June 17, 2013

The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country.

Source: Mybanktracker.com

Source: Mybanktracker.com

Louisville, Ky. based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.

“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”

The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.

Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have long fretted about this ever since MRDC started to roll out a few years ago.

“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”

McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.

“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”

Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.

“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so.  Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far.  However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”

Conroy said the key challenge for banks is that they can’t detect in real-time when an item has been deposited via the mobile channel, and then deposited at a branch.

“There are some anti-fraud services that can help detect multiple presentments at multiple banks via mRDC, so to the extent that the banks are subscribing to those services, that can help minimize the risk somewhat,” Conroy said.

According to Conroy, the other aspect of mRDC that has many bankers nervous is the consequential damages provision that was part of the enabling regulation.  That provision says that if an item is deposited twice, and that second deposit causes harm to the maker of the item, then the bank responsible for the second presentment has to cover any consequential damages that may result.

“So, to give you the worst case scenario, say I write you a check, and you deposit it once via mRDC, and a second time at a bank branch,” Conroy said. “The second deposit causes my account to go into overdraft status, and the very next check that would have cleared was my homeowners insurance check.  That check bounces, and the next day my house burns down.  Technically, the bank where that second presentment occurred could be on the hook for the cost of my house if my homeowners insurance lapsed due to that bounced check.  No banks have seen much in the way of losses due to this provision, but the possibility of unlimited losses is scary — as is the potential that the consequential damages provision itself could be gamed by the bad guys.”


55 thoughts on “Double Cashing With Mobile Banking

  1. Ronm

    SAP, a software designer of ERP systems, does have a solution called HANA which can process transactions completly ‘in memory’ which makes it easy to check transactions in realtime. So the second withdraw would bounce.
    Implementing would cost only a fraction of the risks.

    BTW; a good merchant shouldn’t look at the costs but at the merites!

    1. Don Clifton

      Maybe on checks yes, but with the money orders like he was doing don’t think that would help.

    2. wanderer2575

      The second withdraw might bounce, but somebody is still out the money. What if the person deposits the check into his bank account via remote deposit and then cashes it at a party store or check cashing place? Party store will want its money; they shouldn’t be held liable for accepting a check in good faith.

  2. qka

    maybe $3000k per day on MRDC

    That’s a quote, so maybe it should be:

    maybe $3000k [sic] per day on MRDC

    as I am sure they did not mean $3 million.

    1. saucymugwump

      “$3000k”

      I am reminded of the amusing sign “Department of Redundancy Department.”

      Yes, it should either be $3000 or $3k.

      And let’s not even get into the fact that k=1024, so $3000k=$3,072,000.

      1. Mike Brown

        No 1KB equals 1024 bytes. In general kilo means a thousand. Like a kilogram is not 1024 grams its a thousand.

      2. Leander

        That’s your contribution to this article????

  3. Zeke

    A combination of deposit limits, anti-fraud services, and carefully-planned deposit hold rules mitigate these risks quite well. Some of this (such as the deposit holds) is possible because RDC is not governed by deposit availability regulations (Reg CC) and others are enabled because of cooperation between financial institutions. It’s certainly still possible to game this system, but it’s not that difficult to raise the cost for the ne’er-do-wells.

  4. LC

    Having worked for (what used to be) a major west coast financial institution, I know there is a way to accomplish this in the coding of how transactions are handled.

    Now comes the question of whether the financial institution deems it a large enough ‘risk’ to address, or whether they take the attitude that it’s the customer’s responsibility to ensure proper transactions occur.

    Will be interesting to watch how this develops.

  5. Frank

    I remember when Check 21 first came out 10 years ago. All of us bankers sat in rooms and wondered how the bad guys were going to take us for a ride with this service. After 10 years I do not think I have seen a loss due to fake IRDs (Image Replacement Documents).
    This, however, is much more concerning and I would be surprised if the smaller community banks step into this arena.

  6. neo

    Yo! *denzel washington voice* Krebs my man 🙂 thanks for the tip..me and my gang will start working on this new scheme right away..be prepared to write about us soon…see ya

  7. Conrad Longmore

    MRDC seems like an incredibly stupid mashup of nearly obsolete technologies and new ones. Who on earth thought that this was going to be a good idea? Oh yes.. *bankers*..

    1. Moike

      The whole trust system of Checks and ACH seems backward in the current times. It requires multiple layers of patchwork policies on top to try to add some level of security.

  8. mactenchi

    Seems like this would be hard to get away with long-term. I mean, you’re depositing checks into an account in your name, right?

    1. Richard Steven Hack

      No, you use a fake ID to open an account. Unless one is an idiot – and there’s no shortage of those.

      Police apparently had no difficulty finding “Boma Robert Spero-Jack” – and what kind of a name is that anyway? My guess is he was one of the idiots… 🙂

  9. voksalna

    I can think of so many ways to fix/prevent this that it makes me wonder if the designers of these systems are incredibly stupid. Nonrepudiation fun.

  10. Neej

    Is anyone else who has not heard of this system utterly dumbfounded that this was implemented in the first place? Maybe it’s just me.

    1. voksalna

      Reminds me of how amazed I was at the little miniature stop and wipe keychain “credit card” fad from some years back in the USA. You are not alone.

    2. Cliff

      My Ghast was also Flabbered. I had never heard of this, so you can imagine that I am stunned 1) that it was ever created and 2) that nobody stopped it dead saying ‘this is a stupid idea, we’re going to get reamed’, and 3) that it wasn’t even more widely abused yet.

      I feel so 21st Century here in Old Europe.

  11. The Utah Data Center/N.S.A.

    I am sure the banks with the cooperation of the US government can use the super top secret N.S.A. surveillance and computers to keep track of where the checks are being deposited or the location where they are cashed out.

  12. Richard Steven Hack

    “they can’t detect in real-time when an item has been deposited via the mobile channel, and then deposited at a branch.”

    This would seem to be a relatively easy fix – depending on how crappy and poorly documented the bank’s software is, of course.

    I’d say this is a short-term risk for banks implementing mRDC – unless of course they ignore it. And thus a short-term – and rather lame – method of stealing for criminals.

    1. Chris Hansen

      A good criminal is one that avoids capture. So they will seek out areas that are being ignored…No glorious crimes, just quick payoffs and get rid of the risk.

      Going for the million dolla’ paydays is going to bring the heat. Also, going $1 under the $3k limit is going to bring the heat.

    2. Chris Hansen

      depending on how crappy and poorly documented the bank’s software is, of course.

      BTW, some gov’t services still use dial-up…so it made me wonder if they also still bit bang.

    3. Ben

      The problem is not in detecting if the item was deposited to your bank twice. It’s in detecting if it was first deposited somewhere else when presented to your banking center staff.

      The risk is not in taking the deposit remotely, it’s in the mere existence of remote deposit software.

      For instance, I could use Bank of America’s app to deposit an item and then take it into a Community Bank to deposit it.

      Community Banks cannot avoid this risk by ignoring mRDC. They will have to deal with it anyway.

  13. David

    This shouldn’t be too big of an issue due to the fact that you need to deposit it into your own account. Seems somewhat ignorant… Just my opinion

    1. pboss

      As noted, the idea is that the smart crook opens a fake account and withdraws the money before the bank catches on. Essentially, this is just a twist on a classic check fraud scheme.

      1. voksalna

        I was thinking of the Micker encoding trick from years ago — double-cashing and kiting based on routing taking a long time. In this case the time frame is shorter, but same general idea — it is a race condition.

    2. wanderer2575

      You don’t have to deposit into your bank account twice. Deposit it once via remote capture and then cash it at a party store or check cashing place. That’s the scary part.

  14. GeorgeH

    Why don’t we all just take pictures of money and coins and deposit those too.

    Yeah you can get caught exploiting something like this, but its more of a hassle than it is some special feature.

  15. Stefan Misaras

    I was watching, “Catch me if you can” the other day, and this article reminded me of the check problem again. WHY are there checks anymore? With a combination of the mobile banking and taking pictures of a check, the possibilities for fraud are infinite!

    Here in England checks are more for companies and payroll / salary, no one uses checks and no store takes checks anymore. It’s all chip-and-pin, and it works great! And the online banking, whether through mobile or PC, works really good! I love it like that, and I literally shiver when I hear the word, Check!

    1. voksalna

      This is probably stupid question but why are “checking accounts” called “current accounts” there?

      1. Cliff

        Not sure when it dates back to (possible pre-America TBH), but it is distinct from a deposit or savings account, and I suppose in essence for paying current liabilities

    2. wanderer2575

      Stefan, checks still exist because lots of people still don’t have/can’t get bank accounts and/or don’t trust banks and refuse to get a payroll card or other reloadable debit card. They want that paper check, even though it costs them high fees every time they run to a party store to cash one. (It’s also a way to hide funds from the spouse.)

      I disagree with laying the blame on people who won’t stop using checks. I lay the blame on banks that allow mRDC without requiring surrender of the physical instrument. How could the geniuses who came up with mRDC not have realized the potential problem here?

  16. Darevsek

    Here is the best fix, photo’d via APP checks hold at bank for 3 business days. Then if cashed some place else, then don’t deposit funds to account. Period. If you have a physical check/money order, and need the money right away, use the physical locations to do that. Use the APP to deposit, wait 3 business day’s, then they will add the funds to your account. Not rocket science, not chess, heck not even checkers people… Their are electronic ways to send money, and to receive same way.

    1. maniac

      So what happens if I wait three days to cash the check at the grocery store. How did that protect the bank?

  17. Meh

    Seems funny that most payments hit my account 10 seconds after I click approve but banks can’t track incoming funds for days.

  18. gipsyking

    good story i will try it now . see if i can get rich that way .

  19. Geordie Stewart

    Checks? Those were those pieces of paper that people used to accept as promise of payment back in the 20th century?

  20. Cateyes

    In Kentucky what’s is the name of the crime and how many years in jail do you think he will serve? Will they release him?

  21. xilibot

    this is not anything close to what carbep can do, millions of dollars will be stolen in the coming months, because finally the source code leaked carbep botkit darkod, the largest vazamenento of recent times, since the source code costs 40k and a lot of money, someone will compile and create a new botnet, let’s see what happens, will be that we will have a new botnet carbep in the coming months? ……….

  22. wanderer2575

    Very interesting that the bank that allowed the mRDC without requiring that the payee surrender the check is not the bank held responsible for damages caused by a second deposit. How would the second bank know about the original mRDC?

    1. Ben

      The whole point of mRDC is not to require the user to surrender the check. Otherwise, they may as well come into the bank.

      the second bank would find out when the bank on which the check is drawn is returned. Then, their customer has been in violation of the terms of their agreement and has committed check fraud.

      The bank will try to recover funds by pulling from the account, but if the customer was fraudulent, the bank will be left to write off the fraud as a loss.

      Of course, all of the outcomes vary by scenario, but the constant is that bank’s still need to follow good Know Your Customer rules as much as possible and enforce reasonable limits on mRDC.

      1. wanderer2575

        How would the second bank’s customer know the check was originally deposited via mRDC? I would think an accusation of check fraud would be pretty shaky when they have no knowledge of previous history elsewhere.

        And how does this tie in with Holder in Due Course? Suppose I deposit a check into my bank account via mRDC and then also cash it at a party store. The party store accepts the check in good faith, for value, and with no knowledge of defense — they have no way of knowing about the previous mRDC. You would accuse the party store of check fraud?

    2. Chris

      How would you require them to surrender the check? The whole purpose of MRDC is to provide a way for the customer to deposit the check without having to visit the bank. “Surrender the check” means having to come to the bank, or mail it in. How long does the bank wait to receive the check before making the decision to give credit or not?

      Also, committing check fraud at check-cashing places isn’t always a good idea. Most places I know verify their customers ID before cashing a check. If you commit fraud, they will come looking for you, and you better hope that the authorities find you first…..

  23. Mark

    “According to Conroy, the other aspect of mRDC that has many bankers nervous is the consequential damages provision that was part of the enabling regulation.” Brian, is Conroy referring to Check 21 (the Check Clearing for the 21st Century Act)? We are searching the Act for language relating to such consequential damages and we’re not seeing it.

        1. BrianKrebs Post author

          Mark,

          This is the reply I received back from the folks at Aite.

          ECCHO has a website with frequently asked questions pertaining to Check 21; here is the link: http://www.eccho.org/index.php?p_resource=history_implementation_questions
          The Electronic Check Clearing House Association is the industry body that sets standards for check images and many other standards.

          I also copied the FAQs related to the liability issue in case you didn’t have time to look at the website:

          D.3.
          Q.
          Is there the potential for consequential damages under Check 21 and who would be responsible for those damages?

          A.
          Yes. Any bank that creates a substitute check (e.g. is the reconverting bank) is potentially liable to an indemnified party for consequential damages when there is a breach of a Check 21 warranty.
          D.4.
          Q.
          What other financial liability is incurred under the indemnity?

          A.
          The indemnity amount for a non-breach of warranty is for the amount of the loss up to the amount of the check plus interest and expense.
          D.5.
          Q.
          Do the warranties cover both paper and electronic representation of a substitute check?

          A.
          Yes. The Check 21 warranties cover both paper and electronic representation of a substitute check for which a bank receives consideration in either forward or return presentments.
          D.6.
          Q.
          Can a non-bank create a substitute check and if so who would make the warranties under the Act?

          A.
          Under the Act, the first bank that transfers or presents a substitute check becomes the reconverting bank and as such takes on all the warranties and liabilities under the Act. It is possible that banks may allow their customers to create substitute checks, but would likely require agreements to allocate the Check 21 liabilities back to those customers. Bank’s deposit agreements should state that a customer can create and deposit a substitute check only with prior agreement.

          1. Mark

            This helps a lot. Thanks for the additional info.

          2. Eric Nelson

            This passage troubled me as well, and I’ve been searching for anything that would make this a true statement.

            Pointing at the ECCHO Rules is neither here nor there; ECCHO is not a regulatory agency in the sense that the passage above conveys (although they do regulate their own members, I’m sure). Certainly parties who trade imaged items pursuant to the ECCHO Rules might be “nervous”, but anyone NOT involved with ECCHO would not be subject to any consequential damages as part of any “enabling regulation” (unless their own agreements specify such, and that would be on an institution by institution basis).

            I think the paragraph in question is unnecessarily alarmist, and in the interest of accuracy and responsible reporting should either be modified or removed entirely.

            If anyone can point to any “enabling regulation” that covers the industry as a whole (because that’s what I feel that paragraph implies to the reader), I’d love to hear of it. No check payments experts I’ve consulted can (and mRDC is certainly not referenced in any way in the UCC or Check 21 Act).

            Eric Nelson, AAP, NCP

  24. Ed

    The technology exists to make this fraud nearly impossible but the banks will never spend the money. They would want to pass that cost on to their customers, but then those customers might go to bank elsewhere. Its the same with all bank and credit card fraud. The banks look at it in the light of profit and loss. Lose some money to fraud – gain some customers for the convenience.

Comments are closed.