I am amazed at how well these criminals from another country know the details of the systems in the US when we in the US have probably a handful of people who understand the end-to-end line they do.
I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it. This is sort of thing that the federal government should do and provide a portal for each state to use so that they can track and do stuff across states to look for fraud. However i don’t know if states rights and separation of duties screws this up.
> I am amazed at how well these criminals from another country know the details of the systems in the US when we in the US have probably a handful of people who understand the end-to-end line they do.
It’s quite literally a criminals job to understand and abuse these systems, and there’s very clear link between their performance and their reward. Makes for a good motivator.
People frequently underestimate criminals because they don’t appreciate that these individuals are doing this work as full time job. I’m sure if you spent 8 hours a day for week, you’ll have an equally good understanding.
I always find it ironic that for all but the most lucrative criminal enterprises, if the criminal applied the same amount of effort towards pursuing legitimate employment, they would come out ahead (adjusted for risk of course).
Some people just enjoy "getting over" more, to the point that they will discount their labor used for such schemes.
> we in the US have probably a handful of people who understand
When I moved to the US from Canada and HR was helping me setup my health insurance on the first day, I was overwhelmed trying to understand it and said "Sorry, I don't really understand how health insurance works here."
The HR person responded:
"That's ok. Most Americans don't understand how it works either."
> Most Americans don't understand how it works either.
When I dislocated my jaw and went to an in-network ER for treatment (it popped back in as I was sitting on the bed), I wasn't surprised to get a call from a collections agency regarding bills I never received from an "out of network" shell corporation for "consulting physicians" (never even saw a doctor, only a nurse), but I definitely didn't see it coming.
I think a lot of US immigrants are more well versed in the workings of the US government than native born citizens.
This is because they have a source of comparison, and it is on the test! (if they go for citizenship)
Although some US citizens get how well some things work in the US compared to other countries, they have blind spots for some things that don't.
I got sick in Mexico once and went to a doctor there. I paid in cash and it was something like $2. If I wanted, I could get my medicine in pill or hypodermic form.
This is so True, as an immigrant - I have changed jobs and every orientation when talking about benefits does not break down the cost to the employee - resulting in "just sign here" so we can be done with everything mentality
That HR representative appears quite talented. Nobody knows how it works, or there would/could not be significant "administrative" changes daily as insurance companies (and really any businesses) find new ways to take more of your money without any risk or possible recourse. They do whatever they want.. at least that they believe they can get away with long enough to make a profit.
> when we in the US have probably a handful of people who understand the end-to-end line they do.
Is it a hard thing to understand or is it just something that doesn't get done?
I work for a municipal government (not in social assistance though). Very little is documented, not because it would be hard to do so, but because first everything from budget to approved software for documentation to time allocation to 5 different approvals would be required to do it. We are terrible at sharing information internally, so every thing would require meeting after meeting to chase down who knows what as well.
Actually documenting the system I work on would take 1-2 days. But we initiated an overarching documentation plan in November and it is still being worked on (if it has not died from neglect).
> However i don’t know if states rights and separation of duties screws this up.
The history of the US shows that such things matter only when there is no bipartisan support.
See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).
> See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).
> I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it.
But trust us when we tell you that voter fraud isn't happening, that mail-in ballots offer no increased risks, and that non-citizens aren't voting.
Not that it's either relevant or germane to a discussion regarding an organization using stolen identity to wire funds electronically.
Multiple states have been using mail-in ballots for literally decades. No widespread voter fraud has ever been reported.
Here's an anecdote for you: a few elections back, my signature didn't look quite right on the envelope of my ballot. Got a call from elections officials to verify that I had in fact filled out the ballot.
There's a lot more control involved in mail-in voting than there are in fraudulently filling-out an online form and receiving an electronic funds transfer.
Every piece of mail must enter the system and be postmarked correctly. The US postal service certainly will not accept or deliver a piece of mail with a "Miami Beach, FL" postmark addressed to the "Sacramento Board of Elections" if it comes in with a batch of Par Avion mail off a plane from Nigeria.
You understand that the standard ML training data for OCR is from the US postal service, right? They've been routing mail electronically for decades.
The election system in the US is ridiculously decentralized, which makes it really hard to commit large-scale voter fraud at the ballot level.
people in business in the USA hire outsiders to do the dirty work, or afterwards such relationship leaks the details provided, to others who are just willing.. Why is USA federal IT work outsourced three times before it is done? What USA business owners, former owners, their accountants and others, are just in it for the money and tired of others winning while they work so hard and lose, etc.. SO .. there is some collusion across borders, most likely
> The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.
This is the problem, a complete lack of security. Why doesn't the US use an electronic signature supported by a digital certificate as we do in Europe?
Has there been a real profitable incentive to implement the technology? Then why spend the money for a risk that may not have an impact tends to be the mindset.
Quote: "The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year."
A perennial! problem, hundreds of millions each year. It blows my mind how 80+ years later SSN is still used as identity, far beyond its original purpose. I mean with only one year of those losses US gov. could easily adopt something better.
The Dutch system to this is pretty nice. Your BSN gets attached to a digital id (DigiD).
You might give your BSN out to a company (healthcare, doctor, etc) but that is used to create the link to your DigiD. From there if you want to login to something like your healthcare company it will then bring up a form where you copy four characters from your DigiD app on your phone. This makes sure the requests match, then you just scan a QR code and type in a pin.
So if you want to login to do something related to your taxes, or healthcare online you have very strong two factor auth.
Additionally banks work similarly for making payments or purchases online. I want to order a pizza for delivery online it redirects me to a payment page on my banks website. I then take out my bank app on my phone, type in a pin, scan a QR, and approve the payment.
It's crazy that we all walk around with some secret number that, if discovered, could wreak havoc on our lives.
This is especially true in this digital age of connectedness and breaches, wherein we're encouraged to use and share the number ourselves in some scenarios, but somehow expect it to not fall victim of a single error or act of malice.
I wonder, like, how much of that (and legitimate tax revenue) could be recovered or prevented each year by properly funding the IRS and other departments.
Where is the outrage compared to that of welfare queens, which don't exist in high numbers?
I think it's time we just eliminated the concept of personally identifiable information (PII). Your SSN, birthdate, name, etc. are no longer secret. Operate with that assumption. Invest in a department in the government (e.g. digital service) to make this change once and for all. Heck, let's eliminate DST and move to the metric system while we're at it. Let's call this "moving to new standards" that will pay off in dividends in the future.
I wonder what the rate/total volume (or detected volume) of fraud is? How does it compare to baseline levels of fraud? The article says the amount of fraud has kept pace with dramatic increase in claims in Rhode Island. If it's just keeping pace, why are we surprised? Do we even need to worry that much? Is the current situation making it easier to commit fraud? Or is it just generating more volume and noise to hide fraud in?
My friend's desperately needed unemployment funds are frozen because they were requested using a Romanian IP address. My friend has never been to Romania nor spoofed their IP in such a manner. The New York state unemployment website seemingly allows no recourse for this incident. They are now unemployed and unable to receive any income.
The recourse as I understand it is to try and call the agency to speak to a person. Of course the call systems are overloaded so that's easier said than done.
edit: This is the general approach by US agencies, the IRS website barfed on my info and I had to call a local office to get a person to help me (the nation wide number was 100% automated and likewise barfed on my info).
Calling the unemployment office right now is virtually impossible.
Conventional wisdom these days is that if you want to collect unemployment, you need to make filing a claim your full-time job. You start calling at 7am when they open, and keep re-dialing until you get through -- hopefully before they close at 4pm, and you have to start again the next day.
Also, don't call before Wednesday, if you don't absolutely need to. Monday/Tuesday are unofficially reserved for people who really need the money.
Of course, even if you get through to a person and get the right bit flipped in their database, there's no guarantees. I also hear lots of stories of people whose claims were approved 4 or 6 weeks ago and still haven't gotten a dime.
> Laid-off workers are confused and confounded by the department’s faltering claims system, erroneous denials and stubborn silence on key policies and questions.
> The frustrations lead people to call the department again and again – some say they dial more than 700 times a day.
> The employment department is taking steps to address the call volume. It has added hundreds of staff to process claims in recent weeks – it has 520 now and has leased a facility in Wilsonville to expand claims staff to 800.
> With jobless claims up nearly seventeenfold, though, the staffing increases aren’t close to keeping up with demand. So it may be weeks – or months – before Oregon works through its backlog in claims questions.
Once upon a time our office IP in Helsinki was tagged as being in Spain by some geoip provider. For months parts of the internet were in Spanish. No way to fix this from our end. For example, googling for any php function automatically linked me to the spanish version of php.net.
After a few months, the issue disappeared as mysteriously as it had appeared. And we'd had that set of static IPs for about 5 years by that point.
I've only been in the USA for less than a decade but when I landed here and got my SSN I got a pretty good lecture at the window from the Federal worker about never giving this out, keep it safe, yadda, yadda, yadda...
...and was then asked at every turn, by every website and application and whatnot, to provide four or more digits of this number to accomplish even the most benign things.
There's what the US government thought it would be and then there's what it's become because zero enforcement on use of it as a national person identity number was ever enacted.
The "don't give anyone your SSN" trope has become one of those household jokes. Right up there with "American's don't pay high taxes".
But you’re right that the original purpose wasn’t identifying people, however it was private banks that really latched onto it as a convenient way to identify people and associate debts to individuals.
When I worked on Wall Street way back in the 90s we knew SSNs were useless for any sort of id...
Too many 'shared' SSNs in, too many stolen SSNs. I highly doubt any financial instituation is using SSN as anything more then then 'corraborating' account access at this point.
Try telling a Doctor's office you don't want to give them your SSN. I personally make it a point to NOT give them my SSN and they always give me hell for it. Sometimes I give up but whenever I can, I try to fight it.
Direct payments are better for this very reason. They also become bonuses for those working. Banks and broken state systems have really caused problems getting stimulus out as expected.
Lots of people calling for temp UBI like Cuban [1]. It was obvious from the beginning we needed this.
With everything we learned from the Great Recession 'bailouts/stimulus' we should have expected this and just not gone the bank route or unemployment alone. Direct payments takes pressure off everything, unemployment, state budgets, individuals, mortgage/rent, small business, demand from purchasing power etc.
I didn't say buggy, I said broken, sometimes on purpose.
In "Study finds 44% of U.S. unemployment applicants have been denied or are still waiting" it shows the systems don't work [1]. This is one article, study or example in many, many reports on this.
Direct payments, at least during the crisis and maybe auto UBI during recessions, would make it to everyone, not prevent people from weighing going back to work, not overload state budgets, reduce unemployment, and more. Some systems like Floridas were meant to not really work at all to minimize usage.
Basically anyone in a state with a bad unemployment state system suffered. Direct payments gets around all that by using identity and tax system information.
Direct payments to everyone also get past the whole idea of selective stimulus. Money to everyone gets to where it needs to be that no central planning could ever predict from food, gas, housing, insurance, health, etc [2].
Direct payments during recessions would make the floor higher and bring back purchasing power demand sooner, or keep it with some semblance of consistency in times like this.
If only we saw this coming.... oh wait... Equifax's data breach of 143M records.
People have been calling for social security number system to be updated. In what world does it make sense to prove your identity with just a username (ss #) and not a password as well?
Readit News
I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it. This is sort of thing that the federal government should do and provide a portal for each state to use so that they can track and do stuff across states to look for fraud. However i don’t know if states rights and separation of duties screws this up.
It’s quite literally a criminals job to understand and abuse these systems, and there’s very clear link between their performance and their reward. Makes for a good motivator.
People frequently underestimate criminals because they don’t appreciate that these individuals are doing this work as full time job. I’m sure if you spent 8 hours a day for week, you’ll have an equally good understanding.
Some people just enjoy "getting over" more, to the point that they will discount their labor used for such schemes.
When I moved to the US from Canada and HR was helping me setup my health insurance on the first day, I was overwhelmed trying to understand it and said "Sorry, I don't really understand how health insurance works here."
The HR person responded:
"That's ok. Most Americans don't understand how it works either."
When I dislocated my jaw and went to an in-network ER for treatment (it popped back in as I was sitting on the bed), I wasn't surprised to get a call from a collections agency regarding bills I never received from an "out of network" shell corporation for "consulting physicians" (never even saw a doctor, only a nurse), but I definitely didn't see it coming.
Count me an average American, I guess.
This is because they have a source of comparison, and it is on the test! (if they go for citizenship)
Although some US citizens get how well some things work in the US compared to other countries, they have blind spots for some things that don't.
I got sick in Mexico once and went to a doctor there. I paid in cash and it was something like $2. If I wanted, I could get my medicine in pill or hypodermic form.
Is it a hard thing to understand or is it just something that doesn't get done?
I work for a municipal government (not in social assistance though). Very little is documented, not because it would be hard to do so, but because first everything from budget to approved software for documentation to time allocation to 5 different approvals would be required to do it. We are terrible at sharing information internally, so every thing would require meeting after meeting to chase down who knows what as well.
Actually documenting the system I work on would take 1-2 days. But we initiated an overarching documentation plan in November and it is still being worked on (if it has not died from neglect).
It will take time to redevelop the systems and thinking to be more fraud resistant.
However, many in the US equate validation or verification as too intrusive, too discriminatory, or both.
The history of the US shows that such things matter only when there is no bipartisan support.
See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).
If anyone is curious, this is due to Wickard v. Filburn (https://en.wikipedia.org/wiki/Wickard_v._Filburn), a very unfortunate Supreme Court decision made in 1942. This decision was cited as precedent in Gonzales v. Raich (https://en.wikipedia.org/wiki/Gonzales_v._Raich)
But trust us when we tell you that voter fraud isn't happening, that mail-in ballots offer no increased risks, and that non-citizens aren't voting.
Not that it's either relevant or germane to a discussion regarding an organization using stolen identity to wire funds electronically.
Multiple states have been using mail-in ballots for literally decades. No widespread voter fraud has ever been reported.
Here's an anecdote for you: a few elections back, my signature didn't look quite right on the envelope of my ballot. Got a call from elections officials to verify that I had in fact filled out the ballot.
There's a lot more control involved in mail-in voting than there are in fraudulently filling-out an online form and receiving an electronic funds transfer.
You understand that the standard ML training data for OCR is from the US postal service, right? They've been routing mail electronically for decades.
The election system in the US is ridiculously decentralized, which makes it really hard to commit large-scale voter fraud at the ballot level.
> The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.
This is the problem, a complete lack of security. Why doesn't the US use an electronic signature supported by a digital certificate as we do in Europe?
A perennial! problem, hundreds of millions each year. It blows my mind how 80+ years later SSN is still used as identity, far beyond its original purpose. I mean with only one year of those losses US gov. could easily adopt something better.
You might give your BSN out to a company (healthcare, doctor, etc) but that is used to create the link to your DigiD. From there if you want to login to something like your healthcare company it will then bring up a form where you copy four characters from your DigiD app on your phone. This makes sure the requests match, then you just scan a QR code and type in a pin.
So if you want to login to do something related to your taxes, or healthcare online you have very strong two factor auth.
Additionally banks work similarly for making payments or purchases online. I want to order a pizza for delivery online it redirects me to a payment page on my banks website. I then take out my bank app on my phone, type in a pin, scan a QR, and approve the payment.
What happens when you don't own a phone?
I know folks in their 60s who positively would not be able to do any of this with any level of success.
This is especially true in this digital age of connectedness and breaches, wherein we're encouraged to use and share the number ourselves in some scenarios, but somehow expect it to not fall victim of a single error or act of malice.
Where is the outrage compared to that of welfare queens, which don't exist in high numbers?
The list of breaches just goes on-and-on: https://krebsonsecurity.com/category/data-breaches/
Or just straight up sold by the government: https://news.ycombinator.com/item?id=20438289.
https://www.cio.com/article/2417888/prison-labor--outsourcin...
edit: This is the general approach by US agencies, the IRS website barfed on my info and I had to call a local office to get a person to help me (the nation wide number was 100% automated and likewise barfed on my info).
Conventional wisdom these days is that if you want to collect unemployment, you need to make filing a claim your full-time job. You start calling at 7am when they open, and keep re-dialing until you get through -- hopefully before they close at 4pm, and you have to start again the next day.
Also, don't call before Wednesday, if you don't absolutely need to. Monday/Tuesday are unofficially reserved for people who really need the money.
Of course, even if you get through to a person and get the right bit flipped in their database, there's no guarantees. I also hear lots of stories of people whose claims were approved 4 or 6 weeks ago and still haven't gotten a dime.
> Laid-off workers are confused and confounded by the department’s faltering claims system, erroneous denials and stubborn silence on key policies and questions.
> The frustrations lead people to call the department again and again – some say they dial more than 700 times a day.
> The employment department is taking steps to address the call volume. It has added hundreds of staff to process claims in recent weeks – it has 520 now and has leased a facility in Wilsonville to expand claims staff to 800.
> With jobless claims up nearly seventeenfold, though, the staffing increases aren’t close to keeping up with demand. So it may be weeks – or months – before Oregon works through its backlog in claims questions.
After a few months, the issue disappeared as mysteriously as it had appeared. And we'd had that set of static IPs for about 5 years by that point.
...and was then asked at every turn, by every website and application and whatnot, to provide four or more digits of this number to accomplish even the most benign things.
There's what the US government thought it would be and then there's what it's become because zero enforcement on use of it as a national person identity number was ever enacted.
The "don't give anyone your SSN" trope has become one of those household jokes. Right up there with "American's don't pay high taxes".
But you’re right that the original purpose wasn’t identifying people, however it was private banks that really latched onto it as a convenient way to identify people and associate debts to individuals.
Too many 'shared' SSNs in, too many stolen SSNs. I highly doubt any financial instituation is using SSN as anything more then then 'corraborating' account access at this point.
BTW - you might find this interesting: https://www.ssa.gov/history/ssn/misused.html People thought they were getting an SSN when they bought the wallet...
Deleted Comment
Lots of people calling for temp UBI like Cuban [1]. It was obvious from the beginning we needed this.
With everything we learned from the Great Recession 'bailouts/stimulus' we should have expected this and just not gone the bank route or unemployment alone. Direct payments takes pressure off everything, unemployment, state budgets, individuals, mortgage/rent, small business, demand from purchasing power etc.
[1] https://www.marketwatch.com/story/mark-cuban-says-families-s...
In "Study finds 44% of U.S. unemployment applicants have been denied or are still waiting" it shows the systems don't work [1]. This is one article, study or example in many, many reports on this.
Direct payments, at least during the crisis and maybe auto UBI during recessions, would make it to everyone, not prevent people from weighing going back to work, not overload state budgets, reduce unemployment, and more. Some systems like Floridas were meant to not really work at all to minimize usage.
Basically anyone in a state with a bad unemployment state system suffered. Direct payments gets around all that by using identity and tax system information.
Direct payments to everyone also get past the whole idea of selective stimulus. Money to everyone gets to where it needs to be that no central planning could ever predict from food, gas, housing, insurance, health, etc [2].
Direct payments during recessions would make the floor higher and bring back purchasing power demand sooner, or keep it with some semblance of consistency in times like this.
[1] https://www.cnbc.com/2020/05/15/44percent-of-us-unemployment...
[2] https://www.cnbc.com/2020/04/15/coronavirus-stimulus-checks-...
People have been calling for social security number system to be updated. In what world does it make sense to prove your identity with just a username (ss #) and not a password as well?