Schneier on Security

Since [s]he gives you the pin: could it be the ink isn't washable... it's the dry up to nothing kind so [s]he never washes the check. Of course, the signature would dry up to so he would probably have to trace it with real ink before it vanished then wait for the other part to disappear before changing everything else.

Bruce> Why does this sort of attack still work?

Maybe because banks don't even look at checks any more.

On multiple occasions I've had checks paid by my bank in the wrong amount, despite the correct amount's being clearly written in both the numeric and text field. When I've visited them to fix it they've told me it was an "encoding" error and that it happens all the time. In response to my assertion that, given that correct handling of monetary amount is the primary function of a bank, this kind of error is unacceptable, a shrug.

As far as I can tell, the banks all stick checks in an OCR/scanner machine and that's the end of it as far as they're concerned. If they don't notice an incorrectly "encoded" paymount amount, they certainly aren't doing anything to inspect the security features of the check.

Add to that most banks are delivering only fax-quality electronic scans of the checks (and many are pushing customers to online statements), so the paper record is lost and the electronic one is too degraded to prove to anyone that an alteration occurred.

In this particular scam, if the con refrains from changing the amount, the mark may well never even notice the transgression, since a lot of folks just make sure the amount in their registers matches the amount reported on their bank statements, which is still true if only the payee is modified.

"Just make the payable to 'Citizens Alliance to Save Humanity', or just abbreviate it. Thanks!"

The checks generally reveal erasure only if the fibers/suface lines are physically distrubed by the physical process of erasing. The ink in this case is bsed on a opto-chemical change and leaves the paper undisturbed except for the initial indentation in the paper due to the pen pressing on it, so felt tips are preferred by these con-artists. Most people would never think about invisible/disappearing ink being in the pen. This is one case where "the paper it is written on" IS more valuable than what is written on it.

Maybe we should make sure the banks checks are printed on this paper instead (lol).
http://hardware.slashdot.org/article.pl?sid=06/11/27/0549252
Just make sure the paper "recycles" faster than the ink!

Similar concept: people at a checkout signing credit card receipts with their own pens (I typically do so cause its in my pocket and handier for me to get at, as well as to avoid sharing germs) but with disappearing ink.

Of course the credit card companies dont require signatures, they expect you to pay even when they have no signature and a merchant fantasized the transaction, so this scam probably would fizzle pretty quickly.

They wouldn't even have to trace the signature in the U.S.; almost all banks do not verify signatures on checks under $5,000.00, which would pretty much cover most personal transactions. Once the bogus amount/payee check is cashed, the consumer is responsible for the overdrafts until they can file a complaint. Even if the bank decides to reimburse the customer the amount of the bad check (which is not a certainty, and at least one bank has successfully used the "it's too small of amount" defense for processing checks with bogus signatures under $25K), the downstream effects for the consumer can get pretty severe. The bank has up to 30 days to review the claim, and the consumer is in the meantime trying to cover their legitimate checks and fend off various late/bounce/overdraft fees from those accounts.

In a similar situation, a bank stopped payment on a sizeable check that I had deposited from their consumer, claiming "double posting." What happened was that the check processing bank (which was separate from the depository bank) had posted the payment to the depository bank twice while I only received one payment. The depository bank correctly (in their eyes) issued the stop payment, and the check processing bank, instead of noting the one pay/two post situation, forwarded on the stop payment to my bank. The reason I won that dispute was not because the banks realized their error (because my bank's records of one deposit were not "sufficient proof"), but because they filed the stop payment more than 30 days after the check cleared, and had lost the right to stop payment for that particular reason.

Finally, since most fraudsters can easily obtain commercially available check stock and check printing programs for their home computer, they don't need to go through all this; they can simply obtain account numbers (and preferably a near current check number) and print their own checks.

@Bruce
"Why does this sort of attack still work?"

I certinly wouldn;t be surprised to see this work on the "specialty" cheques one can purchase from magazines (the ones that print pictures of your family, special interest themes, etc.) -- as they do not use the same robust security measures as most bank-issued cheques.

I was the fraud officer at my company credit union in the late 80's. Folks don't fake many checks because they get caught too easily. Not by the bank, by the customer. The bank can't afford to spend (aka waste) resources on verifying checks. It's lots cheaper to have the customers do it. You don't have to worry about scaling to a large number of accounts or about agenda. Each account has its own customer, and they all want to avoid being robbed.

The bank accepts all the checks, the customers complain about the bad ones, you give those customers their money back, as a cost of doing business. No problem. You put the local cops onto the bad checks, and let them pay for the CSI types.

Makes me more and more convinced that the only answer to door-to-door solicitors of any form involves pointing a weapon at them and telling them "get off my land".

Here in the UK there's a big problem with "charity-muggers" - or 'chuggers' - who accost you in the street/mall and try to get you to sign up to making monthly payments to some supposedly-worthy cause. Seems that these slime are operating on front-loaded commission and of the first year's monthly payments you make, the charity sees very little.

A few years ago, a common way of handling checks for banks was to have clerks using a system called TWS (hardware reader and software) to have a human read the amount and the reader OCR the magnetic ink strip and the application would match the amount and strip. This would go into an Oracle database.

Once in the database, a machine called a DP-500 would write the amount on the check in the same OCR font with magnetic ink. The machine would also sort the cheques based on financial institutions.

The hardware was sold and supported by Unisys. Throughput was abour 400-500 deposit envelopes per hours per operator (about 1000 items (cheques, cash, proofs and/or payments) or so).

The thing I'm baffled by is why they would prefer a check? Wouldn't a credit card imprint + CVV be just as good? And I'd imagine that cash would be acceptable, although that would be hard to change the amount of... but it's *cash*. The crook doesn't get as much, but it sure is a lot easier to anonymize.

This would not be a problem if banks were 100% liable for fraudulent transactions (much like credit card companies are today).

If I deny authorizing a transaction involving my checking account under any circumstances, the bank should be legally obligated to
1) refund my account immediately, plus pay some fixed penalty percent (5% or so) and
2) reimburse me for any interest or penalties I incurred as a result of this fraudulent transaction.

Of course, it must be illegal to falsely deny a transaction or to instigate a false transaction - both enforced with stiff penalties.

This would quickly eliminate "identity theft" as well as scams such as this stupid check scam.

I fill out my checks by biting hard into my finger and writing in blood.

I deposited a computer generated $300 check from a major financial institution into my checking account with a 'blank' deposit slip (maybe not so bright) via a real/live teller. When I checked the deposit receipt later that evening it only showed $100 got deposited. (I did NOt request cash back). I checked my account online and it showed the proper deposit. I've actually refrained from manually writing/printing checks... Maybe 8 checks per yr., else I use plastic

The place it happened is a little to close to home for my likeing (same place as the Smart Water Bruce bloged about some time ago). So,

"pointing a weapon at them and telling them "get off my land"

Sounds good. Then reality strikes and you realise that the UK has realy severe gun laws these days (still does not stop drive bys though).

@Chuck

"biting hard into my finger and writing in blood"

In the UK all DNA samples are greatfully received, cataloged and put on a Gov computer DB just for the fun of it (or is it kick backs into political party funds...)

Why are checks still used, what an outdated technology? There's this thing called wire transfers that can be done via the Internet - even on an unsecured network like the Internet, the protocol is safer, easier, and better.

This reminds me of a recent pub incident I had. A woman carrying a can walked through asking for donations for breast cancer.

She wore a tag around her neck and carried a yellow can that just said "Melody".

While many people unwittingly gave her their change, often not even looking at the woman or the can, I felt I had to ask "who or what is 'Melody' -- is that you?"

The woman scowled, said "look it up online" and rushed out of the pub.

So, sure enough, I found it online:
http://www.melody.org.uk/

The site's registered in Dorset "56 St Clements Rd, Boscombe, Bournemouth, Dover, BH1" but has no contact info other than phone and email. Wonder if they are operating out of that warehouse, or the church:

http://maps.google.co.uk/maps?f=q&hl=en&q=56+St.+Clements+rd,+boscombe,+Bournemouth,+BH1&ie=UTF8&z=19&ll=50.728554,-1.851051&spn=0.000774,0.001813&t=k&om=1

I suppose it could be just a variant on the same scam without the need to re-write signed checks...and even if you did write a check to them it would presumably be to "Melody", which seems to have no public records or identity.

Sad how people prey on others' goodwill. That seems to be the real weakness -- human susceptibility to social engineering -- and so the countermeasures are perhaps less about things like pen and paper and more about identity and relationships.

I've wondered about the invisible ink issue at house closings. They insist I use their pen, presumably because mine might have invisible ink. But really, why should I trust them any more than they trust me? Because they're a "company"? Yeah, right, pull the other one.

Modern checks have solid security, but are vulnerable to a "known ink attack". By using a special ink that has a pigment that can be removed by a solvent that has no affect on the check / made non visible easily by chemical means/ that breaks down under UV light( or over time via chemical means) they can bypass the the security measures that are intended to protect against people doing the same thing but versus 'conventional' inks. It is dificult if not impossible for the printers of checks to protect against this without encountering usability issues for the typical user.

The moral of the story is always use your own pens if you are in an insecure environment.

@gigs94

Drying up ink would work fine - I have a friend whose parents have picked up his chequebook by mistake and written out cheques (with their own signature, obviously). The cheques went through (which is how he discovered this) and when he complained, he was told that they don't check the signatures on cheques under £10,000.

"I've wondered about the invisible ink issue at house closings. They insist I use their pen, presumably because mine might have invisible ink. But really, why should I trust them any more than they trust me? Because they're a "company"? Yeah, right, pull the other one."

That's a good point. The safest option would be to sign twice, once with your pen and once with their pen. But there's already too much signing at a house closing.

In the original check case, the person
writing the the check should use their
own pen for amount and payee. But it
should be signed used the accepting
person's pen.

@L8shift:

This is normal. Most banks will credit you the first $100 of check deposits (or ATM deposits of any sort) each day, and then provide you the full amount when it can be verified. This usually happens overnight, but occasionally will happen mid-day.

I dont want to be rude, but are you still using checks as a payment method in UK and US? This possibility has ceased to exist in sweden many years ago, due to many reasons (high cost, security,...)

Secure transactions with credit card is the solution, not spending time on who to solve a problem with an out-to-date technology

@ David Ottenheimer:

I notice that 'The Mirror' have come across these miscreants as well:

http://www.mirror.co.uk/news/mirrorinvestigates/tm_column_date=01062006-name_index.html
(Further down the page - search for 'melody')

I couldn't find anything at companies house or the charities commission about them.

Michael: what is this "secure transactions with a credit card" of which you speak?

Bruce said:
"That's a good point. The safest option would be to sign twice, once with your pen and once with their pen. But there's already too much signing at a house closing."

In house closings, the signator should be suspicious of the printer, not the pen used to sign.

@Michael

"This possibility has ceased to exist in sweden many years ago"

Yup and if I remember correctly from what I was told six years ago you also have 2% savings tax on capital as well as further tax on any interest earned.

I like cheques for a number of reasons most of which are the same as why I do not like Direct Debit Cards and to a lesser extent Credit Cards.

With a cheque I have a greater degree of legal protection and control, and more importantly verification that can be presented / tested for any legal action (including fairly well understood forensic techniques).

Effectivly the criminal has in the UK to obtain a cheque from your book, and forge your signature, and for most cheques (crossed) also pay it into an account, which leaves two financial institutions liable if a fraud is commited.

Forging the cheque is at best difficult and each is unique (unlike Credit Card slips) and I have control over them.

My signature likewise needs to be forged, which is a bit harder than getting a copy of a four digit pin number.

Also I can put a cheque in the post to companies without endagering anything other than my signiture, which is not true for Credit or Debit Cards.

Electrons still cannot be tested for fraud in any meaningfull maner, and please do not talk about digital signatures most implimentations are not worth the paper their specs are writen on.

To a certain extent the Legal System in the UK still has faith in this concept, of a unique financial instrument endorsed with a persons signature, and it's implicit and testable safe gaurds.

Even these cheques that have had invisable ink used, will still leave evidence that can be tested for fairly easily, and a court will accept that it has been tampered with and is no longer valid. It is then upto the Bank to prove who has commited the fraud.

Obviously, fraud happens, and people get away with it and other people get hurt.

I think...

Several years ago I was the victim of debit card fraud and credit card fraud (just a few months apart). After making a few phone calls, going to the bank to fill out a report, and putting fraud holds on my credit... nothing bad happened. The money was all returned or transactions removed, and I presume the banks or credit company ate the fraud. Perhaps they chased the perps, but probably not, because I was never called to testify.

So, I'm not sure that banks aren't taking 100% liability for it. This was a large national bank chain and a large national credit card company.

Bruce, My company's bank has cashed a photocopy of a check on several occasions.

The banks don't look at checks anymore and they are not required to keep physical copies either. In fact, the bank is not even required to receive a physical copy of a check (in the US) for cashing. A company (a merchant) can scan your check and send the image of the check to their bank for cashing. The fact that a merchant can cash an electronic image of a check and then destroy the physical check leaves the consumer open to various kinds of fraud.

Re: "Just make the payable to 'Citizens Alliance to Save Humanity', or just abbreviate it. Thanks!"
---

In the US, there have been warnings about writing out Internal Revenue Service tax cheques payable to "IRS". The reports claim that criminals can add three strokes to turn the IRS into MRS and, then, add whatever name they want. I am still looking for statistics on how often this has this really happened.

By the way, the IRS->MRS reference can be found on a Uni-ball pen news release concerning identity theft fraud at http://uniball-na.com/main.taf?p=5,8

I'm with Clive on the use of checks, but there's one additional factor for me that he didn't mention. I use carbon-copy checks, which provides the dual benefit of giving me a permanent paper trail for record-keeping and vastly upping the bar for fraud.
Not that the actual checks are any more difficult to fake, but given that I packrat receipts and have carbons of the check, it's much more difficult for the bank to make me eat any error/fraud. Nothing similar is available for any electronic method, particularly in the US, since we're sadly behind in all sorts of financial security areas.

In the UK I'm not sure I could notice anyone attempting to use this to defraud me.

My Bank doesn't show the payee on my statement for cheque transactions only the cheque number. Chnaging this would at least make it possible to the qccount holder to detect the scam.How many people check their statements is another question.

Of course in lieu , of this chnage electronic transactions are possiblly more secure. In fact this week I detected a number of fraudalent transactions made on my buisness partner's debit card against our company account - purely becuase I knew he wouldn't have made any purchases from those outlets.

The bank have promised to refund all the fraudulent transactions which is good news. Less good is AFAICT from other web fora it seems to depend on having a good relationship wiht your bank.

@michael
"I dont want to be rude, but are you still using checks as a payment method in UK and US? This possibility has ceased to exist in sweden many years ago, due to many reasons (high cost, security,...)

Secure transactions with credit card is the solution, not spending time on who to solve a problem with an out-to-date technology"

Personal transactions are not suitable for credit card, one needs a commercial credit card account to receive payment, and there is a charge of several percent.

Checks are preferrable to cash for individuals because they provide some level of receipt.

A while back I received a payment check from my medical insurance company after a review of a claim (normally they pay the doctor directly).

The check looks like it was done in a laser printer or photo copier, because despite plain wording on the check about confirming the color transitions and water mark, there was no such characteristic.

I called to confirm that this was the actual check and not a receipt, and they assured me it was. I deposited it, and it was never questioned.

@Davi: Ironically, melody's web site designer is TDEVIANT.co..., how apt.

"Why does this sort of attack still work?"

Because Americans still use antiquated stone-age payment systems like checks. What is wrong with cash for smaller payments and direct bank account-to-bank account money transfers for larger sums?
Checks are completely outdated, an anachronism from hundreds of years ago.
And don't get me started on plastic money. Why involve a third party in a transaction involving two legal entities? Said third party certainly doesn't do what it does because they are such nice people. They do it to earn money, increasing the price that everyone (even those that refuse to use credit cards) has to pay. And they collect data which is then totally out of your hands and is sold to anyone willing to pay for it (including the government).
"But it's oh so CONVENIENT!" you say? Yeah whatever.

> Because Americans still use antiquated stone-age payment systems

Let me correct that statement: Apparently Americans AND Brits....

@Clive Robinson "With a cheque I have a greater degree of legal protection and control, and more importantly verification that can be presented / tested for any legal action"

Spot on, also, as a small trader, you know you have been paid (... yes, I know...)
but the conditions associated with 'new' electronic methods have allowed UK Banks & UK Gov to reduce/externalise their liabilities and costs.
Bet they'll try to charge us for chequebooks next...

Surprised no one has mentioned anything about squid ink...

Earlier:

As far as I can tell, the banks all stick checks in an OCR/scanner machine and that's the end of it as far as they're concerned. If they don't notice an incorrectly "encoded" paymount amount, they certainly aren't doing anything to inspect the security features of the check.

Checks are handled in an extremely labor-intensive process.

Checks submitted to a bank go through the bank's proof system, which involves a person in front of a machine typing in totals and verifying them against totals defined by the tellers that take in the checks. Tellers are generally responsible for check security, though proof personnel might notice flaws (as they do look at all fields on the check.) Some large receivers of checks perform their own encoding. Once the proof room is finished with a batch of checks, it goes to the sorter to make sure that said check goes to the clearing facility. Check 21 allowed the post-sorter process to occur electronically, so that the physical checks no longer must be flown to their destination. (This is why you do not get your physical checks back in the mail from the bank like you used to, although I think you can still ask for it in some places.) Once the data reaches the payor bank, the payor bank then transfers funds to cover the check amounts to the payee bank. Accounts on either side are reconciled to match the new balance.

There's a lot more that goes on in checks than a simple OCR (indeed, given how most people write, OCR is almost impossible!) I personally wish we were rid of the things, but that's just because I look at all the payroll that goes into processing them :)

At my Real Estate closing, a representative of the abstract company (at whose offices the closing was held) had an unopened bag of cheap ballpoint pens that they opened when all the signing was going to begin and then passed out to everyone. I thought it was just good planning for details, but now I wonder if it wasn't done to prevent this "what about invisible ink?" issue.

I have lots of erasable ink pens. Most are like felt-tip markers. They're for marking fabric while sewing. The ink disappears through water, heat, or simply air exposure.