Checks: The Most Dangerous Transaction
During this year’s Christmas shopping season, I made some large in-person transactions at the same time as my wife made an online transaction, and my credit card was suspended by the issuing bank for potential fraudulent activity. This happens relatively often, whenever someone’s spending patterns are flagged by the neural-network based automated fraud detection used by all the major credit card issuers. When calling the bank to have the card reactivated, I was told by the customer service representative, “since online transactions are, you know, more dangerous, we tend to notice those.”
This is not an uncommon perception. Many people who think nothing of handing over their credit card or writing a check when at a store or restaurant hesitate to use the same card online, regardless of communication protections (e.g. SSL/HTTPS), third-party assurances like the preposterously-named HackerSafe, or the size and stability of the vendor. After all, it’s the Internet, there are bad people out there.
However, the perception just isn’t true. There are two ways in which the Internet particularly helps thieves, though:
- Once they’ve stolen an identity or credit card number, thieves often use the card online, as they don’t have to present themselves (and thus show up to witnesses and potentially security cameras) to use the card. This is actually probably what the credit card company in my experience meant — not that the transactions are more dangerous, but that fraudsters often use stolen cards online.
- Hackers stealing credit card information online often steal entire databases. They don’t steal your credit card while you’re buying something online — they break into the online store and steal everybody’s card.
However, they could just as easily have broken into the servers of a brick-and-mortar store — it’s not the fact that you used the card online that makes it possible for them to steal it, it would have been just as at risk handing it to a cashier.
In many ways, it’s a lot more risky to make non-cash payments in person! When you hand your credit card to a waiter or clerk or cashier, they could easily copy the number, expiration date, and CVV2 code (the three-digit code on the back that an online site often won’t even get.) With a debit card, they have the opportunity to watch PINs being typed. Whereas in an online store, only relatively few, well-paid professionals will have access to your data (system administrators, etc.), every $7 per hour sales clerk can see a hundred card numbers per day, and probably has significantly more financial motivation to steal them (although in my experience, the fact that someone doesn’t need money won’t stop them from stealing it if they’re the type to steal — just look at Michael Milken, who defrauded people out of hundreds of millions of dollars at the same time he was making hundreds of millions legitimately.)
Some people — usually those of us who remember the days before debit cards — eschew all these fancy online and electronic forms of payment and instead stick to good old fashioned checks. After all, no one can possibly steal those! They’re paper, and have your signature on them. This is the ultimate in perception differing from reality — it’s hard to imagine a less secure way to make a payment than a paper check.
First of all, there’s the ease of committing fraud with checks. A thief with a stolen check (or deposit slip) has all they need to take money from your account — the routing number and account number (found at the bottom of the check in MICR letters.) Note that the thief doesn’t need any kind of ID… or a PIN… or a physical card… or a CVV2 code… or even to know your name. No, the numbers will do. What can they do with a stolen check? There are three basic things:
- Order up a whole book of checks with your information and account numbers on them. No ID is required to order checkbooks online. They can then spend these checks anywhere, and the bank will process them — you probably won’t find out until your account is empty and you start getting NSF notices.
- Remove the amount and recipient from the check and write it out to themselves instead. This is a bigger problem for institutional checks, which are often printed on a laser printer. It’s really easy to remove laser-printed text from an offset-printed check — just lay some Scotch tape over the laser text, rub it hard with your fingernail, and peel the text off. Then you can print out a new amount and recipient with your own laser printer, and it looks just like the real thing. Chemical agents (“check washing”) can do this with ball-point pen ink, too, though it’s not so easy.
- Issue a demand draft (“paperless check.”) This is what happens when you pay by phone with your checking account number, or use an automated bill pay service, or send money via PayPal. Using your routing number and account number, money is simply removed from your account and put into someone else’s. No authorization or authentication is used, your name is not even required. Yes, really. Anyone can do this from any account to any other account. For a while, you used to be able to do this from a web site.
Second, there’s the difficulty in getting your money back or even stopping the fraud! With a credit card (and to a lesser extent, a debit card), it’s pretty simple — you call the bank, say you did not authorize a charge, and the credit card company removes the charge. It is then up to them to prove you did make the charge, such as by getting a signed receipt from the merchant and matching your signature. So long as you report the fraud within 30 days, you are not liable — the worst the card company can do to you is to cancel your card (but you still don’t have to pay for the charge you didn’t make.) In theory, you’re liable for up to $50, but almost no card issuers really charge this since it’s terrible customer service (“Sorry you were stolen from! Give us $50!”)
With checks, the money is already gone. If you report a check as fraudulent, there is no federal law saying the bank is liable — it’s up to the bank’s own policies and in some cases a hodgepodge of state laws whether they have to help you at all. The bank may get back to you in 60 to 90 days (during which you don’t have the money, even if it was the entire contents of your checking account.) You have to report the fraud on a paper letter, with a notarized signature, usually by certified mail. What’s more, you have to prove that the checks were not authorized — the burden of proof is on you, not the bank or merchant — and you have to do it to each party from which you’re trying to reclaim money. If a thief wrote bad checks in 20 different jurisdictions, you may be dealing with this for years.
Worse yet, you can’t stop the fraud from taking place. The thief can keep writing checks on your account even after you’ve started reporting them as fraud, and even after you’ve closed the account. Every time the thief writes a bad check on a closed account (the classic practice known as “paperhanging”, a favorite of Frank Abagnale during his criminal youth), your bank will reopen the account and send you an NSF notice. You have to dispute all of these, too. And finally, your account (and possibly your name) will go into ChexSystems (the equivalent of the credit bureaus used to check people’s checking account history) as fraudulent, which will make it difficult or impossible to get new checking accounts for many years. On the bright side, it will make it harder for the thief to open accounts in your name, but that’s little consolation since he can keep using the closed one he already has.
From a security perspective, checking accounts are horrid. They come from a day when authentication and authorization were unheard-of, and security came mainly from the idea that no one would figure out how to subvert the system.
What can you do to protect yourself?
- Don’t use checks. If any method of payment is offered aside from checks, use that.
- Don’t use demand drafts, either — they’re checks. Don’t pay by phone using a checking account number — use a credit/debit card.
- If you must write paper checks, use them only to pay bills, dealing with relatively trusted merchants. It doesn’t make you totally safe, of course, but it helps some. Use gel ink to write checks (it’s harder to wash), or a dot-matrix printer to print them (the impact-printed ink is nigh-impossible to remove.) According to Abagnale’s The Art of the Steal, this makes check-washing nearly impossible (though ordering up new checks in your name still works.) Incidentally, The Art of the Steal is a fantastic (and very short) book, and I highly recommend it to anyone interested in security — it gives a great view into the security mindset, looking at all parts of a system and seeing how it can be subverted.
- Don’t store any more money in your checking account than you have to. You’ll still have to fight every fraudulent transaction to stop the bank trying to collect it from you, but at least you’ll still have your money while you’re doing it.
The sooner we move on from this antiquated and unsafe payment system, the better.

[...] look at before deciding to transfer funds from one account to another. (See, for example, Grant Bugher’s comments.) More and more criminals are learning about this easy way to acquire money, and devising new [...]
Hello,
Thanks for the insightful post. I have a question.
Are the online-bill-paying services the banks provide prone to the same risks as checks?
Thanks.
Google adsense?
They insist on sending out checks, nothing else. I always thought how retarded that is. Will they change? Maybe when everyone takes Google’s money by simple transfer.
I knew that getting money back from a checking or savings account was hard (not as hard as getting it back from paypal, but nowhere near as easy as a credit card).
BlueFonzie’s question is a good one – and I’d be interested in that answer as well. We do a lot of online bill pay – I think the bank mails checks to anyone that isn’t in their electronic system, so I’d expect it carries the same risks.
I hadn’t realized the electronic withdrawals could be done by anyone. Why do any of us have any money in our bank accounts? Wouldn’t it be relatively easy to just take everyone’s money?
I am a newbie to credit cards; actually, I am a student, and I want to ask: is it dangerous to show someone your own credit card number? Or, if he saw the CVC number, can he then transfer an amount from that account to his own?
You must reply to me at the email given….
And my other request is: if you are a genius, and experts say that it’s dangerous to buy something online (because there are still some hackers who can break into weak systems, especially pirated-CD operating systems), then how can we keep ourselves safe from this? Or should we not buy anything online?
Yes, armed with the credit card number & expiration date, someone can make charges to your credit card. The CVV2 code makes it even easier. They can’t directly transfer money — that’s a cash advance and requires a PIN code, not just the credit card number — though a service like PayPal might let them perform a sham transaction that transfers money to themselves.
And if you notice, I’m not saying it’s dangerous to buy something online — I’m saying that people worry needlessly about online transactions while blithely writing paper checks, an act far more dangerous to one’s financial security. Some ingenious hacker stealing your credit card number through electronic wizardry is far less likely than some minimum-wage employee you just handed the card to stealing it. In the online world, people worry about hackers stealing their card numbers, but then buy things from no-name web sites and eBay sellers without worrying about the actual seller misusing the card. And in the offline world, why don’t we worry about the cashiers in the stores memorizing our card numbers and misusing them? They could do so.
There are risks inherent in our financial systems. Ironically, the online transactions are often among the safest.
Checking alternatives are worse and the threat matrix is misleading. The con may order checks, but those get mailed to the account holder’s address. Chemical forgery can’t forge human signatures. New “know your customer” laws have taken hold as well. Not sure about demand drafts, but pretty sure you can call your bank to turn them off for any account.
PayPal isn’t legally defined and regulated as a bank. So they make up their own rules. Google the gripe sites. At least banks have consumer protection laws.
Credit card firms charge 3%+ on every transaction which in this electronic age should cost a penny. And recently got Congress to rewrite bankruptcy law for them. Cards have no legal interest limits. We the taxpayers bail out their crazy derivatives bubbles. Waves of mass customer list thefts recently popped in the news – 50 million customer records here, 30 million there.
Cancelled checks constitute proof of purchase. Cash doesn’t give that.
Consider a startup noca.com run by ex-VISA employees -
“Noca is building a system that will use verification on both sides to prevent fraud. The reason fraud in checks (using the ACH network ) is only 2% of the credit card fraud is because cashing a check requires two pieces of ID. Noca’s payment system will be built on this underlying principle.”
How does giving someone your routing number and checking account number allow them to transfer money from my account to someone else’s??? I’ve done this plenty of times when required by someone to wire transfer money into my account.
Thanks,
Alfonzo
Dave: The problem with things like signature verification is that you don’t actually need a physical signature to issue a demand draft. In addition, only the bank has the signature on file to verify (I could sign any scribble on a check and have a merchant take it), and even they only check it if they have cause to think it’s suspicious.
I can’t really speak to the security of noca.com, since they state that they “undertake an appropriate level of identity verification” but don’t actually say what that is. That’s where the security, if any, would need to come from — the whole problem with checks as a payment system is the fact that demand drafts normally come with no identity verification.
While credit cards have their issues (high transaction fees, etc.), they’re still amazingly secure from the customer’s perspective due to the fact that you can contest charges before the money’s gone. Checks and debit cards don’t offer that luxury — instead, you have to try to get the money back.
Alfonzo: There are a variety of ways. One is to just use a demand-draft system that doesn’t require identity verification — qchex.com used to let anyone do this online, but they seem to have shut down after the FTC sued them for enabling millions of dollars in fraud. There may still be similar systems on the Net in other countries. Lacking a public system, someone with a merchant account at a bank could do it, too (they’d just need to go to the trouble of setting up a fake merchant account, which obviously would require some effort since banks do verify the identity of their account holders.)
Alternately, a thief could simply order checks online with your routing number and account number, then buy stuff with them. The checks are “real”, so electronic verification systems will pass them, and they’ll get processed and the money sent. Of course, you can dispute the transactions later, and the signatures probably won’t match, so you’ll eventually win your case and get your money back from the bank. However, you’ll still have had to go through the hassle of doing it — probably with an empty checking account all the while — and the thief will already have gotten away with whatever he bought with the check.
All of those things you claim can be done with paper checks are largely fiction.
Checks can’t be “washed” since the 1960s. Try it some time. All of them have chemical protection against this sort of thing.
Even large corporate checks are printed on tamper proof paper. Try washing those some time. The larger the corporation the more tightly controlled the check stock, and the higher the quality. Even el-cheapo Quicken checks have enough protection to defeat washing and lifting.
Lifting laser printing is also fiction. You can’t really do this and not have it immediately detectable to the naked eye.
Physical reproduction with high quality copiers is a greater risk. Some of these are good enough to reproduce currency. But all of those that ARE good enough embed identifying information into every printed image.
Mountain. Mole-Hill.
I think the bank mails checks to any person who is not in their system. I agreed with “Hackers stealing credit card information online often steal entire databases.”
Having owned and managed the largest check recovery firm in America, I must report that the instance of merchants and professional practices receiving fraudulent checks is minimal compared to debit/credit cards, and the merchants can virtually make taking checks as safe as accepting cash, with the added advantage of creating a paper trail. The costs, both to the merchants and the users of cards, are HUGE compared to checks. The risk of a ‘bad person’ stealing your card (which oftentimes leaves your sight at restaurants, etc.) is infinitely more likely than having your check book stolen. The most important plus is that it’s harder to go into debt.
@Walter
I beg to differ. They may not be able to be washed as well as back in the day, but they can still certainly be washed. Back in 2000-2002 I worked as a teller and service manager for Wells Fargo. We would get washed checks all the time. Some we’d catch, others not–and we’d find out about them in our fraud reports. And since most tellers are really just kids in their first or second jobs who don’t have much experience, it wasn’t difficult to fool some of them when cashing–they just wouldn’t notice the fade, especially on a Friday with a high check cashing volume from non-bank holders cashing “on-us” checks. But when we did notice the fade, we’d call the cops. I had at least 2 arrests made during my stint at the bank.
Wow! I didn’t realize that cheques were so dangerous. Thanks for the heads-up on the various risks.
As far back as 1989, some neighborhood teenagers stole a batch of checks out of my mailbox; then one of them got a fake I.D. and went around to stores claiming he was my son. Fortunately, I got a call from a store early on, so I was able to call the bank, and they started checking the signatures before any of them were paid. Normally, even back then, they didn’t verify signatures for most checks.
Back in 1984 I had an elderly relative that had $7000 transferred from her checking account (forged signature on a letter requesting transfer of 70% of the account balance) to a bank offshore. The bank reimbursed her.
Excellent writeup, but I wanted to make two corrections which further enforce your argument. It’s actually a 60 day window, not 30, to report fraudulent charges. And if you still have your card (only the number was compromised) you have no liability at all. The usually-waived $50 liability is for physically stolen cards.
Source: http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm
Using a credit card online is incredibly safe.
I am 62 years old and have used checks since I was 18 years old.
I never had a problem.
I don’t use credit cards and don’t want any. I simply do not trust any credit card issuer.
I had a debit card until recently, when there was fraudulent activity on my account, in spite of how careful I was using it.
The bank said they would send me a new debit card which I said I don’t want.
I will only use an ATM card now so I can get some money out of my account.
I do agree with your last tip to keep as little as possible in your account.
I’ll keep cash on hand in spite of people telling me it is dangerous.
I have never had my purse stolen, but I sure have had thieves invade my bank account using my debit card !
I don’t really get this: how can someone remove money from my account with just the routing number and account number? It’s making me nervous because I have given no less than six people this info.
Kenneth,
Essentially, they just print out a check with your routing & account numbers on it, print “Signature on file” for the signature line, and give it to their bank. The bank then has your bank debit your account and put the money into theirs. These days it’s usually done electronically rather than by “printing” anything.
Since I originally made this post, it’s gotten a little harder, as the bank issuing the draft is now liable for fraud, rather than the bank paying it. You still have the fundamental problem that the money is already gone and you have to get it back, but at least banks are putting more effort into preventing the fraud as they’ve started to lose their own money to it. There’s a statement from the FTC here that tells a bit more about how it works.
It’s a fraud that requires some setup time — i.e. you need to set up a fake business, get some bank accounts, process some legitimate drafts, and then commit the fraud. You can’t (anymore!) just go to a web site, enter somebody’s account number, and take all the money out. Checking account numbers are, however, still much riskier to give out than credit card numbers, and it’s still a much bigger pain to get the money back.
Just to relate my own recent experience: I dropped a check in the mail (at an official blue US mailbox in fact) – a large check of $8000 to pay off a car loan. All of a sudden, I started to see large withdrawals out of my checking account to places I had never heard of before. Obviously, I went to the bank right away and they were very good about closing my account and restoring the lost money. It took perhaps ten days or so. The sum of the missing money (done in a couple of transactions to different accounts) was nearly exactly equal to the amount of the large check I had written, which had never been received by the bank that had the car loan.
The guy who works at the bank heard a rumor that the mailbox I mailed the check at was vandalized and mail was taken.
So, yes, checks are scary things!
Many people who think nothing of handing over their credit card or writing a check when at a store or restaurant hesitate to use the same card online, regardless of communication protections. So people should be warned more about their credit cards when they use them in restaurants, shopping and other activities.
This happened to me: they used my routing number and checking account number. I no longer use checks at all!! Shredded all checks… It could have been anyone I gave a check to. They had a credit card, then used my money from my account to pay for it!! Everyone should know that checks are no longer safe, people… Use a credit or debit card.
I don’t know if people are still using checks today. That is because most of the transactions now are online. Anyway, thank you for reminding us about the risk of using checks.
This is why I go to your site for my information. Thanks!
This is scary… I don’t believe this happens in the US. The money in our accounts is definitely much safer in India!!! US banks need to pull up their socks and make checking accounts safer for customers. Restrict info on cheques! Create more barriers than only a routing and account no. for payments. Wake up, US!
Wait, what’s the protection against a dictionary attack against checking account numbers? The routing numbers are publicly available, as is the format for check numbers.
So, any ‘legitimate’ business could claim that they had a series of attacks, in which random numbers were submitted to them by ‘prospective customers’. Bonus: once the attack succeeds, they can demand information about the victims (name, address, copy of id; purely to prove who they are and facilitate correspondence, of course) provide a full refund (makes the victim happy… for now) and move on.
Credit cards have several different factors: name, number, expiration date, ccv code. They multiply the difficulty of a brute-force attack. Easy fix for demand draft: multi-factor authorization. Call the merchant, make the order, the merchant proposes a draft to the bank. Call the bank, verify the draft, bank transfers the funds. This can still be compromised by someone capable of impersonating the user, but renders the brute-force attack useless.
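The two-step flow proposed in this comment, set beside the numbers-only demand draft the post describes, as an added Python example (not code from the post, the commenter, or any bank's system). `Bank`, `Account`, the `holder_secret` credential, the one-hour expiry and the three-miss limit are all hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    balance: int          # cents
    holder_secret: str    # stands in for the holder's authenticated bank session


@dataclass
class PendingDraft:
    account: str
    payee: str
    amount: int
    expires_at: float


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)
    misses: dict = field(default_factory=dict)  # payee -> drafts naming unknown accounts
    max_misses: int = 3   # assumed threshold
    ttl: float = 3600.0   # assumed confirmation window, seconds

    def legacy_draft(self, account: str, payee: str, amount: int) -> bool:
        """Numbers-only draft: knowing the account number is the whole check."""
        acct = self.accounts.get(account)
        if acct is None or acct.balance < amount:
            return False
        acct.balance -= amount
        return True

    def propose_draft(self, account: str, payee: str, amount: int, now: float):
        """Merchant step: records a request and moves no money.

        The same kind of id comes back whether or not the account exists, so
        the reply cannot be used to tell valid account numbers from invalid
        ones. Misses are counted per payee and the payee is cut off at the limit.
        """
        if self.misses.get(payee, 0) >= self.max_misses:
            return None
        draft_id = secrets.token_hex(8)
        if account in self.accounts:
            self.pending[draft_id] = PendingDraft(account, payee, amount, now + self.ttl)
        else:
            self.misses[payee] = self.misses.get(payee, 0) + 1
        return draft_id

    def confirm_draft(self, draft_id: str, holder_secret: str, now: float) -> bool:
        """Account-holder step: the only call that debits the account."""
        draft = self.pending.get(draft_id)
        if draft is None:
            return False
        if now > draft.expires_at:
            del self.pending[draft_id]      # unconfirmed drafts lapse
            return False
        acct = self.accounts[draft.account]
        # Constant-time comparison of the holder's credential.
        if not hmac.compare_digest(holder_secret.encode(), acct.holder_secret.encode()):
            return False
        if acct.balance < draft.amount:
            return False
        del self.pending[draft_id]          # single use
        acct.balance -= draft.amount
        return True


if __name__ == "__main__":
    bank = Bank()
    # Constructed sample account; the number and credential are made up.
    bank.accounts["1234567"] = Account(balance=50_000, holder_secret="holder-credential")
    draft = bank.propose_draft("1234567", "store", 5_000, now=0.0)
    print("after proposal:", bank.accounts["1234567"].balance)
    print("confirmed:", bank.confirm_draft(draft, "holder-credential", now=60.0))
    print("after confirmation:", bank.accounts["1234567"].balance)
```
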
This doesn’t happen in Europe either; the US banks aren’t secure and anyone can print checks with numbers… If a criminal needs security paper he can get it at the local Office Depot or buy it online.