the new system put in and then get my payments out on hold because idme system says that my identity is being used in more than one state which is total bs because i know i only filed in one state i dont click on emails from sources i dont know and they said my account with idme was used in filing for more than one state how did the fraudsters get into my idme account to file in another state is what i want to know and 3 days in im still getting the our agents are still looking into it
Sentences are your friend. Or should be.
Probably used the same pathetic password that you use on all of your accounts like a dumb*ss
But why do these things happen?
…boy are we in the wrong business…
Tens of billions of dollars is a lot of taxpayer money that we will never see again!
Sure you will. Isn’t the US all about trickle-down economy? Once the scammers get rich enough, the rest of you will enjoy it. Right?
Part of the problem is that both the US federal and state governments, as well as the Canadian federal and provincial equivalents, have been delinquent in providing properly defined digital identities, contrary to what is happening in Europe.
There they have been using well-validated identities for the use of government services for a long time now, which were later expanded for use by the private sector.
In the last few years this work has been expanded to make these national Digital IDs work across Europe.
It doesn’t mean there is no fraud, but it is a lot less. For the losses incurred here in 2020 they could have built a pretty decent system.
Several years ago I warned a friend about the dangers of identity theft. He’s an excellent professional musician but has a very low income. He said his identity had already been stolen but “They can have it! Good luck with that!” His credit was so bad back then that no thief would’ve been able to get a loan or any other credit-based service in his name, let alone hijack his bank account with $47 in it.
Sadly, with government programs like these, just because one’s credit isn’t worth anything doesn’t mean their identity isn’t worth anything.
I do sympathize with his general outlook.
The fact that individuals have to proactively file credit freezes against 4+ entities just to prevent fraudsters from actively messing with others isn’t really fair to individuals whose expertise doesn’t include dealing w/ bureaucracies (i.e. the vast majority of people).
It’s best in my opinion to assume every website has been/will be hacked. Look at the many big security companies like SolarWinds and black/gray-hat groups like the Hacking Team that have been hacked.
Any company can brag on paper about its so-called great security based on buzzwords, rubberized double-layered tokens and triple AAA horn-to-horn rhino encryption. Remember Zoom’s early pandemic lies about its security? Granted, Zoom scrambled after the humiliation and greatly improved its security.
And don’t forget LifeLock, that infamous braggart that was supposed to guard your identity after you gave it mountains of personal data to protect for a fee of hundreds of US dollars per year: its security was so bad the US’s FTC (federal trade commission) fined them $100 million for brazen pathetic security.
Only believe independent reports by 3rd-parties about companies’ security (remember Zoom was busted by sharp outside security testers; and, of course, Krebs discovered numerous breaches).
I’m confident that many companies don’t admit they’ve been hacked publicly even if the law demands it.
Companies like Target and Home Depot aren’t in the business of identity or financial management. After breaches, they don’t really lose business by people walking into their stores and buying a hammer or soap.
But companies like id.me and Intuit/Mint would likely teeter on collapse after a breach because protecting user data IS their business.
Though I have no evidence, I can’t imagine Intuit/Mint hasn’t been hacked. I doubt they’d admit it voluntarily and they’d probably prefer risking criminal charges for covering up a breach.
When a site’s PR person starts bragging about its security, just remember the numerous big name cyber Security companies that have been hacked then try to imagine that bragging site’s IT security team has more skill than those victims. I can’t.
If you’re desperate and have no choice and id.me is the only way to get what you need, I guess you have to go with it.
But for heaven’s sake, follow Krebs’s longstanding advice of getting credit freezes everywhere possible.
>Though I have no evidence, I can’t imagine Intuit/Mint hasn’t been hacked. I doubt they’d admit it voluntarily and they’d probably prefer risking criminal charges for covering up a breach.
Of course they would risk it. The [unfortunately] most likely scenario if caught is they’ll pay a token fine with the shareholders’ money and admit no wrongdoing.
“But companies like id.me and Intuit/Mint would likely teeter on collapse after a breach because protecting user data IS their business.”
Just like Experian collapsed after they failed to protect millions of people’s data?
Funny you should mention Mint [1]. Not even two years ago. Not precisely the same level of hacking as others, but still.
[1] https://krebsonsecurity.com/2019/11/ncr-barred-mint-quickbooks-from-banking-platform-during-account-takeover-storm/
I was wondering why a Republican official would snipe against the service.
Turns out the answer was right there:
““If you just rely on credit bureaus or data brokers for this, it means anyone who doesn’t have a credit history doesn’t get through,” he said. “And that tends to have a disproportionate effect on those more likely to be less affluent, such as minority communities.””
He was “sniping” because the CA Employment Development Department (EDD) was warned about the potential fraud by the Feds and didn’t do anything to prevent it. In fact the governor directed the EDD not to compare unemployment requests with jail records because of “privacy,” never mind that inmates have little or no privacy. And when a number of DAs, who had learned of fraudulent claims, warned that many were from inmates, the EDD froze all requests and debit cards issued, hurting those most in need. According to some estimates the fraud in CA is upwards of $20B and could reach $30B. In the end the Rep’s constituents will end up footing the bill for the EDD’s incompetency.
Your reply in no way addresses the relevant section of the article:
“Jim Patterson, a Republican assemblyman from California, held a news conference in December charging that ID.me’s system “continually glitches and rejects legitimate forms of identification, forcing applicants to go through the manual verification process which takes months.””
If it was known that fraud was so prevalent, why was he specifically arguing against a solution?
This is representative democracy at work.
If his constituents suffer more directly from the change than the theoretical future loss, then it’s in his best interest “now” to be responsive to their concerns.
Republicans in California generally represent rural areas. In this case, he represents parts of Fresno/part of the Central Valley (and some National Parks…). On average, it is not wealthier than the rest of California [2].
[1] https://en.wikipedia.org/wiki/California%27s_23rd_State_Assembly_district
[2] http://www.edhovee.com/edhblog/2018/7/25/californias-central-valley-guideposts-to-success
Attacking fraud is a good thing. Using social security numbers for unemployment security is not recommended by NIST 800-63 and is used by id.me to pull credit report information.
From the CEO of ID.me, a little surprised you left this out of the article Krebs… they can’t keep up with the load and fraud is still occurring in the states they are protecting. See FL & CA and examples who have been using it and still losing millions.
“ID.me is experiencing a high volume of identity verification requests in relation to unemployment benefits claims across multiple states. We sincerely apologize for any inconvenience, additional wait times, or difficulties you may be experiencing. We are working 24/7 with our customer support teams and our state workforce agency partners to ensure any issues are resolved as quickly as possible.
Simultaneously, our security teams are working aggressively to defend against cyber attacks from bad actors across the globe who are seeking to defraud both individuals and states. We have blocked five major attacks to take down our service and stopped more than 2.3 billion malicious events targeting our service in December alone. We apologize that legitimate claimants using our system are having longer than normal wait times due to the influx of claims we are carefully vetting for fraud. We ask you to please bear with us during this time.
Please know that we are deeply empathetic to the plight of the families for whom this aid is intended. My team and I are working around the clock to get as many of them through the process as possible. We are sorry for the long video chat wait times and frustrating experience.
We also want to clarify that video chat is not required for most users, so please read the instructions carefully. More than 88% of verified users get through via ID.me’s fully automated process and do not need to enter a video chat.
About one-third of all users who enter video chat upload improper documents. Please click this link to upload the correct documents to expedite your process.
If you are in an emergency situation, please contact ID.me Member Support.
Thank you for your patience and understanding.”
The article specifically says that they’re not preventing all fraud, even through their own systems.
Is ID.me one of those services, where one should “plant the flag”? Is there a danger not to? What are the dangers of creating an account with them?
The danger would be if they were themselves breached and their own databases compromised and exfiltrated. But that’s not imminent as far as anyone seems to know.
SheerID is a bigger and better company than ID.me.
I am surprised the states didn’t use them.
I have heard of these rings around Detroit - they travel to California many times a year. They post on social media in their aliases with pics of them holding STACKS of CA unemployment cards. They are literally buying high end cars, heavy equipment, iPhones, PS5s… Anything of value in big bulk to further blur the lines of pursuit. The ATM only allows 1000 a day, but they rope in street people to use the ATM because of the surveillance cameras. The guy who told me these stories had NO guilt, remorse, or bad feelings of getting caught at all. He elaborated further and further until my mind was spinning from the braggadocio and pride. I don’t know how we as a nation are going to survive this next decade but I have a 9 yr old whose future in this country may be uncertain.
So post any single link to corroborate any of this.
This is FACTS!
Criminals are smarter than most people think. The days of hanging out at the liquor store drinking 40’s and selling dope on the corner, those days are long gone!
More and more street guys are turning to white collar crime, this is a FACT! Straight from the grapevine
Solving these problems starts with solid leadership, and not the kind of “leadership” that currently inhabits the swampy marsh that is Congress!
These lawmakers are COMPLETELY incompetent! Every last one of those dinosaurs needs to be replaced, we need term limits to prevent these old f**k$ from serving more than 2-3 terms
Should be easy to prove with links to credible sources.
Why haven’t you provided any?
Can the government do ANYTHING right?
Why can’t the government agencies use the fraud detection systems of Visa or Verizon or Amazon?
Who thinks the US voting systems/processes are any LESS of a cluster-f***?
If the government ever gets in charge of healthcare the NY nursing home debacle will be a drop in the bucket.
How many millions of dollars have been lost by VISA fraud? They just pass the loss to customers in the form of fees.
Private sector loses millions too, hacked quite often. SolarWinds and Equifax, to name only two recent.
Government is made up of the same flawed people in corporate America. It’s just that government is a convenient scapegoat.
Healthcare in the private sector is a mess all by itself. Government might not do any better, but millions of people sick, dying and broke… Think government can’t possibly do worse.
Oh oh! You’re not supposed to say that about our “secure” election system!
Many election security experts have been shouting for years about vulnerabilities to local/remote hacking and holes in the processes.
And even they signed a statement saying NONE of the accusations of actually exploiting the vulnerabilities have merit.
Huge difference between being vulnerable and being exploited.
Some systems aren’t available for sale/rent. And some entities have privacy or contracting obligations that would prevent them from using other’s systems.
Amazon’s fraud detection system is almost certainly private.
Verizon [1] doesn’t have a perfect record.
Visa [2] isn’t perfect (actually, Verified by Visa at least was stupid & evil)
You aren’t wrong though, using a single centralized system gives better awareness than having 54 entities each doing their own thing. It’s why American Express probably has better ability to respond to fraud than some random Visa issuing bank — American Express is a single entity which sees all transactions for its network and is (almost exclusively) its own bank.
But, whenever governments get together to do things, some people (typically Republicans, but sometimes not) complain about “Big Government” and various brandings of “the devil” invading privacy.
It’s a tough balance.
[1] https://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/
[2] https://krebsonsecurity.com/2011/12/loopholes-in-verified-by-visa-securecode/
The article appears to be a puff piece for ID.me
Mr Krebs, your credibility is dwindling
Could you be more specific why you think that? I thought their experiences about how much of this fraud was being carried out was interesting. Also, it’s noteworthy when almost half of the states start moving to a new authentication system that really hasn’t been tried on such a large scale before.
I apologize – that was terse and unfair.
I consider you and Bruce Schneier to be the two most credible security experts online.
The impression I got from the article (admittedly read in haste) is that there is a problem and that ID.me is the solution. There are 13 references to ID.me in the article. Perhaps a survey of approaches to the problem would be fairer ….
Anyway, thanks for all you do Brian
Thanks for your reply. I don’t know what to say about a survey of competing approaches. But it’s clear what the states have been doing isn’t working, and that almost anything different would be an improvement. The reliance on static data and the expectation that everything about the process of applying for benefits is automated has gotten us to where we are now. The data point from Labor about more states starting to compare notes seems a step in the right direction as well.
First, one of the things missing from Brian’s article and the posters above is that many states have not updated their UI computer system. It is based on COBOL, program code from the 1990s. Some states have put out ads looking for people with that experience when faced with the need to change the code. Many states have never invested money in new software with needed security over the years. This is what you get as a result. It is the equivalent of carrying around your SS card in your wallet and it gets stolen.
Secondly, the system was not designed to handle many claims in response to the pandemic; as a result, fraud occurs largely because of static information and easily stolen information to file these claims from legitimate persons who are in need of it.
Many states should be employing 2FA or MFA to ensure it is the person who is actually the person they say they are, as many sites are employing it to move away from password-based login due to passwords being reused, which is not a good form of security. I, for one, use many forms of 2FA, ranging from Google Prompt and biometrics to an authenticator app; largely, you must have the device in hand to approve it to gain access.
Brian, I do read your article because I have an interest in understanding the evolving threats and the security of knowing what to think about when dealing with computers. So I thank you for putting this out on a regular basis. I used to read your article in the WaPo many years ago.
The problem is that the people who need help are those least likely to have anything close to 2FA.
The wealthy are likely to have good “know your customer” with their banks / bankers (this is why the bank driven relief at the beginning was such an inefficient and problematic way to give relief to those who needed it), as well as reasons to be using (and comfortable using) 2FA — namely, having assets worth protecting.
I’m certainly in favor of everyone having and using 2FA everywhere, but 4% of Americans didn’t have a cell phone and 19% didn’t have a smart phone in 2019 (when the pandemic began) [1]. And SMS isn’t a proper way to manage 2FA [2] (or pick many other articles from this site…), so it’s really the 19% that’s the problem.
As of 2018, 16% of Americans weren’t digitally literate [3]. And forget that percentage, try this one: “More than 60% of Americans say they’ve been a victim of an online scam” [4]. (I’ve been scammed, although I think mine was a phone scam, but that’s really a distinction without a difference.)
Heck, “Millions of Americans Have No Government ID” [5] and “The Invisibles: The cruel Catch-22 of being poor with no ID” [6] really define the problem space here.
[1] https://www.pewresearch.org/internet/fact-sheet/mobile/
[2] https://krebsonsecurity.com/2021/02/u-k-arrest-in-sms-bandits-phishing-service/
[3] https://nces.ed.gov/pubs2018/2018161.pdf
[4] https://nypost.com/2019/12/06/more-than-60-of-americans-say-theyve-been-a-victim-of-an-online-scam/
[5] https://www.npr.org/2012/02/01/146204308/why-millions-of-americans-have-no-government-id
[6] https://www.washingtonpost.com/lifestyle/magazine/what-happens-to-people-who-cant-prove-who-they-are/2017/06/14/fc0aaca2-4215-11e7-adba-394ee67a7582_story.html
While you’re correct about the computer literacy of most people, the US government has a program that allows people of low income to get a phone so they can be contacted for services and the like. They do provide many ways to prove who you are when applying for services. Some of the apps are free to download and use (Mobile Duo, Authy).
The pandemic hit like a ton of bricks, forcing people to buy computers so they can work from home, which led to some retailers having to restock, plus finding a suitable desk for people to work on. I for one had to study from home because of it; I responded by building my own laptop platform so I can work on school work without the strain on my neck. I was able to work comfortably.