Schneier on Security
A blog covering security and security technology.
« Privacy Policies: Perception vs. Reality |
| Contest: Cory Doctorow's Cipher Wheel Rings »
September 5, 2008
Using Shredded Checks as Packaging Material
This seems like a really dumb idea.
Posted on September 5, 2008 at 6:44 AM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
...I cannot believe that. It's The Onion news, isn't it? Isn't it? Please... :(
"Partially Shredded Checks" would be more accurate...check out the picture of that check, the name of the depositor would be clearly visible to the person holding the check fragment.
My advice: don't use checks...ever. Use a bank bill pay service; they send checks that don't have your account number of signature on them.
Yes, its a dumb idea, but come on, its not like bank routing numbers are secret. Everybody has access to them. Pretty much the same with account numbers. There is nothing on a check that should give any criminal the ability to get money out of my account without my permission. As long as my bank is doing its job, that is. . . .
Actually, I don't have a problem with them using SHREDDED (like, to GSA TS standards) checks as packing; the problem here is they are using NON-shredded checks as packing. Of course the risk is that sensitive info slips through unshredded and the cost of preventing it would overwhelm any savings over using popcorn or peanuts.
As far as banks doing their jobs, caveat emptor. When I had a construction loan, the finance company gave the builder THREE draws (~$90,000 in today's money) when I only signed for ONE - then he declared bankruptcy. And I was unable to find a lawyer who thought I could win a suit against them for giving away 60,000 of my dollars where their only responsibility was to hold on to it.
^^ Why are you people complaining? Because Bruce suggested its a "dumb idea" ^^
Initially this seems like a good idea - saving the planet by recycling. But there is an issue. Which maybe Bruce is aware of and maybe the aforementioned posters are aware of. Although no one has clarified it.
The issue is not the leaking of "routing and account numbers for hospitals, medicare, schools, businesses, and personal accounts." This information is public, although for some obscure reason the banks don't really like this notion. I have no idea whom Michelle McBride considers to be the "wrong people" whom would have a "heyday" given such information. Although one should be aware of http://news.bbc.co.uk/1/hi/entertainment/...
So what's the issue? Privacy. Every check has information intended for only the eyes of the buyer and seller (and trusted intermediaries - i.e. banks). This includes the names of seller/buyer and the amount of the transaction. There are good reasons why this information should remain private.
With nothing but the bank routing number and account number someone used my checking account to pay their electric and phone bills.
My bank reversed the charges after I signed a notarized statement that they were fraudulent. Then I had to close the checking account as the only way to prevent them from doing it again.
And because I got the money back, the local police said "no crime was committed".
Years ago, at my request, my bank stopped putting my name and address on my checks. Minimize the available information and you minimize what's there to steal.
Privacy is a real issue, which is why I'm confused the bank isn't "shredding" the documents sideways rather than lengthwise. But, its not like this is a reliable way to get private information.
The situation is that there is really very little risk here to any of the banks customers, but it looks bad and people get emotional over this sort of thing. That's why its a dumb idea.
At a college I went to, they used to shred all the student records with a standard shredder, no crosscut.
This, coupled with the fact that they used wide fan-fold paper and shredded sideways means that they'd leave entire trashbags FULL of little strips of complete student information...
@jeff: If its shredded properly, it doesnt matter which direction it is oriented. The resultant pieces should be small enough that no single alphabetic character would fit entirely on a single shred.
@Roy: Dont you have a lot of trouble getting people to accept your checks without address?
The routing number is public information; the account number is not. The combination of the two - especially with your name, address, and phone number - can allow a miscreant with the right resources to steal from you via electronic transfers.
Is it really private -- let's see the number of people who see accounts/routing numbers:
Buyer + Buyer's Bank
Seller + Seller's Bank
Seller's Accountant (potentially)
Selelr's Auditor (Potententially)
Both Bank's Auditors (potentially)
Multiply that by the number of checks written for a given account, I'd consider the information on a check public (routing number, account number, etc).
Now, the information of person a having written a check for x or y is another story. But if some stranger happens to see that I wrote a check to some pharmcy they still have very little information that they *should* be able to use for anything reliable.
If someone is allowing a transaction soley off of information from a check.. that's just bad.
"The routing number is public information; the account number is not."
You give out your account number every time you write a check. That seems public to me. Also, at my bank, I can figure out the account number of pretty much anyone with an account. Its not published, but its not secret either.
Google "unshred" -- there have been at least academic research demonstrations where all the shredded pieces are scanned, and the software does the "jigsaw puzzle" with the original document emerging whole. Commercial-grade shredding only raises the bar, it won't keep your secrets secure. As Bruce says, attacks only get easier with time!
I've seen a different company ship products in boxes that used shredded customer records as packing material. Shredded sideways and usually stuck together enough that you could find whole pages.
Contact information, billing details, purchase history, etc.
Using shredded checks as packaging material in food would also be a bad idea. Sure wouldn't surprise me if some type of food might taste better with checks in it.
I wish I could just stop writing checks altogether. I currently manage 4 checking accounts (business included).
Ever tried paying for anything online with a check? Guess what information is neccissary: routing number, account number, and checkname.
Regardless of how "public" you consider the information to be, real harm can be done with it. Yes allowing payments to be made with just this information is stupid. We live in a very stupid world with very stupid people in it. This blog should be proof enough of that.
@ Brent J. Nordquist
> Google "unshred"
For a second there I thought you meant Google had a service called "Unshred". That would be interesting, in an insane kind of way. :)
There are actually some pros and cons here, I think. In a perfect world the bank would use one of those companies that brings a mobile destruction truck to shred and burn all of the documents. If the bank isn't going to do that, it might actually be better to distributed the shredded garbage by using it in packaging instead of just setting a bag full of the stuff out behind the bank.
However, it wasn't the bank using the cheques as packing material, it was another company that got the cheques from the bank for use as packing material. Not sure from the information given whether the cheques were shredded before or after the second company got them. One would hope before.
I had an issue with $1200 disappearing. According to the bank, anyone with access to the ACH network and my account/routing numbers can withdraw and the bank is not liable -- I have to take it up with whomever performed the withdrawal.
The bank was completely unhelpful for > 1 month until I discovered and (finally! they listened!) communicated that the contact phone on the withdrawal was internal to the bank. After that it was magically fixed in 3 minutes.
Evidently I could turn off ACH entirely on my account but could not (again, according to the bank -- I didn't talk to an attorney) actually make the bank liable for getting my authorization.
I used to shred my junk mail and old financial documents and use it for small-animal cage bedding, then throw it away. I figured that anyone who assembled doucments from that state had earned some of the money :-)
The problem with shredders in general is that the finer the shred (more secure), the more prone to jamming, burning out, dulling, etc. they tend to be. The only reliable, high security shredders I've ever used were big industrial Defense dept shredders that were made of cast iron and about the size of a minivan and fed by a conveyor belt. This thing could take a ream of paper (500 pages) per second and turn it into a powder. Of course the fibers were destroyed so bad that it couldn't be recycled at the time.
A co-worker pointed the following out to me:
"If its FDIC insured, they are required to cross-cut and filter for remnants size and re-shred. Second, They are supposed to be (banking regulations) placed in a locked trash container until the disposal company collects. Third, even if unlocked, it is illegal to dumpster dive. The company using the shredded paper is liable for the illegal conversion of the bank's trash."
So it would seem there is something far more wrong here than a privacy breach. Not that breach notification laws haven't been triggered here since the information was both PII and financial.
A lot of commenters are focusing on the problem of account information (account number, routing number, name and address, signature).
However, there is a bigger privacy issue with this practice: checks tell who paid how much to whom. Knowing that Jane Doe's address was 123 Fake Street and account number was 123456789 is one thing, but knowing what Jane paid for is another issue entirely. (Posting bail for her child? Paying for breast augmentation surgery? Paying the minimum on her credit card?)
sad that only one customer complained...
I don't think Jane Doe is making a check out to: Breast Augmentation R Us,the check is probably made out to a doctor's office or surgery center.
And besdies, those that know Jane know she did so is it really private?
A little over 20 years ago, we were looking for a less expensive alternative to the wood shavings and sawdust we had been using to bed the stalls of the three horses we kept. We'd heard of people who used shredded paper, and we found a near-local source. Turns out that this was a company (one of several) in the business of accepting paper trash for destruction. A lot of companies generated more paper than they could easily deal with, and it was more cost effective to pay someone to haul it away for destruction (or recycling) than to deal with it in-house.
So we drove down to their lot, and took a few large bags already packed with shredded paper. It turned out to be a poor substitute for the bedding we had been using, so we only did this for a month. The content was a mix, but financial documents seemed to predominate. I never tried to piece anything together, but it was strip shredded (the strips were cut to a maximum length of 2") and partial and occasionally complete account numbers from checks were visible once in a while.
This was, of course, before privacy and identity theft were the prominent issues they are now.
One search on 'ACH fraud' should be enough to convince anyone that not shredding such docs *properly* is quite foolish.
Shredding, per se, is not an issue. If it were, "Fed Shreds" (http://www.chicagofed.org/news_room/images/fedshreds72.jpg) would not be trivially available.
First this is not new I posted some time ago that a company I used to work for used it's shreded financial docs to package goods for dispatch (it took a lot of effort to convince them it was a bad idea, so this "be green" and "save money" idea appears to be quit common...).
Secondly I'm not that familier with U.S. banks but in the U.K. when you open a "current" (cheque) account it is quite normal to recieve a cheque book and a book with paying in and withdrawel slips. The cheques have all sorts of printed features to improve their security, however the slips are done on a lazer printer on plain paper.
What most pepole in the U.K. are not aware of is that if you go to any branch of a (particular) High Street bank with the book of slips and fill out a withdrawel slip and sign it they check if the funds are available and hand over the cash.
When this happened to me the first time I was amased and asked if they wanted to see my passport, and the lady told me quite sweetly that it was not required as I had the book...
The second time it happened I thought about it overnight and closed the account the following morning.
Why because they never actually checked the book of slips, only the slip I pulled out of it.
All that was on the slip was the account name, number and bank sort code. The thought occured to me that I could photoshop a slip with any valid account info in a few seconds and simply print it out cut it to size and put it in my book, then in the bank fill it out and pull it from the book and hand it over...
All the account info and a valid signiture are available on a cheque. Now I don't know about the U.S. but some U.K. Banks have very distinctive cheque colours and patterns that would make sorting a bag of comercially shreded documents and cheques relativly trivial.
Jeff has it right. Routing numbers and account numbers are easy to get, so if those are all someone needs to take money from your account, you're not safe.
The solution, I think, is for the bank to be required to get written permission (or an electronic equivalent requiring a password or PIN that isn't written anywhere) for EACH person or entity that you authorize to take money from your account via "bill paying" services. And for actual checks they should be required to verify signatures.
In California at least, the banks have gotten a law enacted saying best practice no longer requires a bank to check signatures, because it's too much trouble for them. I say repeal it, then if the banks want to continue operating as they do now, they can but they have to bear ALL of the resulting risk.
@Brent J: Indeed - google it. Better still: google "unshred stasi records" (Stasi was the Secret Police of East Germany) to see a practical, working application of the concept.
I don't really understand why cheques are still used so frequently in the US. I live in central Europe, and within the last ten years, I received about 5 cheques (and last time I signed a cheque myself was more than ten years ago). This is though I have several bank accounts and do quite a lot of financial transaction. I am really interested in that question, since the US are a technologically advanced country...
it might actually be better to distributed the shredded garbage by using it in packaging instead of just setting a bag full of the stuff out behind the bank.
Especially if the bag is clearly identified as "confidential waste".
It would also probably be a good idea to shred all waste paper. Not only does this avoid the possibility of someone forgetting to shred something they should it also makes any document reconstruction task harder.
This reminds me of something I read (no sources, sorry):
When former East Germany dissolved, the secret policy did not have the resources to properly shred some of their files so they did it by hand. This resulted in a large number of bags with roughly one to two square-inch sized paper bits in them.
After the good guys got their hands on the bags, the paper bits were scanned and an algorithm was developed that automagically puzzled them together. It seems the same approach would be applicable here.
I think it's a pretty neat idea, reusing shredded materials as packaging, but they need to get a better paper shredder at the bank.
*That's* the real problem. The canning company shouldn't be blamed for using the shredded material as packaging; that's a great idea, and they should be commended for it.
It's the BANK that should be taken to task for letting incompletely-destroyed documents out the door for use as packaging. The stuff they were giving to the canning company hadn't really been destroyed (as evidenced by how easily it was reconstructed, and the information individual pieces had on it), and thus it should never have left the bank's custody.
But assuming the bank was using a better paper shredder, one that actually reduced documents into indecipherable pieces, and tossed non-sensitive papers into the shred bin as well (just to further reduce the S/N ratio), there's no reason why they shouldn't have been able to sell it as packaging material.
If the shredding is done properly, it shouldn't matter what the bank does with it. Sell it as packaging, toss it in a dumpster behind the local prison, use it as compost ... if they can't do any of those things, then they're doing something wrong during the destruction process.
Unfortunately, by concentrating our attention on the business that was using the shredded material as packaging, rather than on the bank that was using a lousy shredder, the problem won't be addressed. The company stopped using it as packaging materials, but that doesn't mean the shredding has improved -- I suspect it's probably just being placed out with the rest of the bank's garbage, now.
If I were a customer of the bank in question, that certainly wouldn't feel like an improvement.
Another question: Why don't postal box rental stores uses all the boxes that get trashed there as shredded packing material. Oh! Right! Because it isn't "blessed" by UPS. That would make too much sense.
In a similar way, a office supplier of mine once* sent a package using "strip-shredded" printouts of credit card names, numbers, expirations, zip-codes for address verification checks, and CVV2s, along with approved-or-denied results at the time of their respective transactions... in a "full database entry of info per strip" manner. Crazy.
* My account didn't stick around to learn if they continued after having it reported to their office and a few others.
Well, I shred everything -- financial and non-financial (except the Victoria's Secret catalogs). Makes it harder to distinguish the financial stuff from the advertisements.
Oh -- and I dump used kitty litter in the bag with the shreds as well. You want to read it? Fine. Wear gloves.
My step daughter just found out that someone has been using her checking account routing number and account number to pay a cell phone bill. The evidence so far points very strongly to someone she knows......her fiance's ex-wife. How can she prove it? Can she call the cell phone company and ask them to give her the name on the account of the bill she has been paying for the last 3 months? Will they give her that information? What would be any other advice for her?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.