The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country.
Louisville, Ky. based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.
“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”
The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.
Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have long fretted about this ever since MRDC started to roll out a few years ago.
“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”
McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.
“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”
Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.
“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so. Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far. However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”
Conroy said the key challenge for banks is that they can’t detect in real-time when an item has been deposited via the mobile channel, and then deposited at a branch.
“There are some anti-fraud services that can help detect multiple presentments at multiple banks via mRDC, so to the extent that the banks are subscribing to those services, that can help minimize the risk somewhat,” Conroy said.
According to Conroy, the other aspect of mRDC that has many bankers nervous is the consequential damages provision that was part of the enabling regulation. That provision says that if an item is deposited twice, and that second deposit causes harm to the maker of the item, then the bank responsible for the second presentment has to cover any consequential damages that may result.
“So, to give you the worst case scenario, say I write you a check, and you deposit it once via mRDC, and a second time at a bank branch,” Conroy said. “The second deposit causes my account to go into overdraft status, and the very next check that would have cleared was my homeowners insurance check. That check bounces, and the next day my house burns down. Technically, the bank where that second presentment occurred could be on the hook for the cost of my house if my homeowners insurance lapsed due to that bounced check. No banks have seen much in the way of losses due to this provision, but the possibility of unlimited losses is scary — as is the potential that the consequential damages provision itself could be gamed by the bad guys.”