Sleeping on the job? Security at work-applicant sites faulted
In the face of criticism that they provided fertile ground for Web predators, online job sites have responded by posting warnings about work-at-home schemes and positions forwarding money or potentially stolen goods.
But they have failed to adopt straightforward reforms that could have prevented the rampant fraud that recently swept Monster.com, security experts say. Two of the recommended safeguards: more rigorous background checks to certify that employers are legitimate and identity authentication methods that make it harder for hackers to access the database.
“They should read the job descriptions and ask themselves if they sound like legal jobs -- that’s the least they could do,” said Elisa Felix, a San Diego communications worker who responded to a 2005 ad by “Heinkel Intersales” and wound up in a scam funneling stolen money abroad. “I had a trust in CareerBuilder that they would only post a legitimate job.”
In the latest and most sweeping attack, about 1.3 million Monster users’ names, e-mail and street addresses were stolen from the site and discovered last month on a computer in the Ukraine.
The thieves used the information to personalize e-mails to the victims in attempts to steal their money. Monster a week later said it couldn’t determine how many others of its tens of millions of users were at risk from previous electronic incursions that it hadn’t detected before.
The admission pointed up some long-lasting vulnerabilities of today’s online job sites: Bogus companies like Heinkel are opening up accounts that allow them to defraud job seekers, even as the legitimate accounts of employers have become easy targets for evildoers like those in the Ukrainian operation.
The Monster breach is the largest known instance of fraud involving the use of legitimate accounts as an entry point, executives at Monster and CareerBuilder.com say.
In an interview, Monster Vice President Patrick Manzo said that gaining access to the corporate accounts that were compromised recently required only a user name and a password.
“There’s a balance between ease of use and security,” he said.
To security experts such as Chuck Allen, who heads a technology effort jointly funded by Monster and other personnel specialists, that practice is unwise.
If someone is searching for a handful of candidates a couple of times a year, a user name and a password might be enough protection, Allen said. But the giant staffing companies that set off no alarms when they look at thousands of resumes daily should have to prove their identities by using electronic certificates or a key fob with constantly updating code numbers -- something they would physically have -- in addition to something they would know, such as a password.
“The Monster news was sad, and surprising and not surprising, all at once,” Allen said. “Some of these job boards probably have to step up to some manner of two-factor authentication.”
CareerBuilder and Monster each have fraud teams of about 20 people that look for suspicious searches and listings by possible scam artists.
Site policies on granting database access to new customers vary.
On CareerBuilder, employers pay $600 to gain access to 50 resumes a day for two weeks and must supply a taxpayer identification number and its own website address, company spokeswoman Jennifer Sullivan said. CareerBuilder is co-owned by Tribune Co., which also owns the Los Angeles Times.
Monster’s Manzo wouldn’t say what checks new customers go through before getting national search packages that start with access to 500 resumes for $975. He said that in a minority of cases, companies got access before the verification procedures kick in.
Of the largest sites, only Yahoo Inc.'s HotJobs requires a conversation before an order for database access can be placed.
“There are a lot of things job sites could be doing to make them more secure,” said Pam Dixon, a researcher whose nonprofit World Privacy Forum wrote an extensive report about job-site scams warning that criminal access was a bigger problem than the sites were admitting.
In her 2004 report, Dixon documented advertising on online job sites by 23 bogus companies that said they needed financial managers, accountants or other representatives to consolidate incoming payments and forward the proceeds. The companies conducted convincing phone interviews and asked for bank account numbers.
Some hires who had provided banking information to their new employers then had money transferred without their knowledge into the accounts of other new workers, who kept a percentage and wired the rest overseas.
That’s the scheme that ensnared Felix, the San Diego woman. She signed a “sales representative” agreement with Heinkel and opened a Wells Fargo account, as she had been instructed.
After securing the bank account numbers of other people who had applied for work, the criminals fraudulently transferred their money into Felix’s account. Thinking those funds legitimately belonged to the company, Felix wired more than $1,000 to Italy.
The bank discovered the fraud in progress and tried to collect the other customers’ lost money from Felix because it had gone into her account. Wells Fargo failed to recover the money after Felix filed for bankruptcy protection.
After Dixon’s report, the major job boards said they were working hard to stop the scams.
But U.S Postal Service spokesman Doug Bem said federal mail inspectors were still seeing a trend toward job-board recruitment for illicit money transfers.
Users of all three boards also have complained that companies they applied to didn’t pay them for work and appeared to be stockpiling Social Security and bank account numbers, as well as e-mail addresses for resale or other misuse.
In one wide-ranging operation that attracted attention this year, a series of companies that placed advertisements that used similar wording sought people for jobs that included writing for an online newspaper called USA Voice.
After numerous complaints and media scrutiny, job sites pulled down recruitment ads for USA Voice and related firms. USA Voice had posted 1,200 listings on HotJobs alone.
“Consumers allege that the only thing they have received is bulk unsolicited e-mail,” Chief Executive Edward J. Johnson III of the Better Business Bureau in Washington, where USA Voice was based, told the Washington Post in February. The companies appear to be “a scheme to amass and sell personal contact information.”
After the media accounts, USA Voice dipped below the radar and changed its name to World Voice. The successor website, WorldVoiceReport.com, listed the company’s address as 1140 W. Olympic Blvd. in Los Angeles.
But that address doesn’t exist. After an inquiry from The Times, World Voice quickly changed its listing to 11400 W. Olympic, Suite 200, which World Voice marketing chief Ken Gibson said was a “virtual office” for receiving mail.
He said the company didn’t send spam and had paid thousands of contributors for their work. Gibson also said CareerBuilder and Monster had never pulled USA Voice ads, although the sites say otherwise. He said World Voice had no connection to another controversial firm, Instant Human Resources, but admitted later in the interview that they were both part of the same company.
World Voice hasn’t been deterred by any ban on recruitment at big job sites. In addition to soliciting writers and editors to work at World Voice, the site offers its own general “free posting board for job seekers,” who are invited to supply their names, e-mail addresses, phone numbers and other information.
And of course, any job seeker must agree not to hold “WorldVoice and/or it’s [sic] affiliates liable or responsible for the loss, theft, duplication, or fraud [sic] of any information I provide through the service.”