CHICAGO (WLS) -- The Illinois unemployment system may not be doing enough to protect benefits recipients from scammers who hijack their accounts and move money in their own accounts.
Some believe the Illinois Department of Employment Security could have prevented this if they had taken one more simple security step: two factor authentication.
Two factor authentication is a text or email sent to a device you possess to confirm you made a change to an account. The text or email includes a code which is used to confirm the change. It's often used for social media, credit cards and bank accounts, among other things.
"In general, whenever an entity is getting a request to change the routing of funds, they should definitely verify the authenticity of that request, and the easiest cheapest way of doing it is through two factor authentication," said William Kresse, fraud expert at Governors State University.
Kresse was surprised to learn that IDES does not use two factor authentication if account and routing numbers are changed. IDES confirmed that after the I-Team spoke to a victim who showed the potential opening.
"It never gives you the opportunity to put in a numbers where you can get an SMS text," said scam victim Russel McFeely.
McFeely lost $1,800 when a criminal hacked his IDES account and moved the benefits into another account.
"It's commonplace in today's ordering online, your banking information, you know, they will send you that text and it stops you in your tracks and many times that text has a code that you have to put into the website," said Kresse.
When the hijacking scam was initially reported, the state said claimants should make sure their password and security questions are strong and secure so account information can't be changed.
"I will tell you that my password consists of symbols, numbers, uppercase, lowercase and it ranges between 10 and 16 characters, so it is it is pretty secure," said Kresse.
IDES said if a claimant is a victim of fraud, it will conduct an investigation. If a payment was diverted, IDES will reimburse the victim. The state acknowledges investigations can take "quite some time" as they subpoena banking information.
McFeely restored his legitimate account information but is still trying to recover his $1,800.
Kresse said changes to the system should be made.
"It's a no brainer. Any organization not using that's not using 2 factor authentication for this purpose, they are being irresponsible," he said.
An IDES spokesperson also said they would "explore options" to implement two factor authentication.
IDES told the I-Team in a statement:
"If a claimant experiences this type of fraud, we encourage them to call and report it to IDES at 800.814.0513; their call will be returned in the order it was received. Additionally, a claimant should take steps to better secure their password and security questions they've selected and answered as part of the password reset process. It's important to use complex passwords and answers to these questions so that it is much harder for their account to be logged into, and have their information changed, by anyone other than the claimant.
"If a claimant believes they have experienced this type of fraud, the IDES fraud division will conduct an investigation and payment tracer to determine if benefit payment was sent out or not. If the investigation leads to the conclusion that a person's account information has been changed and payment was diverted elsewhere, payment will be reissued to the affected claimant. However, it is important to note and understand that these investigations can take quite some time to complete due to the need to subpoena banking information from financial institutions.
The IDES callback feature has been up and running and working since July 9. Between July 9 and July 29, nearly 135,000 callbacks have been made."
IDES also added that victims should be prepared to provide a photo ID and a copy of their Social Security Card.
REPORTING IDES FRAUD:
Call IDES Benefit Payment Control Division at (800) 814-0513. Please Note: Our call volume is high due to an increase in reports of fraud, so please be patient in waiting for your scheduled call back. When prompted:
Select English or Spanish language option;
Select option #1 for claimants, and;
Select option #5 to report identity theft.
The Illinois Attorney General's Identity Theft Hotline has several resources to help you, including trained advocates to guide you through the process: 1-866-999-5630; TTY: 1-877-844-5461.
You can also report it to the Federal Trade Commission. Report identity theft online or call the FTC at 1-877-FTC-HELP (1-877-382-4357) or TTY 1-866-653-4261. The FTC operator will give you the next steps to take.