The Fraud Blog with Tracy Kitten

Outdated Tech Opens Doors to Fraud

Outdated Tech Opens Doors to Fraud

Here's a riddle for you: What do you get when you mix antiquated security technology with the Internet? The answer: A security breach.

Two incidents highlighted last week drove that point home, loud and clear. One involved our old friend the counterfeit check. That tried-and-true fraud scheme continues to plague financial institutions. And it seems that our foray into the realm of check imaging is making it even easier.

A report hit the wire last week about an innovative check-counterfeiting scheme out of Russia that involved the interception and duplication of information from check images. Now that we've moved into an imaged environment, instead of storing warehouses full of paper checks, most institutions simply store images of checks for their backup and records. Those images have to be housed for seven years, to comply with NACHA - The Electronic Payments Association requirements. Rather than keeping that backup in-house, banks and credits unions more often than not outsource the storage to third parties that specialize in check-image back-up.

Some smart crooks in Russia figured out that accessing those databases is pretty easy, since the databases are not encrypted. The criminals got in and then downloaded check images that included all kinds of good information, such as routing numbers, as well as accountholder names, addresses and signatures. From there, the fraudsters printed out fake checks with the duplicated information and began sending those checks to money mules in the United States.

The money mules then deposited the bogus checks into accounts from which the Russian hackers withdrew funds. SecureWorks Inc., the security company that uncovered how the hackers were getting in, discovered that more than 1,200 legitimate accounts had been hit with fraudulent withdrawals totaling at least $9 million.

Since banking institutions themselves have little control over how the images are secured, they can't really do anything beyond relying more heavily on analytical software to detect when checks coming in from certain accountholders appear suspicious. Unfortunately, too many institutions continue to rely on outdated check-verification methodology, which, surprising to me, often involves whole departments of human beings tasked with manually reviewing suspicious checks that come through.

In today's day and age, that kind of thing can be automated. And without strong, detailed rules in place about specific accountholder behavior, this type of fraud won't be detected. It definitely won't be detected by a person who does not have a 360 perspective of the account or the accountholder's normal activities.

It's interesting that check fraud continues to be a big problem for U.S. financial institutions. In fact, low-tech fraud still seems to cause some of the industry's greatest headaches. Michael Benardo, who heads up the Federal Deposit Insurance Corp.'s Cyber Fraud and Financial Crimes Section, says banks have to balance their efforts to stay ahead of new cybercrimes, while also watching the tried-and-true low-tech fraud schemes - namely counterfeit checks and mortgage fraud, which continue, he says, to pose significant threats.

"Even though the volume of checks is going down, there is still a high volume of counterfeiting going on, especially counterfeiting of bank cashier's checks and bank-official checks," Benardo says.

Beyond checks, ATMs also continue to pose unnecessary points of risk. The highly publicized staged hack of two entry-level ATMs - the Triton RL2000 and the Tranax 1700 - got a lot of media attention last week. Everyone I called about the hack told me that opening an ATM's enclosure is simple, since the vast majority of financial institutions and retailers continue to rely on universal access keys. That's an outdated practice, especially in a day and age when anyone with an IP address can quickly find and order a universal key over the Internet.

The industry has made several strides in identity protection and account security, but stuff like this just makes you wonder. Until every link in the chain is secure, how can the process work? Much of the problem continues to fall back on banks and credit unions that still rely on siloed perspectives, which don't bring the whole picture into focus. Until they get some focus, you can bet fraudsters will discover a way to exploit any opportunity they find.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.