People seeking Illinois unemployment benefits online will soon face additional steps to ensure they’re not using stolen identities, officials told state lawmakers Thursday.
The “ILogin” system is part of a beefed-up effort to battle fraud that has ripped through the state’s unemployment agency during the pandemic. The system includes safeguards already used by some states and in much of the private sector, such as multifactor authentication.
“In some ways, this is standing in for going to a location and presenting your secretary of state driver’s license in front of someone, where they would view it,” said Adam Ford, the Illinois Department of Innovation and Technology’s chief information security officer.
Ford spoke about the program at a Thursday hearing held by the Illinois House Committee on Cybersecurity. The hearing focused on impostors who looted the Illinois Department of Employment Security over the past 18 months using the stolen personal information of state residents.
A Tribune investigation published in June found IDES was late to adopt fraud-fighting tools pushed by federal officials or other anti-fraud techniques long used by banks and retailers as well as some government agencies. A separate Tribune report in July found IDES was struggling to stop another type of fraud in which thieves hijack the claims of legitimate filers.
A state audit covering the early months of the pandemic, released in July, found IDES paid hundreds of claims to people whose birthdays would have made them older than 90 or younger than 14, sometimes just weeks old. Lawmakers have since directed state auditors to do a deeper review of IDES’ unemployment programs after Senate Republicans accused the administration of Gov. J.B. Pritzker, a Democrat, of hiding the scope of problems.
IDES has offered no estimate of how much money was stolen. At Thursday’s hearing, IDES’ acting director, Kristin Richards, said the agency was “continuing to work to quantify” the amount — something she has been telling lawmakers and reporters since November.
Richards and others in the Pritzker administration have noted that widespread unemployment fraud has been a national problem, compounded by state agencies being starved of funding before the pandemic and then told to start new programs while handling far more claims than usual. IDES’ offices were closed until only recently, putting even more emphasis on claims filed online.
The administration said the multifactor authentication — using a code sent to a phone or email in addition to a password — is the latest step in upgrading the state’s fraud-fighting efforts.
Ford told lawmakers the system would be implemented “soon” at IDES and eventually at other state agencies. Representatives of the Pritzker administration did not immediately respond to questions seeking more specifics on the program.
Ford said the ultimate goal is to provide a way for state agencies to be comfortable they know the true identity of people they’re helping online, while also allowing Illinoisans to use a single user name and password to access the websites of various state agencies.
Ford’s agency — known by its acronym DoIT — works with agencies on cybersecurity and other computer issues. He acknowledged that the system, to succeed, requires a system to handle phone calls and visits from people whose identities can’t be verified online right away.
The state also will need to work continually to match the efforts of criminals who are constantly developing better techniques, Ford said.
Cybersecurity experts agree but say the state will need to step up its spending and devote more attention to meet the challenge.
“The state has been very reactive, and not proactive,” Maurice Dawson, director of the Illinois Institute of Technology’s Center for Cyber Security and Forensics Education, told the Tribune after watching Thursday’s hearing.
“It’s difficult to mitigate new threats with old technology,” he said.
jmahr@chicagotribune.com
