Schneier on Security
A blog covering security and security technology.
« More on Kish's Classical Security Scheme |
| Petnames »
February 8, 2006
Check washing is a form of fraud. The criminal uses various solvents to remove data from a signed check -- the "pay to" name, the amount -- and replace it with data more beneficial to the criminal: his own name, a larger amount.
This webpage -- I know nothing about who these people are, but they seem a bit amateurish -- talks about check fraud, and then gives this advice to check writers:
WHAT TYPE OF PEN TO USE WHEN WRITING A CHECK:
If you are a ballpoint pen lover, switch to black ink when security is important. Among water-based inks, remember that gels are the most impervious. But when you're writing checks to pay the monthly bills, only one type of ink, the kind in gel pens, has been found to be counterfeit proof to acetone or any other chemical used in "check washing." Most ballpoint and marker inks are dye based, meaning that the pigments are dissolved in the ink.
Based on recent ink security studies, we highly recommend that you use a gel pen, like the Uniball 207 that uses gel ink that contains tiny particles of color that are trapped into the paper, making check washing a lot more difficult. The pen sells for about $2. Personally I sign all my checks and important documents with one. But if you don't want to switch, do not hesitate to to use your favorite fountain pen. Just fill it with ink in one of the more durable colors and enjoy!
I just wish they footnoted this statistic, obviously designed to scare people:
Check washing takes place to the tune of $815 million every year in the U.S. And it is increasing at an alarming rate.
Posted on February 8, 2006 at 7:57 AM
• 57 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
haven't check washers gone high-tech? A simple scan, photoshop, color print seems easier than all this acetone. Seems most color scanners are good enough to override quite a bit of the anti-copying tricks used on some checks.
Magnetic ink toner cartridges are available too, so even that part of the check could be duplicated (although most places don't check for magnetic ink before accepting a check).
Amateurish is a good way to describe the site.
I found Frank Abagnale's book, The Art of the Steal, to be a better (and more entertaining) resource for information on this topic.
"Personally I sign all my checks and important documents with one."
Shouldn't he be more worried about filling out the amount and payee of the check with this pen, then? It seems like the signature would be the one thing you would WANT to get washed off by would-be fraudsters.
"I just wish they footnoted this statistic"
I find that particularly annoying.
There's a well known author on security matters who quoted many facinating statistics in a couple of his books, with no footnotes to ease follow on reading ;)
On a slightly lighter note, should the NSA be monitoring laundromats for signs that folks are leaving their checkbooks in their clothes? ;-)
In the grand scheme of things, strengthening defense against checking washing will likely have little effect on the overall security of checks as a method of payment.
The truth is, fraudsters don't need to tamper with the original check, they can simply print another one with the same routing/account/check numbers. The vast majority of checks are processed without any verification of the signatures.
Be careful regarding fountain pen ink. Most fountain pen ink is designed to be water soluable, so the nib can be cleaned should the ink dry up. I've actually spilled a cup of water and washed Waterman Blue right off the paper.
If you must sign a check with a fountain pen, I recommend using Noodler's Ink Black, which is waterproof and bleachproof. (www.noodlersink.com)
There actually is a market for all sorts of specialty inks. I like writing with fountain pens and bottled ink. Noodler's Ink is an interesting company that sells small batch inks, including "Bulletproof Ink" which claims to be impervious to water, bleach and light. They also have polar ink for below freezing conditions.
Went to look up the link, and learned that they now have Blue Ghost Ink, which is invisible in visible light, but shows up under black light. I have no need for this product, but don't know if I'll be able to resist.
Note: they have pages up with pictures of their various ink tests in progress.
Noodler's Ink... I came here to comment on it, but I see I've been beaten to it.
Fountain pen ink is perhaps the most easily soluble of all inks. Noodler's Ink makes a permanent black. (They also make the mulberry-colored ink I prefer to use when signing copies of my book.)
Now I need Blue Ghost ink...
This is reminds me the Hollywood film: "Catch me if you can" ;) (that was indeed based on a true story).
Once upon a time my boss gathered up all the pens in our lab, wrote their names on a couple pieces of paper in their own ink, and then visited the papers with comon lab solvents. Water and ethanol were on the list, I don't remember if he also tried methanol, acetone or acetonitrile or not.
The winner in his little experiment was the "Pentel Hybrid Gel Roller", but he was approaching this from the "Oh hell, my notebook!" point of view rather than the "Could you remove this if you really really wanted to?" point of view.
I'm not vouching for anyone's web design.
The final product of "washing" is rarely convincing. To view the process see:
Project Check Washing : www.celtickane.com/projects/washing/
I can't verify any statistics, but I can verify the crime--but that's only part of the story.
A while ago, this was a big deal where I lived. I am not making up how this works. People in need of money would steal a truck, ram the truck into a public mailbox. If the mailbox opened, they'd take all the mail and leave. If it didn't open, they'd take the mailbox away and beat on it with sledgehammers until it opened. Then they got lots of mail to look for checks.
They'd wash the checks with solvents, as described, and then they'd go to a place where you can buy large appliances (microwave ovens, etc) and write a check. Below a certain dollar amount, no ID check was required, and they made sure to stay under that set amount. They would then wait several days (for "their" check to get deposited), then they'd return with the receipt and ask for a refund. The result? Hundreds of dollars in more-or-less untraceable cash.
How do I know? My checks got washed just like this--it was a big pain in the ass clearing that up.
The security holes exploited? Flimsy public mailboxes (mostly rectified in problem areas with monster mailboxes), and far too relaxed ID-checking rules at stores (not fixed yet, because, as Bruce says, the cost of fraud caused by their bad policies is an externality). Hope that provides some more information/entertainment.
@pst re: the movie "Catch Me I You Can"
That move is based upon Frank Abagnale's exploits in the early 1960s and his book, "The Art of the Steal" was mentioned by WLWEsq in an earlier comment.
my worry budget is fully subscribed right now. absolutely no additional worries will be entertained until the beginning of the next worry planning period.
Uni-ball,eh? Not likely. My Cairn Terrierist went through a chew-it-up phase and got hold of one of those Uni-ball pens, yes, a black one, and created a magnificent ink-blot stain on the sofa. Hot water and dish detergent soap REMOVED that "wash resistant ink" from every fiber visible on that sofa cushion. You cannot detect that there was a solid black stain right there in the middle. So what gives? Are the Uni-ball people just jerkin us around here? Permanent ink my eye...
One of my outgoing checks was stolen from my mailbox a few weeks ago. Instead of washing the check, the thieves used the account number to make fake checks (with a fake business name on them) and to setup ACH payments at various places. When I went to my bank to close the account and get the charges reversed, the manager told me that one or two people come in because of stolen checks every day. If you're worried about your checks getting stolen, the best thing is to either use a locking mailbox or send your mail from the post office. And never leave mail in your mailbox overnight.
Why does my bank not let me enable cheques one by one on its web site and let me enter the amount and payee at the same time? It could then cross check when processing the cheques.
I still have to use cheque due to people that can’t cope with electronic payments. E.g. it is possible for someone to not cash the cheque if the don’t have any space left, but they can not reject a electric payment, or even link it easily to the paper forms. A cheque that is stapled on the forms is VERY easy to match up!
Ian, your bank (in the UK) doesn't want you to use cheques at all. Cheques have a strong audit trail: if your bank gets a payment wrong, you can ask them to produce the cheque to show what it really said. With electronic payments the audit trail is much weaker; they have much more opportunity to claim that whatever their computer says is always correct, and/or to claim that you made the mistake. Of course, their excuse for suppressing cheques is that cheques are expensive to process.
Heh, heh... "Recent Case" ... "March 18, 1998"
gotta love the professionalism
Purely a side issue (or maybe a reflection of temporal mores) but I remember, a couple of decades ago on television -- it may have been on Tom Snyder's show -- a Security Expert explaining that you should -always- write checks with fountain pens rather than ballpoints, to avoid readable grooves on the check below.
This is not in itself implausible, but it definitely has a movie-plot component, as in all those films where the detective scrubs a soft pencil over the blank notepad to bring out a copy of The Crucial Note.
Surely it can't be hard for banks to print blank checks with ink which is soluble in pretty much everything except water?
Here's an interesting additional feature of gel pens from http://en.wikipedia.org/wiki/Gel_Pen
"A tremendous advantage of gel pens is that they resist laboratory analysis. The American Secret Service has maintained the International Ink Library for many decades. Because manufacturers change their ink formulas slightly from year to year, thin-layer chromatography can be used on ink from traditional pens to trace the manufacturer and date of manufacture of most inks. The pigments in gel ink do not dissolve, and therefore cannot be analyzed with TLC."
It's funny to be reading this today.
I just had a batch of outgoing mail soaked overnight by a cat / citrus cleaner mashup. All the checks were completely washed clean of ink, while the printed bill inserts were all fine.
There was a nice blue watercolor field left over on the paper from the "security" envelopes that washed out their coloring.
checks? I have not written out a check for 10 years. So we do still use them then eh?
Filias: Indeed, that's one of the several security measures most cheque-printing companies use, and have for a long time. Apply solvent to a cheque and you're likely to end up with obvious stains from the dyes embedded in the paper. I'm surprised we're hearing about this threat now, because I thought standard precautions had already rendered it pretty much obsolete.
I did some digging and found that this is actually a project of the National Consumer council. It looks to me as if the group has not actually done much on this project since 1999 which eplains the look of the site. It also means that following up the statistic is next to impossible.
I tried to send a trackback link but it seems to be turned off, more info at:
I write all my checks in technical drawing ink with a graphic pen. Actually I write pretty much everything that way. I'd had enough handwritten memos unintentionally obliterated by the washing machine, so I switched to something indelible some years ago. If you don't feel like using a Marsmatic or Rapidograph, art stores sell some fairly inexpensive india pens. Besides being indelible, quality drawing ink is much blacker than the crap that comes out of a ballpoint pen; after a short while you start to appreciate how much sharper and easier to read it is.
The problem with graphic pens is you can never loan them to anyone. I've had two nibs destroyed by people who treated them like ballpoints or felt-tips. It's very pathetic to see the tip bent over like that. Brutes.
Shortly after 9/11 my post office removed all the street mail drops from my area--I assume because they are lazy bastards (which they are). When I complained to the postmaster she told me to leave my mail in the slot for the carrier to pick up. No, thanks.
This happened to my brother about four years ago:
He ususaly wrote out his checks with a marker pen. The pen did not have enough pressure to leave a mark on the carbon-paper, so he traced over the ink with a regular pencil. Somebody stole his mail and attempted to wash the checks. It turns out that their washing procedure removed the ink, but not the pencil tracing. The criminals were too incompetent to notice; apparently they had a big table where they washed dozens of checks at a time. They didn't notice that a small set of checks were simply not washing clear, those pencil-traced checks stayed on the table for weeks while hundreds of other checks were washed all around them. Nor did they think to take an eraser to the pencil marks.
Eventually, the police raided the place and figured this all out. Thus, the pencil is even mightier than the pen.
In Europe, all cheques are printed on CBS1 security paper, which visibly reacts to solvent attack.
Fugitive inks can be used to print the background which will 'bleed' when attacked.
Surely the US has adopted these standards?
All too many North American banks implement personal account security on something of a capabilities model: anyone who knows the account number has access to the account. There's no point in using fraud-resistant cheques when many banks will honor a sheet of plain paper with an account number on it.
I've been working for a while in a cheque-processing center, and we've seen cheques were transparent tape had been applied on the amount and beneficiary.
I am sure that is "solvent-proof", tho.
Why on earth checks don't have some part of it printed in a way that it would be bleached with those solvents.
If the field part of the check had a background printed in two inks, one that is resistent to bleach and other that is not when a crook would try to blank the check it would remove some of the ink and make it invalid.
It could even have a string of "Void Void" writen after one of the inks is removed.
Remember that, unlike checks which are designed to absorb ink, couches are chemically treated to repell anything from the fibers. Stain resistant technology has gotten pretty good.
"I've been working for a while in a cheque-processing center, and we've seen cheques were transparent tape had been applied on the amount and beneficiary."
Do check processing machines have a problem with checks like that?
>>I write all my checks in technical drawing ink with a graphic pen. Actually I write pretty much everything that way<<
Actually 'India' type drawing inks are considered less desirable for security because they sit ON the paper and do not tend to penetrate the fibers. This is an issue that museum conservators need to be careful with, as the ink can actually begin to fall off of old drawings.
"There's no point in using fraud-resistant cheques when many banks will honor a sheet of plain paper with an account number on it."
I wonder how long it will take before every crook prints his own checks instead of washing them.
There are reasons I just generally don't use checks. I hate them. They are a waste of money for the most part. And nowadays, they pretty much just function as a stand-in for an electronic transaction anyway.
Since I don't get originals back anymore, I really have no use for them.
A couple of years ago, after a number of questions over a disputed bill, my medical insurer issued me an additional check, which was apparently simply printed with a b&w laster printer.
I called and questioned them, because the printing on the check told the receiving party to look for the color change in the light and other special security features. The insurance company told me to go ahead and deposit it.. I did, the bank accepted it and nothing else came of it.
So much for security features.
jayh> Actually 'India' type drawing inks are considered less desirable for security because they sit ON the paper and do not tend to penetrate the fibers.
That's more a factor of the paper than the ink. Yes, thick layers of true india ink deposited on slick pages act more like paint than ink. Check paper, however, and most writing paper, takes up technical drawing ink quite nicely. You'd have to take a lot of paper away to get under it. Far more, in fact, than with ballpoint or gel, since the drawing ink is actually a liquid.
jayh> A couple of years ago, after a number of questions over a disputed bill, my medical insurer issued me an additional check, which was apparently simply printed with a b&w laster printer... So much for security features.
Sounds to me like the security feature worked perfectly. You verified the check before you accepted it. Of course the bank didn't scrutinize it; they don't care one way or the other. You're the one who loses if the check is fake.
Hmmm - I honestly can't remember the last time I wrote a cheque - I make about 10 payments a month, all by direct debit or Internet banking. FWIW, I work in the internet banking division of a bank, and am EXTREMELY aware of any (all? ;)) security concerns.
>>You verified the check before you accepted it. Of course the bank didn't scrutinize it; they don't care one way or the other. You're the one who loses if the check is fake.
Yes, normally that's true. In this particular case, if the check failed I could have gotten the insurance company to replace it with a 'real' check.
I work for a check printing company, and would not use a pen to write out a check. I print all my checks using a laser printer with a MICR toner cartridge and fuser. If they want to wash off my signature, they are more than welcome to. If they somehow manage to scrub the check, it will still be magnetic and can be disputed.
That being said, writing a check for somebody is the easiest way to invite identity theft that I can think of.
I read about this some time back and had just purchased some pens recommended by CoolTools (Uniball Signo Bit), so I decided to do a test. I only used three solvents--Acetone, Ethanol, and Amonia--but I use quite a few pens. The article is at http://willmores.org/?q=node/45
I'm looking for suggestions for more pen types and for more solevent types--keep in mind it has to be a pen/solvent that I can *find* commonly. Unless you want to send me some, that is. :)
willmore> I'm looking for suggestions...
These are all very bad for you but found at many hardware stores in the paint/lacquer thinner section. You may have to read side labels until you find them, since they tend to be branded with less scary names.
Methyl ethyl ketone
Trichloroethane in particular is an excellent solvent for practically any kind of adhesive or gum, and leaves no residue. It's also non-flammable at most reasonable temperatures, which is a big reason it is used in vapor degreasers, which heat the stuff to vapor temperature at about 160F. That said, I don't know how it would do against most of those inks, but if you have access to a vapor degreaser and a decent health insurance plan, try putting your test subjects in the vapor for a few minutes.
For bleaching agents, don't forget to try good ol' chlorine bleach.
I'm confused, here you say ethanol, but on your page you say methanol. Which was it? Did you try the old standby isopropanol?
I have to hand it to you--you've found a great new context for the term "pen testing". :^)
Frank Abagnale has been working this issue for a while, and recommends a specific type of pen (he worked with the manufacturer on the specs). See
Probably he's making money on this, but given his expertise, I'm inclined to trust the recommendation.
The type of "Royal Blue" fountain pen ink that is most commonly available here in The Netherlands, and that is used in some elementary schools, turns into something colorless when it reacts with a chemical sold in felt-tip pens called "inktwissers". I don't know what the chemical is. I believe that "Royal Blue" is not common in the US; at least, I cannot remember running across that color when I lived there and occasionally bought fountain pen cartridges.
I'm trying to wash my own travelers cheques, lol. Long story short, I signed in the wrong place on all 200.00 worth of cheques and both my bank and the cheque company refuse to reimburse me or cash the cheques, even though I have proof of purchase (from my own bank no less) and the cheques in hand. I tried acetone, but all it does is eat through the background color of the cheque, not the actual ink itself. Guess I have to eat 200.00. Last time I ever purchase the godforsaken things.
What is the wash? The stated principles versus reality. The stated law versus reality.
The $815 million figure is utter crap.
I happened to be reading about ACH fraud the other day (yes, I need a life..) and came across a reference to an American Banker article from April 6, 2006 -- ""Shifting Payment Patterns Altering Fraud Landscape".
According to what I read, that article claims that:
Check fraud in 2003 was $677 million, and ACH fraud was $65 million in 2005.
Even if we ASSume that the $815 million is a proper number, it undoubtedly refers to all check fraud, not just the "checkwashing" kind.
Better ID-checking policies don't matter much unless everybody has a tamper-resistant, forgery-resistant ID.
I really can't believe that one of the most technologically advanced nations on the earth is still using checks.
Almost *NOBODY* here in Australia (at least nobody under the age of 60 or so) uses checks at all.
We have this amazing thing these days called the internet. Banks are on it too! All internet banking sites in Australia allow you to make a deposit into someone else's account - all you need is the bank number and the account number. And we've been doing this for more than 10 years.
If you pulled out a checkbook at a supermarket, chances are that the cashier wouldn't even recognize it.
I charge a $20 fee to anyone who wants to pay me by check - because I have to make a special trip to the bank to cash it.
Checks should be consigned to the trashcan of history.
A friend had some outbound cheques stolen from the mailbox. The thieves washed the checques and used one to pay their electric bill. They wrote their account number in the memo field, which made it easy for the police to catch them, along with their trays and chemicals.
if ur thinking of trying to earn some money by check fruad just sell the cheque books and the garuntee card with it its that simple
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.