The state of Kentucky is so desperate to stop rampant fraud that Kentucky Governor Andy Beshear is shutting down the state's unemployment benefits site for four days starting tonight.
The move comes after cybercriminal fraudsters using bots were able to get into about 300,000 unemployment accounts to reset the victims' 4-digit PINs. After resetting the PINs, the fraudsters would change the bank account information to have direct deposits sent into fraudulent or money mule accounts.
After the unemployment website is re-opened next Tuesday, April 13th, every unemployment claimant will have to re-register using an 8-digit PIN that they will receive in the mail in the next couple of days.
The letters containing the new PINs are set to be mailed today in the hope that claimants will be able to go back online by next Tuesday.
For now, however, the site is unavailable, so hundreds and thousands of state residents are locked out.
These drastic measures are similar to “Block and Reissue” tactics that credit card issuers use when large numbers of credit card accounts have been compromised and they need to get victims new cards.
“I hate that we have to do it, but there is no other option other than to let people’s money get stolen,” Gov. Andy Beshear
Easy to Guess PIN Numbers Were To Blame
The state believes that applicants to the program might have used unsophisticated 4-digit PINs that were easy for credential stuffing bots to conquer. Kentucky Career Center General Counsel Amy Cubbage pointed out the many flaws that were exposed in the cyber attack.
“Although the UI PINs are encrypted, it is possible for a person with enough computing power to guess an encrypted PIN by testing particularly weak or obvious four digit combinations,” said Cubbage.
“We had 3,995 users who used a PIN that was 1234, more than 1,500 users who set PINs that were 2020 and more than 1,200 users whose PINs were set to 1111.”
It is not unusual for 4-digit PINs to be almost useless in thwarting bot attacks. For example, TechTimes released a study showing that the most popular PINs that bots are able to guess are
Claimants also often use their month and year of birth, which is easily available from social media and the dark web.
“Just the fact that it’s happening at this scale means we got to stop it,” Beshear said. “…We’ve got to make sure that this type of attack, where they basically run through every possible four-digit PIN for these clients, that they can no longer do that.”
In addition to changing to 8-digit PINs, the website will also use two-factor authentication and 12-character passwords to thwart the bots.
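The weak choices named above (1234, 2020, 1111, and a claimant's birth month and year) can be rejected when a PIN is set, and a longer PIN needs the same check because 12345678 is no harder to guess than 1234. The following Python is an added example, not code from Kentucky's system; the function names, the 8-digit deny-list entries and the sample inputs in the comments are assumptions made for illustration.

```python
from datetime import date
from typing import List, Optional

# PINs the article reports as heavily reused, plus constructed 8-digit equivalents.
DENY_LIST = {"1234", "2020", "1111", "12345678", "00000000"}

def _is_run(pin: str, step: int) -> bool:
    """True if every digit follows the previous one by `step` modulo 10 (1234, 9876, 7890)."""
    return len(pin) > 1 and all(
        (int(b) - int(a)) % 10 == step % 10 for a, b in zip(pin, pin[1:]))

def _is_repeated_block(pin: str) -> bool:
    """True if the PIN is a shorter block repeated (1111, 1212, 20202020)."""
    n = len(pin)
    return any(n % k == 0 and pin == pin[:k] * (n // k) for k in range(1, n // 2 + 1))

def weak_pin_reasons(pin: str, birth: Optional[date] = None, min_len: int = 8) -> List[str]:
    """Return the reasons a proposed PIN is rejected; an empty list means it is accepted."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not numeric"]
    reasons = []
    if len(pin) < min_len:
        reasons.append("too short")
    if pin in DENY_LIST:
        reasons.append("on deny-list")
    if _is_repeated_block(pin):
        reasons.append("repeated block")
    if _is_run(pin, 1) or _is_run(pin, -1):
        reasons.append("sequential digits")
    if birth is not None:
        # Fragments anyone can derive from a public birth date (MMYY, MMYYYY, MMDD, YYYY, ...).
        formats = ("%m%y", "%m%Y", "%m%d", "%Y", "%m%d%Y", "%Y%m%d", "%d%m%Y")
        if any(birth.strftime(f) in pin for f in formats):
            reasons.append("derived from birth date")
    return reasons

# Constructed sample: a claimant born 13 April 1985 proposing PINs.
# weak_pin_reasons("72041985", date(1985, 4, 13)) flags the embedded 04/1985.
# weak_pin_reasons("83016274", date(1985, 4, 13)) returns [] and is accepted.
```

A check like this only narrows what users can pick; it does not replace limiting failed attempts per account and per source, which is what stops a bot from trying every combination.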