Facing criticism that they provided space for Web predators, such online job sites as Monster.com and CareerBuilder.com have responded by posting warnings about work-at-home schemes and jobs forwarding money or potentially stolen goods.
But they have failed to adopt straightforward reforms that could have prevented the rampant fraud that recently swept Monster, according to security experts.
Two of the recommended safeguards are: more rigorous background checks to certify that advertising employers are legitimate and identity authentication methods that make it harder for hackers to access the database.
“They should read the job descriptions and ask themselves if they sound like legal jobs — that’s the least they could do,” said Elisa Felix, a San Diego communications worker who responded to a 2005 ad by “Heinkel Intersales” and wound up in a scam funneling stolen money abroad. “I had a trust in CareerBuilder that they would only post a legitimate job.”
In the latest and most sweeping attack, 1.3 million Monster users’ names, e-mail and street addresses were stolen from the site and discovered last month on a computer in the Ukraine. The thieves used the information to personalize e-mails to the victims in attempts to steal their money. Monster a week later said it couldn’t determine how many others of its tens of millions of users were at risk from previous electronic incursions that it hadn’t detected before.
The admission pointed up some long-lasting vulnerabilities of some online job sites: Bogus companies like Heinkel are opening up accounts that allow them to defraud job seekers, even as the legitimate accounts of employers have become easy targets for evil-doers like those in the Ukrainian operation.
The Monster breach is the largest known instance of fraud involving the use of legitimate accounts as an entry point, according to executives at Monster and CareerBuilder.
In an interview, Monster Vice President Patrick Manzo said that gaining access to the corporate accounts that were compromised recently required only a user name and password. “There’s a balance between ease of use and security,” he said.
To security experts like Chuck Allen, who heads a technology effort jointly funded by Monster and other personnel specialists, that practice is unwise.
If someone is searching for a handful of candidates a couple of times a year, a user name and password might be enough protection, Allen said. But the giant staffing companies that set off no alarms when they look at thousands of resumes daily should have to prove their identities by using electronic certificates or a key fob with constantly updating code numbers — something they physically have — in addition to something they know, such as a password.
“The Monster news was sad and surprising — and not surprising, all at once,” Allen said. “Some of these job boards probably have to step up to some manner of two-factor authentication.”
CareerBuilder and Monster each have fraud teams of about 20 people that look for suspicious searches and listings by possible scammers.
The job sites cover themselves against liability in the fine print. In its “terms of use,” Monster says that the company “does not screen or censor the listings. … Monster has no control over user content, the quality, safety or legality of the jobs or resumes posted (and) the truth or accuracy of the listings.”
Site policies on granting database access to new customers vary.
On CareerBuilder, employers pay $600 to gain access to 50 resumes a day for two weeks, and must supply a taxpayer identification number and their own Web site address, according to spokeswoman Jennifer Sullivan.
Monster’s Manzo would not say what checks new customers go through before getting national search packages that start with access to 500 resumes for $975. In a minority of cases, he said, companies get access before the verification procedures kick in.
Of the largest sites, only Yahoo Inc.’s HotJobs requires a conversation before an order for database access can be placed. (Lee Enterprises, which owns the Lincoln Journal Star, is a part of a national newspaper consortium participating in an alliance with Yahoo! using HotJobs.)
“There are a lot of things job sites could be doing to make them more secure,” said Pam Dixon, a researcher whose nonprofit World Privacy Forum wrote an extensive report about job-site scams three years ago warning that criminal access was a bigger problem than the sites were admitting.
In her 2004 report, Dixon documented advertising on online job sites by 23 bogus companies that said they needed financial managers, accountants or other representatives to consolidate incoming payments and forward the proceeds. The companies conducted convincing phone interviews and asked for bank account numbers.
Some hires who had provided banking information to their new employers later found out money had been transferred without their knowledge into the accounts of other new workers, who kept a percentage and wired the rest overseas.
That’s the scheme that ensnared Felix, the San Diego woman. She signed a “sales representative” agreement with Heinkel and opened a Wells Fargo account, as she had been instructed by a company officer, actually a con man working with others.
After securing the bank account numbers of other people who had applied for work, the criminals fraudulently transferred their money into Felix’s account. Thinking those funds legitimately belonged to the company, Felix wired more than $1,000 to Italy. The bank discovered the fraud in progress and tried to collect the other customers’ lost money from Felix, since it had gone into her account. Wells Fargo failed to recover the money after Felix filed for bankruptcy protection.
After Dixon’s report, the major job boards said they were working hard to stop the scams.
But U.S. Postal Service spokesman Doug Bem said federal mail inspectors are still seeing a trend toward job-board recruitment for illicit money transfers.
Users of all three boards have complained that companies to which they applied for work didn’t pay them for work and appeared to be stockpiling Social Security and bank account numbers, as well as e-mail addresses for resale or other misuse.
Posted in Business on Saturday, September 22, 2007 7:00 pm Updated: 2:33 pm.
© Copyright 2009, JournalStar.com, 926 P Street Lincoln, NE