The State of Colorado is responsible for the current rash of fraudulent unemployment claims in the…

December 28, 2020

I discovered somebody had filed for unemployment insurance using my identity. As a security professional I’m pretty cognizant of usernames/passwords, reuse, complexity, etc.

So I was curious how someone could have filed a claim in my stead.

First, they would go to cdle.colorado.gov, select Returning Claimants, then click on MyUIClaimant.

Next, when the website pops up, they select, “I forgot my username.” They populate the Email ID with an email address of a Colorado resident and…

Well, actually, if they know any scripting at all they could use a tool like Burp Suite or curl.

Anyway, they populate the Email ID and the FOUR DIGIT Social Security number check with 0000, and then have a computer script (trivial to put together) try the other 9999 possibilities. After a few seconds they have identified the UserID based on the email.

Then they take the email address they just used, along with the last four digits of the SSN, and do the same thing to get the password.

The attacker logs in to the account with the victim’s login and password, as handed over by the State of Colorado, and changes the email address to one the attacker has access to. Then they force a PIN change, which is sent through regular mail to the victim.

When the victim receives a PIN in the mail that they didn’t request, they go to the Colorado State website to have the virtual assistant help with changing the PIN. Several questions are asked: the victim’s SSN, their birthdate, their zip code.

And after the victim provides the Virtual Assistant all of this information to verify their identity…

The State of Colorado sends the new PIN to the attacker’s email address instead of mailing a new one. The attacker can now access all of the victim’s personal information.
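As an added illustration (my own code, not anything from the State's site or this post), here is what a defender could do about the last-four enumeration described above: a detector that flags an email whose recovery endpoint saw many distinct four-digit guesses within a few minutes, and a throttle that stops answering the check after a handful of failures. The log format, field names, emails and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
                     r"email=(?P<email>\S+) ssn4=(?P<ssn4>\d{4}) result=(?P<result>\S+)")
FMT = "{ts} src={src} action=forgot_username email={email} ssn4={s:04d} result={r}"

def make_sample_log():
    """Constructed sample: one user who mistypes once, one source walking last-four values."""
    t0 = datetime(2020, 12, 27, 10, 0, 0)
    lines = [FMT.format(ts=t0.isoformat(), src="198.51.100.5", email="bob@example.test", s=1234, r="fail"),
             FMT.format(ts=(t0 + timedelta(seconds=20)).isoformat(), src="198.51.100.5",
                        email="bob@example.test", s=1243, r="ok")]
    for i in range(40):  # 40 guesses in 40 seconds against a single email
        lines.append(FMT.format(ts=(t0 + timedelta(seconds=i)).isoformat(), src="203.0.113.7",
                                email="alice@example.test", s=i, r="ok" if i == 39 else "fail"))
    return lines

def find_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Return {email: n} for emails with >= threshold distinct ssn4 guesses inside any window."""
    attempts = defaultdict(list)  # email -> [(timestamp, ssn4)]
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["action"] == "forgot_username":
            attempts[m["email"]].append((datetime.fromisoformat(m["ts"]), m["ssn4"]))
    flagged = {}
    for email, evs in attempts.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {s for ts, s in evs[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                flagged[email] = len(distinct)
                break
    return flagged

class RecoveryThrottle:
    """Mitigation: after max_fail failed last-four checks for an email within window_s seconds, stop answering."""
    def __init__(self, max_fail=5, window_s=900):
        self.max_fail, self.window_s = max_fail, window_s
        self.failures = defaultdict(list)  # email -> failure times (seconds)

    def check(self, email, guess, true_ssn4, now_s):  # returns 'locked', 'ok' or 'fail'
        recent = [t for t in self.failures[email] if now_s - t <= self.window_s]
        self.failures[email] = recent
        if len(recent) >= self.max_fail:
            return "locked"  # same answer for every guess, so the endpoint leaks nothing
        if guess == true_ssn4:
            return "ok"
        recent.append(now_s)
        return "fail"
```

With the throttle in place a script gets five answers and then silence for fifteen minutes, which turns a few-second search into something that takes weeks and shows up in the logs long before it finishes.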

Thanks, Colorado. I appreciate you sending all MY personal information to…

I guess it doesn’t matter who you sent it to, not like you would know.

So what can I do about this? Nothing. Colorado’s unemployment office is so backed up, a human won’t interact with you on the phone. They are scheduling calls a month out. The system is so backed up it’s not scheduling more calls. Call the local police? The detective responsible for fraud investigation is on vacation. Call the state department of labor? They won’t answer the phone and it doesn’t go to voicemail.

So, here is how you will have your identity stolen if you live in the state of Colorado. I tried to provide this information to the State, but no one gives a damn. As a Colorado resident your personally identifiable information is of no concern to the state.