Advertisement

INTERNET

Sleeping on the job? Security at work-applicant sites faulted

Experts say safeguards could have prevented the massive data breach at Monster.com.

September 11, 2007|Joseph Menn | Times Staff Writer

In the face of criticism that they provided fertile ground for Web predators, online job sites have responded by posting warnings about work-at-home schemes and positions forwarding money or potentially stolen goods.

But they have failed to adopt straightforward reforms that could have prevented the rampant fraud that recently swept Monster.com, security experts say. Two of the recommended safeguards: more rigorous background checks to certify that employers are legitimate and identity authentication methods that make it harder for hackers to access the database.

"They should read the job descriptions and ask themselves if they sound like legal jobs -- that's the least they could do," said Elisa Felix, a San Diego communications worker who responded to a 2005 ad by "Heinkel Intersales" and wound up in a scam funneling stolen money abroad. "I had a trust in CareerBuilder that they would only post a legitimate job."

In the latest and most sweeping attack, about 1.3 million Monster users' names, e-mail and street addresses were stolen from the site and discovered last month on a computer in the Ukraine.

The thieves used the information to personalize e-mails to the victims in attempts to steal their money. Monster a week later said it couldn't determine how many others of its tens of millions of users were at risk from previous electronic incursions that it hadn't detected before.

The admission pointed up some long-lasting vulnerabilities of today's online job sites: Bogus companies like Heinkel are opening up accounts that allow them to defraud job seekers, even as the legitimate accounts of employers have become easy targets for evildoers like those in the Ukrainian operation.

The Monster breach is the largest known instance of fraud involving the use of legitimate accounts as an entry point, executives at Monster and CareerBuilder.com say.

In an interview, Monster Vice President Patrick Manzo said that gaining access to the corporate accounts that were compromised recently required only a user name and a password.

"There's a balance between ease of use and security," he said.

To security experts such as Chuck Allen, who heads a technology effort jointly funded by Monster and other personnel specialists, that practice is unwise.

If someone is searching for a handful of candidates a couple of times a year, a user name and a password might be enough protection, Allen said. But the giant staffing companies that set off no alarms when they look at thousands of resumes daily should have to prove their identities by using electronic certificates or a key fob with constantly updating code numbers -- something they would physically have -- in addition to something they would know, such as a password.

"The Monster news was sad, and surprising and not surprising, all at once," Allen said. "Some of these job boards probably have to step up to some manner of two-factor authentication."

CareerBuilder and Monster each have fraud teams of about 20 people that look for suspicious searches and listings by possible scam artists.

But the job sites cover themselves against liability in the fine print. In its "terms of use," Monster says the company "does not screen or censor the listings. . . . Monster has no control over user content, the quality, safety or legality of the jobs or resumes posted [and] the truth or accuracy of the listings."

Site policies on granting database access to new customers vary.

On CareerBuilder, employers pay $600 to gain access to 50 resumes a day for two weeks and must supply a taxpayer identification number and its own website address, company spokeswoman Jennifer Sullivan said. CareerBuilder is co-owned by Tribune Co., which also owns the Los Angeles Times.

Monster's Manzo wouldn't say what checks new customers go through before getting national search packages that start with access to 500 resumes for $975. He said that in a minority of cases, companies got access before the verification procedures kick in.

Of the largest sites, only Yahoo Inc.'s HotJobs requires a conversation before an order for database access can be placed.

"There are a lot of things job sites could be doing to make them more secure," said Pam Dixon, a researcher whose nonprofit World Privacy Forum wrote an extensive report about job-site scams warning that criminal access was a bigger problem than the sites were admitting.

In her 2004 report, Dixon documented advertising on online job sites by 23 bogus companies that said they needed financial managers, accountants or other representatives to consolidate incoming payments and forward the proceeds. The companies conducted convincing phone interviews and asked for bank account numbers.

Some hires who had provided banking information to their new employers then had money transferred without their knowledge into the accounts of other new workers, who kept a percentage and wired the rest overseas.

Advertisement
Los Angeles Times Articles
|
|
|