Had to Become a Hacker to Get Unemployment Compensation

What Should Your Grandma Do?

Adam Hughes
Level Up Coding


Sigh — I don’t want to have to use my 1337 H4X0R skillz, Pennsylvania.

Update 8/10/19: I did receive the PIN in the mail and was able to file back-dated biweekly claims pretty effortlessly. Kudos to the website for a good user experience at this point.

Foreword

While the state of affairs of the 60-year-old core unemployment system is truly a national embarrassment, I am appreciative of the engineers and staffers bearing the brunt of the calamity and keeping the system afloat. They are essential workers doing their best and deserve our respect and patience. Besides just massive volume, they also have to deal with unemployment fraud and an incomplete system (thanks IBM).

Furthermore, I’m not thrilled about the methods discussed here. But being at risk of missing mortgage payments and hospital bills, I had to consider them. They are not real hacks in any illegal or nefarious sense (i.e. stealing data, compromising systems), and I hope they can help others.

There are also less-technical approaches to bettering your unemployment situation. For example, most state representatives’ web pages contain an electronic contact form. Also consider going to a local unemployment office (yes, they still exist). In addition to conventional unemployment, be aware of other programs such as COBRA (lets you keep employer healthcare if you pay the difference) and PUA (unemployment for the self-employed).

July: What a Month

In the first quarter of 2020, the startup I was working at was doing great. Our sales were up; we were growing; we were hiring. By July 7th, I was laid off, along with 15 other folks while the remaining employees all took pay cuts and the business rapidly pivoted towards new revenue streams. So here I am, PhD, 5+ years experience, new house, wife newly diagnosed with a rare blood cancer and no income, severance, or healthcare. Great.

Applying for Pennsylvania unemployment is fairly straightforward, and giving credit where due, their website is actually pretty functional. The application process is straightforward; however, it requires a federal employer identification number. Entering this incorrectly causes the entire form to stall (progress can’t be saved), and so I had to apply numerous times while my employer sent me guesses as to the correct suffix. This turned out to screw up my application — more on that later. After applying, you then wait for a 4-digit PIN to come in the mail. There’s no way to track this, nor to check the status of your application. The PIN should arrive in 7–10 days. After three weeks we were still waiting for ours and had to get in touch with them.

Without a snail-mail PIN, there’s no way to check claim status or file for benefits. Can’t tell if my initial application is processing, incomplete, etc.

Phone System Auto Dial

Initially, I called the unemployment office about 20 times a day, only to get a busy signal each time. Doing some Googling, I realized people actually call the unemployment line hundreds of times per day and never get through!

I downloaded a free app called Auto Redial and proceeded to call them 1500 times the next day, getting through not once! At this point, I realized my wife and I were in trouble.

Call PA Unemployment up to 10,000 times at 5-second intervals

Eventually, I did get through this way, but check out some of the other things I did or almost did in the meantime!

Chat System JavaScript Execution

PA Unemployment has a completely useless LiveChat feature. Unlike most chat windows that accept your information and put you in a queue, this one simply disconnects you, requiring info to be reentered before retrying. Imagine manually filling out your name, email, SSN, etc. 100 times on repeat just to get the web equivalent of a busy signal.

PA Unemployment: enter info, get disconnected, repeat — bro do you even queue!?!?!

Enter modern hero Reddit user Computer_Mutt who created a nifty JavaScript program to automate chat form reentry. It is actually pretty easy to set up if you’re technical, but gee the average layman has no chance!

  1. Add and enable a Chrome browser extension called Violentmonkey.
  2. Copy the JS script from Reddit into the Violentmonkey editor.
  3. Update the script with personal info for chat fields like First/Last Name.
  4. Associate the script with the chat page in the Violentmonkey menu.
  5. Navigate to the page and voila. The script will auto-retry the chat.

PA Unemployment with JS to fill in fields and retry automatically.

Despite letting this run for probably close to 20 hours over consecutive days, I still never got through and am convinced there’s actually no one on the other end of that chat window.

Email Automation (didn’t need to use this)

The unemployment website recommends emailing if you can’t get through by phone. I did so several times through July but never got a response, so I considered maybe sending several hundred or thousand emails instead...

Basically, it involves a Python script and AWS Simple Email Service (SES). SES integrates with an existing account such as a personal Gmail and sends emails through it.

AWS SES birds-eye view

My reasoning was that if I send an email every 5 minutes, possibly from a different sender address to maybe trick spam filters, maybe I’d get a reply. I decided against this approach because emails are likely queued in a first-come-first-serve fashion. Hence, no matter how many I sent, they wouldn’t be seen any faster and I’d just be clogging up the system down the road. Seemed like an unproductive endeavor, and according to their help page, PA Unemployment does appear to be making best effort on emails.

Daily banner on PA Unemployment site tracking email responsiveness. Yikes.

PIN Cracking (didn’t need to use this either)

Going 3+ weeks without this damn snail mail PIN, I decided to just try a random PIN to see what would happen. For example, consider SSN 123–45–6789 and PIN 1234.

Unusual response when logging into bogus account

Being a web developer, I noticed a couple of peculiarities:

  1. It took about 5 seconds (a long time) between pressing login and getting a response.
  2. It responded with a 500 Internal Server Error.

A bug-free system would have returned a 400 error with a helpful message such as “social security number invalid” or “login not found”. Furthermore, the slow response time leads me to believe the web application is not fully separating the authorization process from the actual business logic of the system. Further, I would posit some other standard practices in the login process are lax, for example in regard to rate-limiting or rejecting too many consecutive requests from the same IP address.

Example of a modern web stack in AWS where auth is handled by API Gateway and Lambda functions. Both of these are separate from the rest of the website and can scale automatically to meet traffic (i.e. lots of logins). https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

All this taken into consideration, it probably would have been possible to simply try every possible 4-digit PIN (0000, 0001, … 9998, 9999) until one worked. Their system really ought to make this an 8 or 12 digit PIN.

Since there are only 10,000 possible combinations, and since web requests can be sent concurrently, I could probably have tried them all in 10 minutes without putting too much strain on their system. A Violentmonkey script similar to the LiveChat solution would have sufficed, or I could instead have used Chrome dev tools to record the login POST request and resend that from Python or Postman.
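The rate limiting and lockout that the login page appeared to lack can be sketched server-side as follows. This is an added example, not code from the original article or from the PA system; the policy constants, the `LoginThrottle` class and the `days_to_exhaust` helper are assumptions chosen for illustration, and the plain-text PIN store is a constructed stand-in for a real credential store.

```python
import hmac
import time
from collections import defaultdict, deque

# Assumed policy values for illustration; tune to your own risk tolerance.
MAX_FAILS = 5             # wrong PINs allowed before an account locks
LOCKOUT_SECONDS = 15 * 60
IP_LIMIT = 20             # requests allowed per IP ...
IP_WINDOW = 60            # ... in any 60-second sliding window

class LoginThrottle:
    def __init__(self, pins, clock=time.monotonic):
        self.pins = pins                   # {account: pin}, constructed demo store
        self.clock = clock
        self.fails = defaultdict(int)      # consecutive wrong PINs per account
        self.locked_until = {}             # account -> time the lock expires
        self.ip_hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def attempt(self, ip, account, pin):
        """Return the HTTP status a login endpoint should send for this try."""
        now = self.clock()
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= IP_WINDOW:
            hits.popleft()                 # forget requests outside the window
        hits.append(now)
        if len(hits) > IP_LIMIT:
            return 429                     # per-IP budget exhausted
        if now < self.locked_until.get(account, now):
            return 429                     # locked: the PIN is not even compared
        stored = self.pins.get(account)
        if stored is not None and hmac.compare_digest(stored, pin):
            self.fails[account] = 0
            return 200
        self.fails[account] += 1
        if self.fails[account] >= MAX_FAILS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.fails[account] = 0
        return 401                         # same answer for bad PIN or unknown account

def days_to_exhaust(digits):
    """Lower bound on days needed to try every PIN of this length on one account."""
    guesses_per_day = MAX_FAILS * 86400 / LOCKOUT_SECONDS
    return 10 ** digits / guesses_per_day
```

Under this assumed policy a 4-digit PIN still falls in about three weeks of patient guessing, while an 8-digit one takes centuries, which is why throttling and a longer PIN belong together. Per-account lockout can also be abused to lock a legitimate claimant out, so it needs an out-of-band unlock path.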

Update: Seems that the 500 error is intermittent and sometimes the site does return a useful response, so maybe I’m not giving enough credit.

Some time later, I did get this more useful 4XX error.

August: Finally Got Through

On August 3rd at 11AM, the redial app finally got through, at which point I sat on hold listening to elevator music for 2 hours! A very helpful associate named Danielle was able to locate my application. Apparently, it had been sitting in an incomplete state since the day it was submitted and never had started processing! This is why the PIN never arrived… a month wasted.

Before going further, consider how gross of a systemic failure this is. First, their website let me submit an incomplete application. Web forms must validate that all required information has been entered before a user can press submit. Not the case here, and I even have a confirmation receipt!

A snippet of the confirmation page after successfully submitting an application, despite apparently having missing required information fields!

The second failure here is one of visibility. Because the PA Unemployment site has no notion of an account (i.e. a username/password login) prior to receiving a PIN, I couldn’t check my application status. But the PIN was never coming because the application status was incomplete. Talk about Catch 22.

Furthermore, they lack an auxiliary reconciliation service which could notice incomplete applications and alert applicants via email or text. If I hadn’t called 2000+ times, would my application have just sat there forever? How many other filings are MIA like this? It’s truly scary — people’s lives could be ruined by this sort of incompetence!

Danielle was finally able to update the missing information and submit my application. As I alluded to earlier, because of issues with the Federal UC ID number of my employer, I had to fill out the application several times. In doing so, I got lazy and must have glossed over some details, resulting in the incomplete form. So please do review your application carefully before submitting it.

So at least I’m getting money now, right?

Nope, all of this effort was just to get my initial application started — a process that literally takes 15 minutes for most people. I still have to wait for both the elusive PIN and approval paperwork, not to mention an “email confirmation in the next few days”… really days? Since I worked in NJ last year, the PA and NJ systems have to interface before approving my request; this will surely delay the process further. I’ve been assured that one may back-date claims so as to recoup missed filing periods. If lucky, at this pace I’ll get my first check in October, just about the time our savings will completely run out. At which point I’ll probably have become an actual hacker, doing anything to survive…
