Outdated Tech Opens Doors to Fraud
Two incidents highlighted last week drove that point home, loud and clear. One involved our old friend the counterfeit check. That tried-and-true fraud scheme continues to plague financial institutions. And it seems that our foray into the realm of check imaging is making it even easier.
A report hit the wire last week about an innovative check-counterfeiting scheme out of Russia that involved the interception and duplication of information from check images. Now that we've moved into an imaged environment, instead of storing warehouses full of paper checks, most institutions simply store images of checks for their backup and records. Those images have to be housed for seven years, to comply with NACHA - The Electronic Payments Association requirements. Rather than keeping that backup in-house, banks and credits unions more often than not outsource the storage to third parties that specialize in check-image back-up.
Unfortunately, too many institutions continue to rely on outdated check-verification methodology.
Some smart crooks in Russia figured out that accessing those databases is pretty easy, since the databases are not encrypted. The criminals got in and then downloaded check images that included all kinds of good information, such as routing numbers, as well as accountholder names, addresses and signatures. From there, the fraudsters printed out fake checks with the duplicated information and began sending those checks to money mules in the United States.
The money mules then deposited the bogus checks into accounts from which the Russian hackers withdrew funds. SecureWorks Inc., the security company that uncovered how the hackers were getting in, discovered that more than 1,200 legitimate accounts had been hit with fraudulent withdrawals totaling at least $9 million.
Since banking institutions themselves have little control over how the images are secured, they can't really do anything beyond relying more heavily on analytical software to detect when checks coming in from certain accountholders appear suspicious. Unfortunately, too many institutions continue to rely on outdated check-verification methodology, which, surprising to me, often involves whole departments of human beings tasked with manually reviewing suspicious checks that come through.
In today's day and age, that kind of thing can be automated. And without strong, detailed rules in place about specific accountholder behavior, this type of fraud won't be detected. It definitely won't be detected by a person who does not have a 360 perspective of the account or the accountholder's normal activities.
It's interesting that check fraud continues to be a big problem for U.S. financial institutions. In fact, low-tech fraud still seems to cause some of the industry's greatest headaches. Michael Benardo, who heads up the Federal Deposit Insurance Corp.'s Cyber Fraud and Financial Crimes Section, says banks have to balance their efforts to stay ahead of new cybercrimes, while also watching the tried-and-true low-tech fraud schemes - namely counterfeit checks and mortgage fraud, which continue, he says, to pose significant threats.
"Even though the volume of checks is going down, there is still a high volume of counterfeiting going on, especially counterfeiting of bank cashier's checks and bank-official checks," Benardo says.
Beyond checks, ATMs also continue to pose unnecessary points of risk. The highly publicized staged hack of two entry-level ATMs - the Triton RL2000 and the Tranax 1700 - got a lot of media attention last week. Everyone I called about the hack told me that opening an ATM's enclosure is simple, since the vast majority of financial institutions and retailers continue to rely on universal access keys. That's an outdated practice, especially in a day and age when anyone with an IP address can quickly find and order a universal key over the Internet.
The industry has made several strides in identity protection and account security, but stuff like this just makes you wonder. Until every link in the chain is secure, how can the process work? Much of the problem continues to fall back on banks and credit unions that still rely on siloed perspectives, which don't bring the whole picture into focus. Until they get some focus, you can bet fraudsters will discover a way to exploit any opportunity they find.