COLUMBUS, Ohio — The computer code flaw that led to scammers stealing nearly $190,000 in Ohio unemployment benefits and freezing tens of thousands of genuine accounts doesn’t threaten other parts of the state’s online security system, according to a state spokesman.
However, there are a number of still-unanswered questions about the code flaw that the state’s unemployment office has declined to answer, citing security concerns.
The code flaw, announced Monday, was part of the “identity and authentication” link between Ohio’s unemployment benefits system and the state’s OH|ID system, which allows state residents to use a single username and password to access a variety of state programs and services, including the Ohio Bureau of Motor Vehicles and the Ohio Department of Taxation.
State officials extended OH|ID to cover Ohio’s unemployment system in 2021, saying at the time it would improve the security and privacy of Ohio’s unemployment system. The system had been beset by fraudsters taking advantage of pandemic funds, and the state was in search of a fix.
But earlier this month, Ohioans again were faced with hours-long hold times as they waited to speak to state unemployment officials about attempts at fraudulent activity made in their name. State officials said the code flaw was the problem.
That flaw was on the “unemployment side” of the system and “does not threaten other aspects of OH|ID,” stated J.C. Benton, a spokesman for the Ohio Department of Administrative Services, which runs OH|ID.
The flaw caused a weeks-long surge in fraudulent unemployment claims, which has led thousands of Ohioans to spend four hours or longer on the phone in order to unfreeze their accounts. ODJFS finally fixed the issue last week and now offers Ohioans locked out of their accounts a way to lift the freeze by setting up two-step verification and answering security questions.
Cleveland.com/The Plain Dealer submitted a list of questions to the Ohio Department of Job and Family Services, which runs the state’s unemployment office, regarding the flaw, including exactly how it allowed so much money to be stolen, who was responsible for it, and what steps are being taken to ensure it doesn’t happen again.
ODJFS spokeswoman Dasia Clemente, in a statement Tuesday, declined to provide answers to those questions but said her department is conducting an investigation into the issue.
“We have provided all that we can at this time and will provide an update when the investigation has concluded,” said Clemente, who did not respond to a reply email asking who was conducting the investigation.
ODJFS has long been hesitant to provide details about how they combat unemployment fraud, out of concern that scammers will exploit that information to bilk even more money out of the system.
Unemployment fraud has been a major issue in Ohio and around the country since the start of the coronavirus crisis in 2020, as scammers were drawn in by special COVID-19 jobless benefits that had lowered verification requirements. State officials estimated in 2021 that between April 2020 and June 2021 alone, more than $477 million was paid to Ohio unemployment claims later found to be fraudulent.
That pandemic wave of unemployment fraud gradually subsided, as the special COVID-era benefits ended and ODJFS brought in private-sector officials and security firms to beef up Ohio’s anti-fraud system.
How the fraud works
Blake Hall, CEO of ID.me, a security company hired by a number of states (not including Ohio) to help crack down on unemployment fraud, said in an interview that his company has seen “an enormous surge” in unemployment fraud attempts over the past several months, usually by crime rings operating in West Africa, against unemployment systems all over the United States.
These scammers often use low-tech methods, like exploiting private-sector data breaches or phishing emails to obtain people’s personal information to file a new claim or break into their account, Hall said. Those methods helped fuel the first wave of unemployment fraud during the pandemic.
“We’ve seen the schemes range from military romance scams – where people think that they have a fiancé who’s deployed overseas in the military and needs help – to job scams, where people think that they’re applying for a job at a major company like Amazon or an airline – to even things like people who think that they’re going to meet a rapper by verifying their identity,” Hall said. “In Connecticut, they created letters that looked exactly like the Department of Labor letterhead.”
However, there’s a new high-tech twist to their methods: As many overseas scammers aren’t fluent in English, Hall said, it’s likely they’re turning to artificial intelligence software to communicate with Americans.
In addition, scammers now have access to powerful software that allows them to test system vulnerabilities like never before, Hall said. One of those is OpenBullet, which Hall said permits fraudsters to take a lengthy list of user passwords stolen via a data breach and check them en masse to see which grant them access to Ohio unemployment accounts.
“(They can) take over tens of thousands of accounts if the security on the login system isn’t set up correctly,” Hall said.
If the Ohio unemployment system doesn’t have proper safeguards for either identity verification or for its OH|ID login system, Hall continued, scammers can take advantage of that.
“If you kind of dropped the ball on either one of those fronts, you’re typically going to be looking at substantial fraud and identity theft on any government system these days,” he said.
Hall said he was glad to hear that Ohio’s unemployment system offers two-step verification, under which Ohioans have to take an additional step – like typing in a code sent to their phone – beyond just entering a password to gain access to their accounts.
But he said that to prevent something like this from happening again, Ohio should follow federal security standards for identity verification. Cleveland.com/The Plain Dealer has reached out to ODJFS to ask whether they currently follow such standards.
Haywood Talcove, CEO of LexisNexis Risk Solutions – one of the security firms hired by Ohio’s unemployment system – said in an interview that Ohio, unlike some other states, requires more than just a document check to verify applicants’ identities. Additional anti-fraud measures available to states like Ohio include using non-public information and behavioral metrics such as the cadence at which people type to verify the identity of applicants.
Gov. Mike DeWine told reporters Wednesday that it was “good news” that ODJFS caught the code flaw. “The department made the correct moves in regard with that,” he said.
However, DeWine said unemployment fraud will remain an ongoing problem.
“This is not something that’s going to go away. This is something we’re going to live with,” he said. “It’s a battle – it’s a war that’s going to continue on many different fronts.”
