Categories
ESD

Creating ID file for WA ESD

Suggestions for Creating ID file to upload to WA ESD.

How you create a file depends largely on the equipment you have access to.

Here are two methods.

Regardless of the method used, create a file that includes the following:

  • Name and claim # at the top. This clearly ties your ID to a specific ESD claim. No confusion for ESD workers. Also, if the file gets disassociated with the claim, the ID at the top of the file shows which claim the file belongs to. (LeVine has indirectly admitted in news conference 2020-06-11 that some ID uploads have been lost. In answering Linzi Sheldon’s question about applicants being asked to upload ID over and over again, LeVine said: “There are some people where some of their information has changed and where we do actually need that information again. So, we are rapidly working to resolve this and will have more information and instructions for them, hopefully by later today that we release.” Where the ID information changes? Not likely. Working to resolve this probably means a software defect that is losing uploaded documents.)
  • Write date the file created and date submitted below name and claim # (this helps you know when you did both)
  • Then show the IDs, one on top of the other.

Here are two ways to create the file described above.

Using only phone

  • Get a piece of paper and clearly print your name and claim # on it.
  • Lay out on a table with ID stacked below.
  • Take a picture of it all, getting as close as possible for best clarity
  • This produces a single image file for upload.

Scanner and word processing program

  • Scan each image. If two fit into one scan, fine.
  • Open Word or OpenOffice Write
  • At top, type name and claim #, date created, date submitted
  • Insert images into the document, allowing for largest image possible
  • Save entire file as a PDF, which can be uploaded.

Categories
ESD

Washington ESD slipping on security again

If you think ESD is implementing best practices with security, think again after reading the analysis below. In fact, ESD is guilty of the very activity it is trying to guard and warn against.

Many individuals who have reported that they have been victims of imposter fraud through the WA State Employment Security Department are receiving email notices like the following, actual, email (click on image to enlarge):

Let’s examine ESD’s advice from the above image. ESD says:

“The email address we use will end with @esd.wa.gov or WashingtonESD@public.govdelivery.com. If you get any unemployment related correspondence from any other address, do not open or reply to it.”

The advice regarding “from any other address” certainly makes sense.

But, what if a phishing email shows up with “@esd.wa.gov” or “WashingtonESD@public.govdelivery.com” in the visible FROM field of the email? Fraudsters do this all the time, trying to trick recipients into thinking the email came from a legitimate source. Using someone else’s email address in the FROM field is called email address spoofing and there are articles all over the Internet about this. For example, Wikipedia has an article on email spoofing. Among the statements from that article:

MAIL FROM: – generally presented to the recipient as the Return-path: header but not normally visible to the end user, and by default no checks are done that the sending system is authorized to send on behalf of that address.

From: Joe Q Doe <joeqdoe@example.com> – the address visible to the recipient; but again, by default no checks are done that the sending system is authorized to send on behalf of that address.

WA State even has a law that recognizes and bans spoofing: RCW 9A.90.070 Spoofing. Is this law going to stop fraudsters? Hasn’t yet.

So, let’s say you get an email from an address ending with “@esd.wa.gov” or “WashingtonESD@public.govdelivery.com”. It invites you to visit an official-looking web site where you enter your phone number and perhaps other identifying info.

At this point, you’ve been had.

Then you get a call from someone at the fraudulent website saying they are a member of “OSI from the Employment Security Department”.

There is no way to validate that the caller is really from OSI. ESD creates the same problem with its wording discussed below.

At this point, you’ve been had again!

The only secure way to communicate with ESD’s OSI is to call the number ESD posts on the website.

An email sent out June 8, 2020 has some interesting wording.

“ESD will ask you for information through official correspondence and your ESD eServices account. If we call you, you can ask the agents to identify themselves.”

“If we call you”? ESD wants us to answer a call from someone who claims to be an ESD employee? But banks, the IRS, Social Security, tell us all the time they will not call us and ask for personal information.

ESD is not following best security practices.

Here’s how a call might go:

“Hello”.

“Hi. My name is John Smith. I’m calling from the Washington State Employment Security Department.”

“Great. Been waiting to hear from you folks.”

“Before we can move forward in resolving your application, I will need some additional information from you, including your Social Security number.”

“OK. But before we do that, I need for you to identify yourself.”

“Sure, no problem. My name is John Smith. I work for the Washington State Employment Security Department. My ID# is 19395954.”

“Oh, ok. So you need my Social Security number?”

“Yes, let’s start with that.”

“My Social Security number is 555-555-1111.”

See the problem with this? There is NO WAY for the recipient of the phone call to validate that the person calling really works for ESD.

In essence, ESD is helping applicants lower their guard against calls from fraudsters.

These two examples from ESD come after ESD was foolishly inviting people to send copies of their Social Security card and ID via email.

Categories
ESD

Editorial: LeVine’s crime report gives little hope to legitimate ESD applicants

Washington Employment Security Department Commissioner Suzi LeVine’s prepared remarks Thursday morning, 2020-06-04, were more of a crime report than a help report. Of the approximately 12 minutes of her prepared remarks, with six slides, only 1 minute — maybe 2 — was focused on how applicants with legitimate claims are going to be helped. And even those remarks were empty rhetoric, such as these three snippets (approximate time from the start of the video linked above):

7:33 “Through out this crisis that has meant being as honest and transparent as we can at all times in order to uphold our responsibility to Washingtonians who need our services, even if that means delivering news that is not always welcome.”

She delivered the bad news. Fraud, and more fraud — $500-600 million she thinks, as an early estimate. LeVine reported on the number of dollars recovered — $330 million. LeVine mentioned 25,000 fraudulent applications. What LeVine did NOT report on were, for example:

— how many ESD employees are examining ID documents to verify identity?
— how many applicant IDs are able to be verified each day?
— what is the percentage distribution of ESD workers that represent different functions, e.g.: 80% on phones, 10% on programming, 10% on ID verification?

10:39 “We are calling in every single resource we can and will leave no stone unturned to get the benefits people are due and to catch the criminals and to stop fraudulent claims from going out.”

LeVine did not mention even one “single resource” they were calling in. Why not? Why not explain the triage plan to work on the applications waiting the longest — if such a plan even exists.

12:45 “Everyday we see thousands of suspeciaous claims come in with increasingly convincing false IDs that must be reviewed and dealt with by trained investigators.”

How many investigators? Nine, as has been suggested in social media posts?

The six slides she included in her prepared remarks were:

1. Latest Numbers (of applicants)
2. Preventing Fraud: Helping the Victims
3. Preventing Fraud: Still Under Attack
4. Operation 100% (where she spend no more than 2 minutes, and said the June 15th deadline is going to be extended by at least two weeks)
5. Looking to the future (basically for another extension of PEUC benefits)
6. Fraud: Actions to take

Not one slide was devoted to “Actions to take if you are in limbo” or “Actions and resources we are taking to get you out of limbo”.

Overall, her crime report may be fodder for newspaper and TV reports, but offer little hope to the thousands of legitimate applicants thrown out of work and needing financial assistance.