As Washington State geared up to respond to the economic reverberations of Governor Jay Inslee’s Stay Home, Stay Healthy orders earlier this spring, a Nigerian fraud ring dubbed “Scattered Canary” by the security community saw an opportunity to make out like bandits. Armed with the spoils of numerous data breaches, they instigated a cyber heist, filing tons of fraudulent unemployment claims with Washington State’s Employment Security Department (ESD).
We don’t yet know how much they stole, but it’s in the hundreds of millions.
“To some degree, Washington and its workers are the latest casualties in an era of rising identity theft,” reported The Seattle Times in a story on the theft.
“Filing for unemployment insurance in Washington and many states requires the sort of personal information — Social Security numbers, birth dates, addresses — that is depressingly easy to steal or buy on the dark web, thanks to massive data breaches such as the 2017 attack on credit reporting agency Equifax that allowed access to records of more than 145 million individuals.”
“Indeed, officials at ESD and at WaTech, the agency that manages the system the state uses to authenticate users for ESD and other state agencies, have repeatedly insisted that when thieves have enough personal information, it’s difficult to stop people from filing fraudulent claims without also obstructing legitimate filers,” the Times story (by Jim Brunner, Paul Roberts, and Patrick Malone) went on to explain.
ESD and WaTech officials are absolutely right.
Ever heard the adage “On the Internet, nobody knows you’re a dog”?
This is the dilemma that Washington State officials are wrestling with.
Washingtonians understandably like the ease and convenience of doing business online — including with their government, which belongs to them — but online systems are unfortunately highly susceptible to fraud. It’s trivial to masquerade as someone else if you have their personal identifying information. Trivial.
The bad guys know it’s hard for the authorities to sort out legitimate claims from illegitimate ones without making everyone jump through additional hoops, which almost defeats the purpose of offering people the ability to file for unemployment online. They used that knowledge to scam Washingtonians on a large scale.
On the Internet, nobody knows you’re a sophisticated Nigerian fraudster.
Public agencies aren’t the only entities that are grappling with the twin problems of identity theft and cybercrime. So are companies of all sizes in the private sector. Fraud in ecommerce is also a huge and growing problem… a problem that has largely been left to banks and merchants to manage as a cost of doing business.
We’ve all become accustomed to zero fraud protection guarantees. Spot a fraudulent charge on your credit card statement? No problem, just call the bank (or credit union) and report it. The charge will be reversed, pronto, and the card re-issued at no cost. At no direct cost to you, that is.
We may have decided as a society to tolerate a lot of fraud when it comes to our economic activities, but that model simply does not work for elections.
This disturbing case of cyber fraud ought to serve as a reminder of how difficult it is to validate someone’s identity over the Internet. And validating identity is the critical step in determining whether a measure has earned the requisite support from voters needed to qualify for placement on the ballot.
Current law (in Washington State and in most other places) allows petitioning on paper only. Voters must physically sign a petition for their signature to count.
That’s the way it needs to stay.
NPI knows of several lawsuits in which plaintiffs are presently asking judges to issue orders decreeing that signature gathering should be able to take place online due to the pandemic. These requests should be uniformly denied. This pandemic must not be the pretext for the further destruction of public confidence in elections.
NPI also knows of nonprofits that are claiming to have developed technology that can safely facilitate online signature gathering… like MapLight.
No nonprofit making such claims is to be trusted.
The Internet is unquestionably useful for many things, but it is not an appropriate medium for signature gathering. Signature fraud (on paper petitions) is already a problem. The last thing anyone who cares about the integrity of our democracy should want to do is make that problem worse by a factor of a zillion… which is exactly what would happen if online signature gathering were to be permitted.