INTERNET - Sleeping on the job? Security at work-applicant sites faulted - Experts say safeguards could have prevented the massive data breach at Monster.com.

In the face of criticism that they provided fertile ground for Web predators, online job sites have responded by posting warnings about work-at-home schemes and positions forwarding money or potentially stolen goods.

But they have failed to adopt straightforward reforms that could have prevented the rampant fraud that recently swept Monster.com, security experts say. Two of the recommended safeguards: more rigorous background checks to certify that employers are legitimate and identity authentication methods that make it harder for hackers to access the database.

"They should read the job descriptions and ask themselves if they sound like legal jobs -- that's the least they could do," said Elisa Felix, a San Diego communications worker who responded to a 2005 ad by "Heinkel Intersales" and wound up in a scam funneling stolen money abroad. "I had a trust in CareerBuilder that they would only post a legitimate job."

In the latest and most sweeping attack, about 1.3 million Monster users' names, e-mail and street addresses were stolen from the site and discovered last month on a computer in the Ukraine.

The thieves used the information to personalize e-mails to the victims in attempts to steal their money. A week later, Monster said it couldn't determine how many more of its tens of millions of users were at risk from earlier electronic incursions that it had not detected.

The admission pointed up some long-lasting vulnerabilities of today's online job sites: Bogus companies like Heinkel are opening up accounts that allow them to defraud job seekers, even as the legitimate accounts of employers have become easy targets for evildoers like those in the Ukrainian operation.

The Monster breach is the largest known instance of fraud involving the use of legitimate accounts as an entry point, executives at Monster and CareerBuilder.com say.

In an interview, Monster Vice President Patrick Manzo said that gaining access to the corporate accounts that were compromised recently required only a user name and a password.

"There's a balance between ease of use and security," he said.

To security experts such as Chuck Allen, who heads a technology effort jointly funded by Monster and other personnel specialists, that practice is unwise.

