The implementation of the Check Clearing for the 21st Century Act (Check 21) begins Thursday and could make it more difficult to prosecute check-fraud crimes in the future. Some security experts also warn that converting checks to digital images opens the door to mass fraud if these images are accessed by an attacker.
"A check can be photographed and stored and then destroyed immediately," said Donald Smith, IT auditor at The Mechanics Bank in Richmond, Calif. "If there is fraud, there is no way to check for fingerprints, writing depressions, etc. -- any evidence of check fraud disappears without a trace."
Check 21 gives banks the right, but not the obligation, to convert paper checks to digital images, drastically increasing the speed of check handling and collection. But experts worry that it may have unintended security consequences.
A Unisys white paper by three fraud experts, including Frank Abagnale, describes the emerging risks of using such technology in the financial services industry and details the potential for a new wave of fraud. Ori Eisen, CEO and president of Phoenix-based The 41st Parameter, a developer of fraud prevention systems, and Elazar Katz, director of the Active Risk Monitoring Practice at Blue Bell, Penn.-based Unisys Corp., also contributed.
"Much has been discussed recently about phishing -- the exploitation of large-scale spoof e-mail campaigns to steal customers' login credentials," Katz said in an interview. "Recently, we have come across check-fraud versions of this scam, attributed to international gangs. The potential for the mass-production of this type of fraud is staggering."
In the white paper, Eisen said the scam begins with a spoof e-mail campaign to trick bank customers into disclosing their user names and login passwords. Then, using the fraudulently obtained credentials, the attackers retrieve the customers' monthly statements and check images. Criminals can then create high-quality counterfeit checks that are nearly identical in appearance to the originals, are drawn for an amount that is appropriate for the account, and bear a scanned signature.
The Gartner Group estimates that in the last year, 57 million U.S. adults received phishing e-mails, of which 11 million clicked on the provided links, and 1.78 million provided passwords and other sensitive personal information. In total, the scams resulted in fraud losses of $2.4 billion.
In addition, financial institutions may not be as impervious to attacks that could expose this information as they would like to think.
Nine out of 10 financial Web sites contain security flaws that could expose them to phishing attacks, according to a recent study by Surrey, U.K.-based Next Generation Security Software.
The trade-off in time and cost savings for financial institutions may create yet another avenue by which criminals can perpetrate fraud, Katz said.
"Financial institutions that choose to convert paper checks to digital images assume considerable risk and liability," Abagnale said in the white paper. "Placing both check images and monthly statements online offers fraudsters intelligence on both the visual aspects of the checks and the behavioral history of the account. This type of aggregated intelligence would significantly enhance fraudsters' ability to create counterfeit checks that circumvent both behavior-based and image-based detection systems, should the customer's log-in credentials be compromised. As recent phishing scams indicate, large-scale compromise of customer credentials is a very real possibility.
"The decision regarding which checks to convert should include risk considerations," Abagnale added. "Banks should also recognize the risk implications of placing check images online and think of ways to mitigate the impact of large-scale compromise of log-in credentials."
Smith believes insiders pose more of a threat to the Check 21 system than hackers do. "A hacker inserting a check into the [process] without being detected isn't really viable," he said. "They would have an easier time breaking into the system and modifying account balances."
Many banks will take a wait-and-see approach and delay implementing the technology because of the expensive equipment needed to process the check images.
"Some will want to wait until the new system is tried and true before converting," Smith said.