The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country.
Louisville, Ky.-based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.
“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”
The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.
Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have fretted about this ever since mRDC started to roll out a few years ago.
“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”
McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.
“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”
Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.
“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so. Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far. However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”
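The "rules and velocities" approach Conroy describes can be sketched as a small review pass over mobile deposits. This is an added example, not code from the article or from any bank's system; the record layout, the item-count and near-limit thresholds, and the feed of items already paid through another channel are all assumptions, and only the $3,000 daily limit is a figure quoted above.

```python
from collections import defaultdict
from datetime import date

D1, D2 = date(2024, 1, 8), date(2024, 1, 9)  # constructed dates

# Constructed sample mRDC deposits: (account, day, item serial, amount in USD).
DEPOSITS = [
    ("acct-A", D1, "MO-1001", 500.00),
    ("acct-A", D1, "MO-1002", 450.00),
    ("acct-A", D1, "MO-1003", 300.00),
    ("acct-A", D1, "MO-1004", 195.00),
    ("acct-A", D2, "MO-1001", 500.00),   # same item imaged a second time
    ("acct-B", D1, "CHK-7701", 2999.00),  # sits just under the daily limit
    ("acct-C", D1, "MO-2001", 250.00),   # item already cashed in person
    ("acct-D", D1, "CHK-9001", 120.00),  # unremarkable deposit
]

# Hypothetical shared feed: serials already paid through another channel.
PAID_ELSEWHERE = {"MO-2001"}

DAILY_LIMIT = 3000.00   # per-day mRDC limit quoted in the article
NEAR_LIMIT = 0.95       # assumed: flag daily totals within 5% of the limit
MAX_ITEMS_PER_DAY = 3   # assumed velocity threshold per account per day


def review(deposits, paid_elsewhere, limit=DAILY_LIMIT,
           near=NEAR_LIMIT, max_items=MAX_ITEMS_PER_DAY):
    """Return (rule, account, detail) alerts for deposits needing review."""
    alerts = []
    seen = set()                  # serials already deposited via mRDC
    per_day = defaultdict(list)   # (account, day) -> deposited amounts
    for acct, day, serial, amount in deposits:
        if serial in seen:
            alerts.append(("duplicate_item", acct, serial))
        elif serial in paid_elsewhere:
            alerts.append(("already_paid", acct, serial))
        seen.add(serial)
        per_day[(acct, day)].append(amount)
    for (acct, day), amounts in sorted(per_day.items()):
        if len(amounts) > max_items:
            alerts.append(("item_velocity", acct, day.isoformat()))
        if near * limit <= sum(amounts) <= limit:
            alerts.append(("near_limit", acct, day.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in review(DEPOSITS, PAID_ELSEWHERE):
        print(alert)
```

The duplicate check only catches repeats a single institution can see; an item deposited at one bank and cashed elsewhere is caught here only because the hypothetical shared feed reports it.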