ID theft risk: checks

The risk of identity theft is increasing daily and the exploitation of technology by criminal minds plays a central role in this growing epidemic.

Whether it's remote deposit or a small-business customer using a funds-transfer application from his desktop or mobile phone, technology fundamentally has replaced traditional face-to-face interaction at the branch and the relationship-based safeguards that have been used in the past. Loan applications, deposit accounts, and investments, just to mention a few, are fully internet enabled. Criminals know this and they can use technology to establish multiple relationships with multiple financial institutions. And if they possess stolen but correct financial information, they can wreak havoc.

Getting to Know Your Customer is no longer just a relationship-building experience that occurs over time. It is also one of your first lines of defense in a very dangerous world.

As we'll show in this special investigative report, even the most mundane of banking activities—check ordering—can create huge new risks by virtue of supply chain changes facilitated by technology.

Obtaining checks is all too easy

Even though check volume is declining, the risk associated with checks and remote deposit is increasing. The Copper River Group conducted a limited research project focused on checks and the many ways they can be produced outside of a traditional and security-controlled banking relationship model. The objective was to determine how easy it is to produce checks that sail through the payments system, be it printing your own or having them printed for you.

Everything you need, right on the shelf

Most big-box office-supply stores offer a wide variety of software for business purposes. The functionality of these applications can vary, but if you are looking for a software program that can design and print checks, it is on the shelf and its cost is surprisingly affordable. Also available on the shelf is a good selection of blank check stock. More importantly, the only controls that we observed as we purchased the software and check stock pertained to the security number on the credit card used at the point of sale.

We interviewed the store managers at two retailers and asked about store policies relating to the purchase of check printing software and blank check stock. The response from one manager was that they had more controls around the selling of canned air to minors than check printing software and blank check stock. The bottom line: both store managers stated that anybody can buy any check product in the store. No proof of identity or banking relationship is required.

MICR printer? No problem

For bankers under 40 or those not grounded in Operations, the MICR line printed at the bottom of a check contains the financial institution routing number, customer account number, check number, and other information. The MICR (magnetic ink character recognition) line is specified by the American National Standards Institute. The design of checks can be found in the ASC X9 TR 2–2005 standards published by ANSI, and can be purchased on the internet.

The magnetic ink is read by a wide range of check processing equipment, from manual one-at-a-time devices to the high-speed check sorters. If a check does not have MICR ink, it would most likely be rejected by the check processing equipment and have to be processed manually. There is an alternative to MICR called Optical Character Recognition, but OCR is not universally installed on check processing equipment. So, no MICR in most cases would cause a check to be rejected and that would potentially cause additional scrutiny.

With respect to MICR check printers, we searched the internet and purchased a moderately priced printer (less than $350) that came with MICR ink.

We reviewed the security notices on the website. Upon ordering the printer, the vendor did not ask us to go through any additional verification steps, even though the printer was being shipped to an address that was different from the credit card. In addition, this was a corporate purchase. The vendor did not contact our main office to verify the card, the purchase itself, or the purchaser.

Next step, customer direct checks

The Copper River Group selected two customer-direct check printing companies. This aspect of the project was a two-step approach. The first step was ordering checks via the internet for both commercial and retail check products using real routing numbers, but fictitious account numbers. After several days we were contacted by email asking for more information. We did not respond and the orders were cancelled by the vendors after several weeks.

Next, we contacted the same vendors by phone and again ordered commercial and retail checks. We used the correct account information and our order was accepted and processed. In addition, we also ordered a rubber "For Deposit Only" stamp and asked that the order be processed via an ACH debit to the accounts of the checks we just ordered, as opposed to a credit card. In both cases, our ACH debit request was accepted.

After the check orders were processed and we received confirmation of shipment, we contacted both vendors about our orders and security concerns. We asked them why the first orders rejected. The answer was that they have a database of routing numbers and account number scenarios. Most likely, in their opinion, our order did not match up to the institution database due to an input error.

More importantly, we contacted our financial institutions (customer service call centers) and asked if they were contacted by a check printer regarding our account and check orders to verify information. In both cases, they indicated that they would not verify the information as it is their policy not to do so if contacted, due to information security and privacy concerns. In addition, they could not recall the last time a check printer contacted them in attempt to confirm check order information on a customer.

Finally, we use the checks

We produced checks using our newly purchased check printing software and MICR printer and then used them for various payments. The checks that had been ordered from the check printers were also used in the same context. Both performed as expected with no complications.

Furthermore, the ACH debits used to purchase our check orders were posted to accounts without incident or verification. A possible scenario would be, if an identity thief possessed your account information they could not only create checks on your account, they could also use an ACH debit charge you for printing the checks they are going to use to steal your money!

Assessment of the risks

The research project, however limited, identified a number of significant risks associated with checks. First, MICR ink and MICR check printers (which are a regular printer that comes with MICR ink) are readily available on the internet and can be purchased without any form of verification of banking relationship or purchase authority. By the way, this is not news to criminals.

Second, at the office supply stores we visited, blank check stock, check design, and printing software can be purchased by anybody. They are not stored in a locked case or behind the counter. No questions are asked at time of purchase. No verification of banking relationship or an individual's authority to purchase occurs. In addition, the store managers we interviewed stated that no policies or procedures were in place to control access to these products.

Third, if you have accurate financial institution and checking account information, regardless of how it was obtained, you can order checks or print checks that function as designed. Very few controls exist. Again, this is not news to criminals.

In all three of the above scenarios, when you add remote deposit capture, a distance banking relationship, a new customer or business banking relationship, or using the internet for establishing new customer relationships, you have a combination of factors that can produce significant risk.

What needs to be done

Establishing a relationship with a new customer or business is not a one-time event. To protect their customers and institutions from the kinds of events described here means that bankers not only need to retool controls to keep up with this evolving risk, but also to constantly monitor all transaction activity.

These strong monitoring tools will need to be real-time in some cases to identify rapidly changing customer-use activities that could signal suspicious or fraudulent activities well in advance of the customer bringing it to your attention. Examples include multiple deposits, withdrawals, returned items, customer complaints, small-dollar deposits from widespread areas, or activities involving repeat transaction scenarios from the same financial institutions.

This concept is not different from the fraud management tools, such as Falcon, that are used to monitor credit and debit card activity.

The point to be made is: If you change how you use technology in regard to your banking relationships, you also need to change your risk monitoring tools.