Send Us Your Feedback

  • We'd love to hear from you. Let us know how we're doing and how we can make your experience here more enjoyable! We are always looking for ways to improve.
  • [blogs-support@cisco]

August 31, 2009

The Check Is Not In the Mail


A bank in the United States, USAA, recently announced a new way their customers can deposit a check into a bank account: capture images on an iPhone and transmit them using an application provided by the bank.  In fact, USAA has offered the capability to deposit checks using an ordinary document scanner for several years.  Of course, scanners don’t fit in your pocket or purse and are connected to a more traditional personal computer—hence most of us are likely to trust the security of the scanner-based solution because it utilizes technology that has become familiar through regular usage in a variety of ways.  More specifically, few people question the security of the transaction when they are able to view the lock icon in their browser while connected to their bank.

A cursory read of USAA’s terms and conditions suggest that the security (and potential misuses) of the iPhone application have been duly considered.  Indeed, USAA is planning to expand the capability to other popular ‘smart’ phones as well.  Given the number of publicized security incidents at financial institutions in the last couple of years, does this have the potential to become another vector for miscreants?

Since this application was initially launched for the iPhone, that will be the focus of my thoughts.  Full disclosure: the latest iPhone (3GS) is the second one I’ve purchased.  Previously, I had the ‘first generation’—its security features were circumvented easily through shared programs developed by a clever group of grey hats.  Of course, my professional curiosity was piqued and I spent some time reading about how they went about that, as well as running the program against my original phone.  I was fully aware of the consequences (e.g. loss of warranty); I am not suggesting that you do the same.  Finally, while I am not a customer of USAA, a colleague installed it and reports that the application employs good security measures, including multiple levels of authentication and the inability to save a username or password on the device.  The bank has provided a video demonstration if you are interested in seeing it in action.

In light of my curiosity, here are some thoughts and observations regarding the USAA iPhone application—not all of them are security-related.

  • The increasing sophistication of mobile computing and smart phones has opened up new opportunities for productivity ‘on the go.’  Will this mean more opportunities for data loss and/or exploitation as well?
  • As devices become more portable, they are more prone to unintended loss (e.g. seat pocket of an airplane) or outright theft.  Does the responsibility to protect sensitive data rest with the ‘owner’ (human), ‘system’ (the mobile device and its application for accessing the bank, the provider’s network, the bank’s network and server), or some combination of both?
  • What constitutes best practices for the system and the user?  For my phone, it’s a combination of auto-locking the device after a short idle period + data wipe after N unsuccessful attempts to access it + consistent usage of secure networking between the device and ‘the cloud’ whenever possible.  For example, I will only read mail over SSL.
  • For financial transactions, there has historically been a greater level of security through trust, e.g. the customer who knows his/her banker by face and regular contact, as opposed to now when issues are often resolved by a customer service representative over the phone.  The ability to deposit checks without any physical meeting or even ‘snail mail’ further reduces face-to-face contact.  For the safety of data,  we need greater reliance on a holistic approach to the security of the systems involved, including user behaviors.  In order for the ‘human network’ to be successful over the long term, it seems to be we must be able to construct what I term ‘paradigm equivalents.’  Cisco’s TelePresence seems to be a good example of that, albeit for in-person meetings instead of banking.

What are your thoughts regarding the continuing evolution of the ‘anywhere, anytime’ flexibility to conduct business?  Does it equate to an increased security risk?  I’d like to hear from you—no need to put it in the mail, however.

Richard Aceves Posted by Richard Aceves at 12:43PM PST

Permalink, Comments (4), Trackbacks (0)

Tags: mobile security telepresence

4 Comments

Philip Gladstone Aug 31, 2009

I wonder what the document storage requirements are for the submitter of the check? How long do they have to maintain the original check?

Actually, a quick Google leads to https://www.usaa.com/inet/ent_esig/ViewDocumentServlet?documentId=DM1.FPNJ0MZ7.5115M.1JB5V93MRM8CU which (in section 3.4) says that "Member shall be responsible for the proper disposal of all Items following their transmittal to USAA. Following receipt by Member of a confirmation from USAA that USAA has received the image of the Item, member shall properly dispose of the original Item to ensure it is not represented."

Wow!

So if someone modifies my check before depositing it, then it becomes my word against his—with no physical evidence! Even if the depositor doesn’t modify my check, I can still claim that he did, and he can’t prove otherwise.

Seth Hanford Sep 1, 2009

I see a number of risks from portability:

One of the great check fraud scams is to steal a ream of actual paper checks from the supply closet at a company.  Now, the thief doesn’t even have to make off with the check inventory, simply take a photo with your phone and then put the phone back in your pocket.

Also, for the matter of paradigm equivalents, there is no person sitting down and looking at these checks like there would be at the teller window.  I’m not so naive to think that this has happened much in the past 20 years, but it’s still an abstraction for which we have not come away with an equivalent.  If a crook can find a sufficiently large bank account with sufficiently poor accounting controls, even if they’re depositing to their own account, they can store up a decent amount of money in fairly short order.

Imagine the crook having their company deposit paychecks to their bank, and then photographing and altering a check picture of their paycheck equivalent to an account with USAA every 2 weeks.  They’ve just doubled their salary, and insufficient accounting controls may not notice—same amounts, same payees, but mysteriously twice as many transactions.  And again, all they have to do is photograph a good check somewhere on company property / at home before making any alterations.

Frequency is also likely to be a learning experience for USAA. Not many people have scanners at home, but lots of people have iPhones.  There’s a large potential for the frequency to increase, which may inflate the losses that they’ve already suffered in the scanned check arena.  It may not have let them accurately predict their risk with the new, portable medium.

Philip’s point about re-presentation of checks is another good one.  USAA does not bear the risk, necessarily, if a criminal photographs a check presented to them for deposit to their own account and then modifies the check for presentation to another bank to be cashed.  In this scheme, USAA gets the real check and a second bank gets an altered-payee check drawn on the same account.  According to Frank Abagnale (The Art of the Steal 59), altered payee fraud is the liability of the first bank of deposit.  But unlike a typical altered-payee crime, the “real” check could have already been deposited and has cleared the issuers statement, when the uncontrolled check then gets modified and reused for more money.

USAA could be opening a door for the criminal get paid once and potentially twice on the same check, because the bank is not keeping control of the original instrument.

Kirk Brooks Oct 10, 2009

I am a USAA customer and have greatly appreciated the ‘deposit at home’ feature. Since the bank is in Texas the previous requirement was to mail checks for deposit - which could take up to 10 days to process. I have inadvertently attempted to deposit a check twice and once attempted to redeposit a check that bounced. In both cases the site refused to accept them. I don’t know how it determined the duplication but it did.

I think the comments about multiple images of the same check being presented to different banks are the digital equivalent of stealing the ream of blank checks. It’s a crime and it will be noticed quickly. The issue is detecting it. Unlike passing physical fraudulent checks there’s a pretty strong paper trail (as it were) here. Plus, the money has to go into an account rather than convert to cash. To convert the fraudulent digital checks to cash, or a safe account, the money has to move out of the deposited account. This is one bottleneck the bank controls - the availability of funds. I’m not suggesting it can’t be done - but given the traceability of electronic transactions I think it will be very difficult.

You know, a couple of years ago I noticed my landlord deposited my rent check 3 days early. And 3 days prior to the check date. It didn’t cause a problem but could have. I called USAA to ask what would have happened if I had been overdrawn because of that. I was told the date on the check is, essentially, irrelevant - a check becomes payable when it’s presented. Period. The reason has to do with the fact there is rarely any human review of transactions. The cost of running deposits through an ATM would make them prohibitive if a person had to read each one. This is another of the changes that have crept in to the deposit rules we rarely read but sign off on by having our account. Shifting the responsibility onto us and off of the bank allows them to work faster and more profitably. Most of us carry on as though things were the way they were when we first learned about banking. But things aren’t the same.

My point is the banks have been working to shift more and more responsibility for transactions onto consumers. Doing so they can be more responsive and agile but consumers bear more costs as well. It will be the case here too.

Richard Aceves Oct 10, 2009

@Kirk

Thank you for your thoughtful dialog. 

You raise some valid issues that I hope people will consider as we move increasingly to a ‘digital world.’  The example of a date on a check is excellent (in 2009, I will have written maybe six checks—it’s too easy to issue payments directly from a bank).

Historically, people have tried to outwit whatever systems were in place: how long ago was it that you could alter the amount of a check, have it clear and abscond with with funds before someone caught it?  That’s nearly impossible now; similarly, the technology of security will ensure that if depositing a check via iPhone isn’t foolproof today, it will be soon enough.

Post a comment

Join the conversation!

We encourage your comments, questions and suggestions. All comments are moderated and will appear as soon as they are approved by the moderator.

Please increase the validity of your comment by providing a valid first and last name. Spam, off-topic or offensive comments will not be posted.

Name:
Email:
URL:

Comments:

Notify me of follow-up comments?

Submit the word you see below:


Post a trackback

Ping this URL to post a trackback:
http://blogs.cisco.com/trackback/7785/LbptwP8B/

More blog posts

Previous post:
What Makes a Security Website Valuable To You?

Next post:
Hacking Small Businesses

Recent posts:
November 2009 Archive

Search

What We're Reading

Subscribe By Email (info)

What's on the Cisco Tube?

Video

Archives