Only a smattering of the total 2,046 voters were registered outside the three districts.

What alerted the elections department to trouble was how quickly the requests rolled in from the same IP addresses.

Jane Watson, president of Tallahassee-based VR Systems, which provides elections software to Miami-Dade and 52 other Florida counties, said the software flags suspicious activity, such as when five or more requests originate from a single IP address.

There are other safeguards, too. When a voter submits an absentee request online, Miami-Dade doesn’t automatically send a ballot. The request is reviewed by an elections department staffer, who must manually sign off on sending it.

The online ballot-request form requires voter information available on a public database of registered voters. It also asks for an email address — which doesn’t have to be real.

Most of the email addresses on the phantom requests were formulaic and clearly fake — the voter’s first name at AOL, Gmail or Yahoo, for example — but the email addresses on at least some of the early requests were accurate. That is significant, because while those addresses are not publicly available from the voter file, political campaigns routinely compile email addresses through other sources.

To submit an online ballot request, the voter must verify a series of skewed letters and numbers — an extra step intended to make automated requests more difficult.

“That’s a barrier, but I’m told that for someone who’s sophisticated enough as a programmer, they can get over that hurdle,” Watson acknowledged.

In the past, Watson said her company has brought in online security experts from Florida State University to test the software and look for loopholes.

But neither the county nor the software vendor have changed their programs or policies since the August primary, Watson and the elections department said. The reason: The existing procedures worked, they said. The phantom requests were caught.

No special skills

Creating a computer program to automatically fill online ballot requests using voter information is not difficult, said Rambam, the private investigator. Pre-written programs, known as scripts, are available online and easy for amateur hackers to modify.

With a little more skill, the hacker behind the phantom requests could have included computer code to keep the program from triggering the elections department’s safeguard, Rambam said.

Once the program has been set up, purposely obscuring its origins through foreign IP addresses is also inexpensive, he added.

“And that, of course, is the most frightening thing: that any moderately or even marginally skilled programmer could have done this,’’ Rambam said.

That’s why the grand jury recommended requiring at least a login and password for voters to submit absentee ballot requests, said Pankey, the group’s foreman. It was one of 23 recommendations proposed by the grand jury, convened after Deisy Cabrera and Sergio Robaina, two Hialeah absentee ballot brokers, known as boleteros, were arrested shortly before the primary last August and charged with voter fraud. Both have pleaded not guilty.

No county official has followed up on the online security recommendation, which, unlike other grand-jury proposals, could be addressed locally, Pankey said Friday.

“You can’t go to your bank account — you can’t go to anything that is secured — without putting in at least a name and a password,” he said.

“Why should the elections be any different?”