Posted by: David Schneier
ACH, bank, banking, checks, compliance, identity management, identity theft, regulations, regulatory, Regulatory Compliance, remote capture, remote deposit capture
Before I even get into the nitty-gritty of the post I have to point out that in the time it took me to choose the topic and start writing I’ve already thought of three perfect ways to steal your money via remote deposit capture. Seriously, this is a hugely bad idea that will lead to hundreds of millions (if not billions) in stolen funds before someone finally pulls the plug or figures out a way more secure way of doing this sort of thing.
Before you read any further please fire up Netflix or hit up Redbox and rent “Catch Me If You Can” the DiCaprio-Hanks movie about Frank Abagnale Jr. the infamous check forger. The movie covers in sufficient detail how Mr. Abagnale figured out how to forge checks and stay one step ahead of the law for years. Take sufficient notes and then consider remote deposit capture and how it solves so many of the issues he had to figure out work-around’s for.
I’ve written in the past about how insane I think it is that we send unsecured documents via the mail that contains all of our bank account information including name and address without so much as a second thought. When you consider how relatively pervasive ACH payments are these days (I pay at least a half-dozen of my monthly bills that way) I’m amazed that hasn’t become the newest criminal hot spot. And now we’ve gone and made it that much easier to exploit this antiquated and poorly designed system of moving our money around. You no longer need to even steal a persons check book, you only need to make copies of their blank checks so that later on you can fill in the appropriate details and use remote capture to process it. When you consider the amount of time it would take to even figure out what just happened the thieves will be long gone. First a person has to get their monthly statement and even figure out that a rogue check was presented against their account (and if you keep the amount small enough that might not even happen). Then they’d need to contact the bank who would have to investigate and pull up check images to try and verify the customers claim. By the time that all happens it’s potentially been at least a month, plenty of time for the perpetrators to close the account where funds were deposited and move on. And with bank accounts being setup online all the time you wouldn’t even have video footage or images of the people behind the theft. And that’s only one possible way to use remote deposit capture to rig the system (I’ll keep the other ideas I have to myself lest this post become a self-fulfilling prophecy).
Seriously, if the banks introduced a new service offering where you can pay for purchases by simply sending a copy of your credit card you’d all think it insane and no one would use it. How is this any different? If the stores and restaurants we frequented required that they make back-and-front photo copies of your credit card for their records you’d stop using your credit card. But with checks it’s not so big a deal?
With regards to remote deposit capture, all because you can doesn’t mean you should.