Categories
Uncategorized

Enhancing Seattle Times ESD Article on Missed Red Flags

Links to related articles at bottom

The Seattle Times ran an article called How missed ‘red flags’ helped Nigerian fraud ring ‘Scattered Canary’ bilk Washington’s unemployment system amid coronavirus chaos. This post supplements that article. Links at the bottom of this post provide more detail on ESD systems mentioned in the Times article.

40,000 Fraud Accounts?

Are the fraudsters more efficient than ESD? They might be, considering that Commissioner LeVine is reported as saying the fraud could be in the “hundreds of millions of dollars”. Let’s make some simple assumptions.

  Scenario A:
  1. Hundreds of millions = $200,000,000
  2. Average amount taken in each fraudulent account = $5,000
  3. 200,000,000 / 5,000 = 40,000 accounts!

  Scenario B:
  1. Hundreds of millions = $300,000,000
  2. Average amount taken in each fraudulent account = $5,000
  3. 300,000,000 / 5,000 = 60,000 accounts!

Commissioner Suzi LeVine has been adamant there has been no data breach — data stolen — and insisting all the fraud is because of data from other sources, such as the Equifax breach. She has said “This is happening because bad actors have acquired people’s personal information through other data breaches outside of the agency. Criminals then use this information to fraudulently apply for unemployment benefits in someone else’s name. There has been no data breach from ESD’s system.” Note the word “from”.

If there are really 40,000 or 60,000 accounts used for funneling money to the fraudsters, this suggests a degree of automation. Imagine the organizational logistics of getting enough computers and enough people to sit at computers to manually and individually create accounts, or gain access to existing accounts, to set email address, routing, and bank account information.

Consider this scenario: Fraudster gains entry into a backdoor of the ESD system and figures out that 1) a properly structured file of data (account activation, fraudulent email addresses, routing numbers and account numbers) could be uploaded and 2) a process could be run on the ESD server to process all the data in a batch. Fast and efficient. This could all be done without taking any data from the ESD server.

Whether there was intrusion or not, it seems reasonable that automation was used if there really are 40,000 or 60,000 accounts used for funneling money to the fraudsters.

How might ESD come up with hundreds of millions of dollars of fraudulent payments? Database queries!

Calculating Loss With Database Queries

How would ESD calculate loss to fraud? Here are some scenarios:

Assuming ESD has the ability to construct and run different queries on the ESD Claimant database, they might use any or all of these techniques (and probably more on data we don’t know about):

Throw-Away Email Addresses

Some domain names are used for throw-away email addresses, such as yopmail.com, and those associated with it:

@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf

So the right query, something like this admittedly simple one, can generate a number:

SELECT SUM(amountpaid) FROM datatable WHERE emailaddress LIKE '%yopmail%'

Run this on each domain, add the numbers, and you get an approximation of the amount paid out.

Routing numbers

Probably most ESD applicants would be using a bank within Washington State. (There are exceptions, of course, like USAA out of Texas, used a lot by military, ex-military, and families.) By looking at the routing number for direct deposit, ESD could get an idea of where payments are going. Routing numbers include number designations for the Federal Reserve district a financial institution is in. There have been reports that payments went to an institution in Oklahoma. Oklahoma is in Federal Reserve District 10. The Bank of Oklahoma routing number is 103900036. Washington is in District 12. Most Banner Banks in Washington start with 12, such as 121141903. There are variations, of course. Many credit unions begin with 3, such as Boeing Employees Credit at 325081403.

Using a simple query as an example, ESD could get a sense of how much money was being sent outside of Federal Reserve District 12:

SELECT SUM(amountpaid) FROM datatable WHERE routingnumber NOT LIKE '12%'

Because each financial institution has a unique routing number, suspicious financial destinations could be determined or verified. There have been reports of fraud victims receiving Green Dot cards in their mail as a result of a fraudulent creation of an account at Green Dot Bank and then at ESD. ESD could run a query like this to see the number of accounts using the Green Dot Bank (aka GOBank) routing number, 124303162:

SELECT COUNT(*) FROM datatable WHERE routingnumber = '124303162'

If you end up with something like 12,243 in the total count, then eyebrows would probably be raised.

Getting a total amount paid to 124303162 would be something like this:

SELECT SUM(amountpaid) FROM datatable WHERE routingnumber = '124303162'

No doubt the database ESD keeps its data in is more complex, and thus more complex queries would be needed.

Google Email

The Seattle Times reported this:

“Scattered Canary also used so-called “google.dot” accounts, that is, variations of the same Gmail address that can be used to set up a separate ESD account but, which all deliver to a single Gmail email address, according to Agari.”

This is actually a feature of Gmail. Rather than simply affix a specific combination of characters to a mail ID, Gmail uses a concept they used to call “namespace”. In this concept, variations on the name will still be accepted by the Gmail server as a valid email address and delivered to the same inbox as the original ID a user set up. From the Google help page “Dots don’t matter in Gmail addresses”. Google gives this example:

For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address:
john.smith@gmail.com
jo.hn.sm.ith@gmail.com
j.o.h.n.s.m.i.t.h@gmail.com

These variations are useful to determine if a service or company is selling an email address.

Another way to use the Gmail namespace is to add an identifier after the name with the plus sign:

john.smith+esd@gmail.com

Developing a query to detect if the same basic name was used in different accounts is possible, but might require additional processing outside of a database query. For example, ESD could run a query to compile a list of all gmail addresses used. Then remove all periods (dots) with search and replace. Then put the email addresses back into a database and run a query like this to count how many times each address appears:

SELECT emailaddress, COUNT(*) AS total FROM datatable GROUP BY emailaddress HAVING COUNT(*) > 1

You could end up with something like this:

johnsmith@gmail = 15 (total)
marysmith@gmail = 14 (total)

Results like this will give ESD heart attacks. Presumably, if there was no fraud, there would be only one email address for each account, and each address would appear only once in the entire database.
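The three checks described in this post (disposable-domain totals, routing numbers outside District 12 and the Green Dot count, and the dot-stripped Gmail collision count) worked as one added example; this is not code from the post or from ESD. It uses an in-memory SQLite table with the post's placeholder names (`datatable`, `emailaddress`, `routingnumber`, `amountpaid`) and constructed claim rows; the routing numbers are the ones quoted on the page, the amounts and addresses are made up, and the Gmail normalization also strips `+tag` suffixes, which the post mentions but does not query for.

```python
import sqlite3

# Constructed sample rows: (claimant email, ABA routing number, amount paid).
# Routing numbers are those quoted in the post; amounts and addresses are made up.
SAMPLE_CLAIMS = [
    ("john.smith@gmail.com",     "121141903", 4800.00),  # Banner Bank, District 12
    ("jo.hn.sm.ith@gmail.com",   "124303162", 5100.00),  # Green Dot Bank
    ("johnsmith+esd@gmail.com",  "124303162", 5000.00),  # Green Dot Bank
    ("mary.smith@gmail.com",     "325081403", 4200.00),  # BECU (credit union, 3xx)
    ("throwaway123@yopmail.com", "103900036", 5300.00),  # Bank of Oklahoma, District 10
    ("someone@cool.fr.nf",       "124303162", 4900.00),  # Green Dot Bank
    ("real.person@outlook.com",  "121141903", 3900.00),  # Banner Bank, District 12
]

# Throw-away domains listed in the post (yopmail.com and the domains tied to it).
DISPOSABLE_DOMAINS = (
    "yopmail.com", "yopmail.fr", "yopmail.net", "cool.fr.nf", "jetable.fr.nf",
    "nospam.ze.tc", "nomail.xl.cx", "mega.zik.dj", "speed.1s.fr",
    "courriel.fr.nf", "moncourrier.fr.nf", "monemail.fr.nf", "monmail.fr.nf",
)

def canonical_email(address: str) -> str:
    """Collapse Gmail dot and plus-tag variations into one canonical mailbox.

    Only gmail.com / googlemail.com get this treatment; other providers treat
    dots as significant, so their addresses are merely lower-cased.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def load_claims(rows):
    """Load rows into an in-memory SQLite table, adding the canonical-email column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE datatable (emailaddress TEXT, canonicalemail TEXT, "
                 "routingnumber TEXT, amountpaid REAL)")
    conn.executemany("INSERT INTO datatable VALUES (?, ?, ?, ?)",
                     [(e, canonical_email(e), r, a) for e, r, a in rows])
    return conn

def disposable_domain_total(conn) -> float:
    """Total paid to claims whose e-mail domain is on the disposable list."""
    placeholders = ",".join("?" * len(DISPOSABLE_DOMAINS))
    sql = ("SELECT COALESCE(SUM(amountpaid), 0) FROM datatable WHERE "
           "LOWER(SUBSTR(emailaddress, INSTR(emailaddress, '@') + 1)) "
           f"IN ({placeholders})")
    return conn.execute(sql, DISPOSABLE_DOMAINS).fetchone()[0]

def out_of_district_total(conn, district_prefix: str = "12") -> float:
    """Total paid to routing numbers that do not start with the District 12 prefix.

    As the post notes, credit-union routing numbers starting with 3 also match,
    so this is a coarse screen, not a verdict.
    """
    sql = "SELECT COALESCE(SUM(amountpaid), 0) FROM datatable WHERE routingnumber NOT LIKE ?"
    return conn.execute(sql, (district_prefix + "%",)).fetchone()[0]

def routing_number_stats(conn, routing: str):
    """(claim count, total paid) for one routing number, e.g. Green Dot's 124303162."""
    sql = "SELECT COUNT(*), COALESCE(SUM(amountpaid), 0) FROM datatable WHERE routingnumber = ?"
    return conn.execute(sql, (routing,)).fetchone()

def gmail_collisions(conn):
    """Canonical mailboxes that appear on more than one claim, most frequent first."""
    sql = ("SELECT canonicalemail, COUNT(*) AS total FROM datatable "
           "GROUP BY canonicalemail HAVING COUNT(*) > 1 ORDER BY total DESC")
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    db = load_claims(SAMPLE_CLAIMS)
    print("disposable-domain total:", disposable_domain_total(db))
    print("outside District 12 total:", out_of_district_total(db))
    print("Green Dot (124303162) count, total:", routing_number_stats(db, "124303162"))
    print("Gmail collisions:", gmail_collisions(db))
```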

Related Pages

Seattle Times Editorial Misses Important Details on Employment Security Department

Ticking along with ESD

WA State CIO apparently OK with ID sent by email

Washington State Sets Unemployment Benefit to $0 by making up job title

Seattle Times Editorial Misses Important Details on Employment Security Department

The Seattle Times published an editorial on May 21, 2020 called “Crisis reveals need for better state tech”.

The Times’ headline may be true but the editorial content misses some important details, and in one instance, is misleading.

The Times says this in one paragraph:

“That’s little consolation, though, for hundreds of thousands of residents desperately needing checks and stuck in the hell of a bureaucratic system meltdown.”

Then in the very next paragraph the Times says this:

“To her credit, LeVine acknowledged problems, promptly updated the system and presented a detailed plan to resolve 100% of claims by June 15.”

There are two issues in these two paragraphs:

  1. The numbers
  2. The update

The numbers

The reader may reasonably believe from these paragraphs that “100% of claims by June 15” refers to the “hundreds of thousands of residents needing checks and stuck in the hell of a bureaucratic system meltdown”.

But the reader’s reasonable belief is not so, because the “100% of claims by June 15” refers to “Operation 100%,” which WA Employment Security Department (ESD) launched to resolve about 57,000 applications – not “hundreds of thousands” – in the adjudication process.

Here’s what LeVine said on her video announcement May 11, 2020 at about 1:17 into the video: “Our goal is to get through the lion’s share of these 57,000 pending claims over the next two to three weeks. Because of the complexity for those still remaining at that point we believe it will take until mid-June to have 100% of those specific claims resolved or paid. Again those specific ones are the ones that we had in queue up until May 1st.”

The Times’ editorial inaccurately implies that Operation 100% refers to “hundreds of thousands of residents,” thereby giving the reader an inaccurate impression of what ESD hopes to accomplish by June 15, 2020.

The update

We can assume from the Times’ use of “bureaucratic system meltdown” that “system” refers to the entire conglomeration of computer systems, phone systems, personnel systems, etc. In that regard the Times may be correct. But if it is referring to “computer systems,” where’s the evidence?

Governor Inslee said in a news conference on April 16, 2020 that Suzi LeVine was “using new technology to try to accelerate getting these dollars to hard pressed Washingtonians.” I asked the Governor’s media person “What is this new technology in use by ESD?” The one and only response I got was: “I have reached out to ESD but have not heard back.” But the Governor made the comment so why not reach out to the Governor to see what new technology he was referring to?

Other issues

The Times makes reference to ESD’s mainframe replacement:

“Also listed [in the information officer’s dashboard] is a project started in 2007 to replace Employment Security’s mainframe for $46.8 million.”

“The dashboard shows the cost rose to $64.2 million in 2016, at which point the new system worked but still had issues to fix under warranty.”

This is only part of the story.

Next Generation Tax System

The $46.8 million was to replace the mainframe’s system for collecting taxes from employers. The new system is called NGTS — Next Generation Tax System. The majority of the money went to a company called Saber systems, which was a subsidiary of EDS, which in turn was purchased by HP. Subsidiary of EDS, an HP Company, to Modernize Washington State Unemployment Insurance Tax System: “EDS, an HP company, announced that Saber Government Solutions, its non-healthcare U.S. state and local government subsidiary, has been awarded a $24 million contract to develop and design the new tax system for the Washington Employment Security Department (WA ESD).”

The goal, according to the HP news release, encompassed a lot:
“Under the Next-Generation Tax System contract, Saber will perform project management, data conversion, business analysis, and application development and testing with the assistance of the WA ESD staff. As a result, the new system will improve UI tax functions such as employer registration, tax calculation, wage reporting, general ledger support, field auditing and collections.”

Implementation took longer than expected. After six years, in 2014, EDS launched the new system. According to a report by KING TV in 2016, not all was well. “But instead of making ESD’s job easier and providing employers with a more sophisticated and reliable collections system, the IT project created a wave of problems. Businesses were bit first by the new system’s many bugs.”

By 2016 there were still problems, even though earlier, strange problems had appeared. In 2014 when NGTS was launched, there was this report:

“For example, NGTS considers any empty field on an unemployment tax return to be an error… which sounds okay except the standard paper form provides six spots for six employees. So you have to fill in all six spots if you file your return using paper. You can’t avoid the penalty if, oh, say you have only one or two employees.”

“And it gets worse. Another bug in both the paper and electronic filing systems removes the leading digit in any employee’s Social Security Number if the number begins with a 6, 7, 8 or 9… and then because that Social Security Number is now “missing” a digit, NGTS assesses that employer an “incomplete” report penalty.”

FASTUI and false allegations

NGTS was the side that collects taxes from employers. Moving ahead for the benefits side — the side applicants use — ESD decided to use FASTUI from Fast Enterprises in Colorado. The contract for that purchase and implementation was in April 2017. The contract was signed by then Deputy Commissioner Lisa Marsh.

Not all went well when FASTUI was rolled out in January 2017 to applicants seeking benefits. KING TV reported: “The trouble with the system resulted in more than 750,000 calls for help to claim center staff on Tuesday [January 3, 2017] .”

Fast Enterprises has been a partial focus of problems in Michigan. The combined systems that included Fast Enterprises software in Michigan were known as Michigan Integrated Data Automated System (MiDAS). The Detroit Free Press reported:

“State officials have said that between Oct. 1, 2013, when the MiDAS system came on line, and Aug. 7, 2015, when the state halted the auto-adjudication of fraud determinations and began to require some human review of MiDAS findings, the system had a 93% error rate and made false fraud findings affecting more than 20,000 unemployment insurance claims. Those falsely accused of fraud were subjected to quadruple penalties and aggressive collection techniques, including wage garnishment and seizure of income tax refunds. Some were forced into bankruptcy.”

A Fast Enterprises spokesman told the Free Press:

“It’s not the role of a software company to tell an agency what to do or not to do, in general,” James Harrison of Fast Enterprises told the Free Press. “We can make suggestions.”

Regardless of fault, the attorney for plaintiffs in one of the lawsuits about this issue was reported in an NBC News article to have said that “40,000 fraud determinations were ultimately overturned.”

(For a more detailed understanding of what went on, read the published Opinion from the United States Court of Appeals for the Sixth Circuit. See excerpts below.)

Assuming all ESD upper management is aware of the massive false fraud allegations that happened in Michigan in relation to software from Fast Enterprises and associated software, it is not unreasonable that ESD would want to require human review of ID associated with an application to substantiate that the application is not a fraud attempt.

On the other hand, with automation capability, one might wonder if automation is partially responsible for all the fraud. LeVine won’t say, but if ESD swung to the opposite end to avoid false fraud determinations, might it be possible software configurations were too loose? Here the Seattle Times is right: “Fuller explanation is needed to assure residents that state systems handling sensitive information are truly secure and less vulnerable to being spoofed. The public also needs to know if its government erred and what corrective measures are needed.”

Moving forward, why not consider strong, national cryptographic identity like Estonia?

System of systems

One software product can be complex. Then add other software systems and you have a bigger complex system. In a March 25, 2020 consultant’s report: “The Employment Security Department (ESD) has over 170 applications/systems providing both direct support to Washington residents as well as administrative support to the operation of the Department, including employee payroll and vendor payments.”

Add the complexity of setting up hundreds of workers to work from home. Whose computer is used? How to establish secure connections? How to route phone calls? Are all the programs that an in-office worker would use available at home?

Juggling all this is certainly a huge challenge when confronted with an onslaught of applicants that push software, infrastructure, and people into operations never designed for that magnitude.

What’s Missing?

According to a March 2020 report from a consultant hired by ESD, the agency does not have a method of rapid recovery. “Currently ESD does not have a back-up or disaster recovery (DR) plan that would enable ESD to pay unemployment benefits to Washington residents in a timely manner in the event IT infrastructure, systems, or data became unavailable. The current back-up solution includes snapshots of data every 24-hours stored in one of ESD’s claim centers. Recovering the snapshots would require a manual process taking weeks to months to return to an operational state. Interruption to or total loss of technology systems and associated IT infrastructure would significantly disrupt critical services to job seekers and employers, potentially causing significant social and economic impact to residents of Washington State.”

— Bruce Miller
Excerpts from the Court of Appeals Opinion mentioned above

“If the employee reported no income for any week during a quarter in which he or she earned income, MiDAS automatically determined that the claimant had engaged in fraud. The Agency made no effort to assess whether the claimant truthfully reported no income for the week(s) in question.”

“The Agency assessed the penalties even when claimants did not actually receive benefits. Many claimants were assessed penalties that ranged from $10,000 to $50,000.”

“The only time real-life Agency employees evaluated a particular instance of suspected fraud was when a claimant filed an appeal. Claimants had 30 days to appeal the fraud determination to an Administrative Law Judge (“ALJ”). But “the vast majority” of claimants did not know about the fraud determination until the window to appeal had expired and they had been assessed thousands of dollars in fines. And when claimants attempted to appeal, Agency employees informed them that they could not appeal because more than 30 days had passed, even if the claimants still had the right to appeal because they never received notice. Furthermore, according to the Michigan Auditor General, the Agency never answered over 90% of the calls to its “Help Line.” In fact, out of the last 50,000 calls the “Help Line” received before the Auditor General conducted the audit, “not a single one had been answered or returned.”

WA State CIO apparently OK with ID sent by email

Apparently the Washington State Chief Information Officer (Jim Weaver) does NOT have a problem with Employment Security Department inviting applicants to send identification via email. The State CIO office was asked twice why the State CIO would allow ESD to invite applicants to submit ID via email.

Here’s the image below that shows ESD was offering this method.

The State’s CIO office responded 2020-05-19 with this:

The state Employment Security Department is your best source of information regarding the state unemployment benefits system. It’s our understanding from ESD that fraud victims are submitting their information through a secure webform at esd.wa.gov/fraud.

Thanks,

WaTech Communications

The response obviously does not address the evidence that ESD has communicated to applicants that sending ID via email is an option. Therefore, it is reasonable to assume the State CIO has no problem with ESD inviting applicants to send ID via email.

Interestingly, an ESD web page clearly states that a Social Security number should NOT be sent by email to ESD because “emails you send us may not be secure.” See the image below.

Then, through some miracle of increasing security consciousness, ESD updated the fraud page sometime after April 11, 2020 to say you should “never” send full SS# via email.

Nick Demerice, ESD spokesperson, during the 2020-05-21 news conference with Suzi LeVine, at about 13:44, said:

Some of the letters that went out did indicate that people should send sensitive information to an email address. That is old content before we were able to update the secure online reporting form. So we actually, we apologize for that and we are updating the language in those letters. We ask that folks go ahead and log into the secure system to be able to upload those documents and not send them via email.

Still no mention that sending “sensitive information” by email is a bad idea. Or that the “old” information contradicted what had been on the website for a long time.

Many businesses, for many, many years, have discouraged customers from sending credit card information by email. Recent example:

2020-05-19: OmahaSteaks.com: “For your protection, we do not recommend e-mailing credit card information.”

From https://www.securitymetrics.com/blog/sending-credit-card-info-over-email:

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies (like email). Here’s why: email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any end-user technology, it’s extremely difficult to secure.

When a credit card number is misused, you can call the issuing bank and have a new card issued, even with a new number. Try calling the Social Security Administration saying you want a new Social Security number.

If the business community has clearly adopted a policy that sending credit card information by email is not a good idea, why would sending personal ID, including an image of a Social Security card, be a good idea?

Here’s what a small smattering of others have thought about sending Social Security number by email:

Never send your Social Security number or any account information via email, even if you trust the recipient, because you become less secure as soon as you press send.

Why You Should Never Email a Social Security Number

Don’t ever email a Social Security number.

Don’t store electronic documents containing Social Security numbers on your computer, your smartphone or a cloud-storage drive.

1798.85. (a) Except as provided in this section, a person or entity may not do any of the following: Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.
WA State Law requiring WA agencies to disclose data breaches

Any agency that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.
