Changes to prevent the kind of rampant fraud that recently swept Monster and CareerBuilder haven't been made, security experts say.
In the face of criticism that they provided fertile ground for Web predators, such online job sites as Monster.com and CareerBuilder.com have responded by posting warnings about work-at-home schemes and jobs forwarding money or potentially stolen goods.
But they have failed to adopt straightforward changes that could prevent the kind of rampant fraud that recently swept Monster, according to security experts. Two of the recommended safeguards: more rigorous background checks to certify that employers are legitimate and identity-authentication methods that make it harder for hackers to access the database.
“They should read the job descriptions and ask themselves if they sound like legal jobs — that’s the least they could do,” said Elisa Felix, a San Diego communications worker who responded to a 2005 ad by “Heinkel Intersales” and wound up in a scam funneling stolen money abroad.
In the latest and most sweeping attack, 1.3 million Monster users’ names, e-mail and street addresses were stolen from the site and discovered last month on a computer in Ukraine.
The thieves used the information to personalize e-mails to the victims in attempts to steal their money. Monster a week later said it couldn’t determine how many others of its tens of millions of users were at risk from previous electronic incursions that it hadn’t detected.
The admission pointed up some vulnerabilities of today’s job sites: Bogus companies like Heinkel are opening up accounts that allow them to defraud job seekers, even as the legitimate accounts of employers have become easy targets for evildoers like those in the Ukrainian operation.
The Monster breach is the largest known instance of fraud involving the use of legitimate accounts as an entry point, according to executives at Monster and CareerBuilder.
In an interview, Monster Vice President Patrick Manzo said that gaining access to the corporate accounts that were compromised recently required only a user name and password. “There’s a balance between ease of use and security,” he said.
To security experts like Chuck Allen, who heads a technology effort jointly funded by Monster and other personnel specialists, that practice is unwise.
If someone is searching for a handful of candidates a couple of times a year, a user name and password might be enough protection, Allen said.
But the giant staffing companies that set off no alarms when they look at thousands of résumés daily should have to prove their identities by using electronic certificates or a key fob with constantly updating code numbers — something they physically have — in addition to something they know, such as a password.
“The Monster news was sad and surprising — and not surprising, all at once,” Allen said. “Some of these job boards probably have to step up to some manner of two-factor authentication.”
CareerBuilder and Monster each have fraud teams of about 20 people that look for suspicious searches and listings by possible scammers.
Site policies on granting database access to new customers vary.
On CareerBuilder, employers pay $600 to gain access to 50 résumés a day for two weeks, and must supply a taxpayer-identification number and their own Web-site address, according to spokeswoman Jennifer Sullivan.
Monster’s Manzo would not say what checks new customers go through before getting national search packages that start with access to 500 résumés for $975.
Of the largest sites, only Yahoo’s HotJobs requires a conversation before an order for database access can be placed.
“There are a lot of things job sites could be doing to make them more secure,” said Pam Dixon, a researcher whose nonprofit World Privacy Forum wrote an extensive report about job-site scams three years ago warning that criminal access was a bigger problem than the sites were admitting.
In her 2004 report, Dixon documented advertising on job sites by 23 bogus companies that said they needed financial managers, accountants or other representatives to consolidate incoming payments and forward the proceeds.
The companies conducted convincing phone interviews and asked for bank-account numbers.
Some hires who had provided banking information to their new employers then had money transferred without their knowledge into the accounts of other new workers, who kept a percentage and wired the rest overseas.
That’s the scheme that ensnared Felix, the San Diego woman. She signed a “sales representative” agreement with Heinkel and opened a Wells Fargo account, as she had been instructed by a company officer, actually a con man working with others.
After securing the bank-account numbers of other people who had applied for work, the criminals fraudulently transferred their money into Felix’s account. Thinking those funds legitimately belonged to the company, Felix wired more than $1,000 to Italy. The bank discovered the fraud in progress and tried to collect the other customers’ lost money from Felix, since it had gone into her account. Wells Fargo failed to recover the money after Felix filed for bankruptcy protection.
After Dixon’s report, the major job boards said they were working hard to stop the scams.
But U.S. Postal Service spokesman Doug Bem said federal mail inspectors are still seeing a trend toward job-board recruitment for illicit money transfers.
In one wide-ranging operation that attracted attention earlier this year, a series of companies that placed advertisements that used similar wording sought people for jobs that included writing for an online newspaper called USA Voice.
After numerous complaints and media scrutiny, job sites pulled recruitment ads for USA Voice and related companies. USA Voice had posted 1,200 listings on HotJobs alone.
“Consumers allege that the only thing they have received is bulk unsolicited e-mail,” CEO Edward Johnson III of the Better Business Bureau in Washington, D.C., where USA Voice was based, told The Washington Post in February. The companies appear to be “a scheme to amass and sell personal contact information.”
After the media accounts, USA Voice dipped below the radar and changed its name to World Voice. The successor Web site WorldVoiceReport.com listed the company’s address as 1140 W. Olympic Blvd. in Los Angeles.
But that address doesn’t exist. If the address existed, it would be under the 110 freeway near Staples Center just west of downtown. After an inquiry from the Los Angeles Times, World Voice quickly changed its listing to 11400 W. Olympic, Suite 200, which World Voice marketing chief Ken Gibson said was a “virtual office” for receiving mail.
He said the company doesn’t send spam and has paid thousands of contributors for their work. Gibson also said that CareerBuilder and Monster had never pulled USA Voice ads, although the sites say otherwise.
He said World Voice had “no connection” to another controversial company, Instant Human Resources, but admitted later in the interview that they were both part of the same company.