SubscribeDuring this year’s Christmas shopping season, I made some large in-person transactions at the same time as my wife made an online transaction, and my credit card was suspended by the issuing bank for potential fraudulent activity. This happens relatively often, whenever someone’s spending patterns are flagged by the neural-network based automated fraud detection used by all the major credit card issuers. When calling the bank to have the card reactivated, I was told by the customer service representative, “since online transactions are, you know, more dangerous, we tend to notice those.”
This is not an uncommon perception. Many people who think nothing of handing over their credit card or writing a check when at a store or restaurant hesitate to use the same card online, regardless of communication protections (e.g. SSL/HTTPS), third-party assurances like the preposterously-named HackerSafe, or the size and stability of the vendor. After all, it’s the Internet, there are bad people out there.
However, the perception just isn’t true. There are two ways in which the Internet particularly helps thieves, though:
- Once they’ve stolen an identity or credit card number, thieves often use the card online, as they don’t have to present themselves (and thus show up to witnesses and potentially security cameras) to use the card. This is actually probably what the credit card company in my experience meant — not that the transactions are more dangerous, but that fraudsters often use stolen cards online.
- Hackers stealing credit card information online often steal entire databases. They don’t steal your credit card while you’re buying something online — they break into the online store and steal everybody’s card.
However, they could just as easily have broken into the servers of a brick-and-mortar store — it’s not the fact that you used the card online that makes it possible for them to steal it, it would have been just as at risk handing it to a cashier.
In many ways, it’s a lot more risky to make non-cash payments in person! When you hand your credit card to a waiter or clerk or cashier, they could easily copy the number, expiration date, and CCv2 code (the three-digit code on the back than an online site often won’t even get.) With a debit card, they have the opportunity to watch PINs being typed. Whereas in an online store, only relatively few, well-paid professionals will have access to your data (system administrators, etc.), every $7 per hour sales clerk can see a hundred card numbers per day, and probably has significantly more financial motivation to steal them (although in my experience, the fact that someone doesn’t need money won’t stop them from stealing it if they’re the type to steal — just look at Michael Milken, who defrauded people out of hundreds of millions of dollars at the same time he was making hundreds of millions legitimately.)
Some people — usually those of us who remember the days before debit cards — eschew all these fancy online and electronic forms of payment and instead stick to good old fashioned checks. After all, no one can possibly steal those! They’re paper, and have your signature on them. This is the ultimate in perception differing from reality — it’s hard to imagine a less secure way to make a payment than a paper check.
First of all, there’s the ease of committing fraud with checks. A thief with a stolen check (or deposit slip) has all they need to take money from your account — the routing number and account number (found at the bottom of the check in MICR letters.) Note that the thief doesn’t need any kind of ID… or a PIN… or a physical card… or a CCv2 code… or even to know your name. No, the numbers will do. What can they do with a stolen check? There are three basic things:
- Order up a whole book of checks with your information and account numbers on them. No ID is required to order checkbooks online. They can then spend these checks anywhere, and the bank will process them — you probably won’t find out until your account is empty and you start getting NSF notices.
- Remove the amount and recipient from the check and write it out to themselves instead. This is a bigger problem for institutional checks, which are often printed on a laser printer. It’s really easy to remove laser-printed text from an offset-printed check — just lay some Scotch tape over the laser text, rub it hard with your fingernail, and peel the text off. Then you can print out a new amount and recipient with your own laser printer, and it looks just like the real thing. Chemical agents (”check washing”) can do this with ball-point pen ink, too, though it’s not so easy.
- Issue a demand draft (”paperless check.”) This is what happens when you pay by phone with your checking account number, or use an automated bill pay service, or send money via PayPal. Using your routing number and account number, money is simply removed from your account and put into someone else’s. No authorization or authentication is used, your name is not even required. Yes, really. Anyone can do this from any account to any other account. For a while, you used to be able to do this from a web site.
Second, there’s the difficulty in getting your money back or even stopping the fraud! With a credit card (and to a lesser extent, a debit card), it’s pretty simple — you call the bank, say you did not authorize a charge, and the credit card company removes the charge. It is then up to them to prove you did make the charge, such as by getting a signed receipt from the merchant and matching your signature. So long as you report the fraud within 30 days, you are not liable — the worst the card company can do to you is to cancel your card (but you still don’t have to pay for the charge you didn’t make.) In theory, you’re liable for up to $50, but almost no card issuers really charge this since it’s terrible customer service (”Sorry you were stolen from! Give us $50!”)
With checks, the money is already gone. If you report a check as fraudulent, there is no federal law saying the bank is liable — it’s up to the bank’s own policies and in some cases a hodgepodge of state laws whether they have to help you at all. The bank may get back to you in 60 to 90 days (during which you don’t have the money, even if it was the entire contents of your checking account.) You have to report the fraud on a paper letter, with a notarized signature, usually by certified mail. What’s more, you have to prove that the checks were not authorized — the burden of proof is on you, not the bank or merchant — and you have to do it to each party from which you’re trying to reclaim money. If a thief wrote bad checks in 20 different jurisdictions, you may be dealing with this for years.
Worse yet, you can’t stop the fraud from taking place. The thief can keep writing checks on your account even after you’ve started reporting them as fraud, and even after you’ve closed the account. Every time the thief writes a bad check on a closed account (the classic practice known as “paperhanging”, a favorite of Frank Abagnale during his criminal youth), your bank will reopen the account and send you an NSF notice. You have to dispute all of these, too. And finally, your account (and possibly your name) will go into ChexSystems (the equivalent of the credit bureaus used to check people’s checking account history) as fraudulent, which will make it difficult or impossible to get new checking accounts for many years. On the bright side, it will make it harder for the thief to open accounts in your name, but that’s little consolation since he can keep using the closed one he already has.
From a security perspective, checking accounts are horrid. They come from a day when authentication and authorization were unheard-of, and security came mainly from the idea that no one would figure out how to subvert the system.
What can you do to protect yourself?
- Don’t use checks. If any method of payment is offered aside from checks, use that.
- Don’t use demand drafts, either — they’re checks. Don’t pay by phone using a checking account number — use a credit/debit card.
- If you must write paper checks, use them only to pay bills, dealing with relatively trusted merchants. It doesn’t make you totally safe, of course, but it helps some. Use gel ink to write checks (it’s harder to wash), or a dot-matrix printer to print them (the impact-printed ink is nigh-impossible to remove.) According to Abagnale’s The Art of the Steal, this makes check-washing nearly impossible (though ordering up new checks in your name still works.) Incidentally, The Art of the Steal is a fantastic (and very short) book, and I highly recommend it to anyone interested in security — it gives a great view into the security mindset, looking at all parts of a system and seeing how it can be subverted.
- Don’t store any more money in your checking account than you have to. You’ll still have to fight every fraudulent transaction to stop the bank trying to collect it from you, but at least you’ll still have your money while you’re doing it.
The sooner we move on from this antiquated and unsafe payment system, the better.
October 31st, 2008 at 2:19 am
[...] look at before deciding to transfer funds from one account to another. (See, for example, Grant Bugher’s comments.) More and more criminals are learning about this easy way to acquire money, and devising new [...]
October 31st, 2008 at 8:50 am
Hello,
Thanks for the insightful post. I have a question.
Are the online-bill-paying services the banks provide prone to the same risks as checks?
Thanks.
November 1st, 2008 at 6:48 am
Google adsense?
They insist of sending out checks, nothing else. I always thought how retarded that is. Will they change? Maybe when everyone takes Google’s money by simple transfer
November 1st, 2008 at 7:30 am
I knew that getting money back from a checking or savings account was hard (not as hard as getting it back from paypal, but nowhere near as easy as a credit card).
BlueFonzie’s question is a good one - and I’d be interested in that answer as well. We do a lot of online bill pay - I think the bank mails checks to anyone that isn’t in their electronic system, so I’d expect it carries the same risks.
I hadn’t realized the electronic withdrawals could be done by anyone. Why do any of us have any money in our bank accounts? Wouldn’t it be relatively easy to just take everyone’s money?
November 3rd, 2008 at 2:01 pm
[...] are now (apparently) the most dangerous way to give someone money. Every check has both the bank routing number and your account number, and with that information a [...]