Boma Robert Spero-Jack suddenly has many mouths in banking security making worried sounds.

That's because the Louisville, Ky., man apparently used mobile remote deposit capture and a Bank of America account to deposit 32 Western Union money orders that he also cashed out at a Kroger. That means he used mobile RDC to in effect double his money.

All in all, Spero-Jack made off with $12,620, according to police reports.

And this theft is now reigniting old fears that mobile RDC could easily be harnessed by crooks intent on double dipping with the same financial instrument.

One fact makes mobile RDC special. “The payment instrument stays in the hands of the depositor. That's the unique thing,” said John Leekley, CEO of RemoteDepositCapture.com.

With traditional deposits – be it at a teller window, an ATM, or via mail – the financial institution physically retains the deposited item, making it difficult for a crook to attempt to deposit it twice.

Not impossible, however, because multiple sources indicated there is a small but continuing problem of photocopied checks that indeed are deposited multiple times.

But with mobile RDC, the thinking is that, somehow, it is easier – safer for the crook – because it is all done remotely.

“We are starting to see more of this,” said Glen Fossella, chief operating officer of branch optimization company CTS North America.

Warned Paul Henninger, an executive with security company Detica, “It's on the verge of becoming an epidemic.”

Note: there is a vulnerability inherent in today's mobile RDC. Alan Bernstein, president of Vertifi, the technology-focused subsidiary of Eastern Corporate Federal Credit Union in Burlington, Mass., explained in an email: “Vertifi's systems send a warning to the FI administrator if a duplicate is detected, and the administrator is able to review both (or several) items to see if the images are indeed the same. If they are, the administrator simply deletes the duplicate(s).

Of course, Vertifi can only warn of a duplicate that has been sent through our systems one or more times, i.e. if the check is deposited electronically through a Vertifi FI customer… and then physically deposited with, say, the Bank of America; there is no way for Vertifi to know this and warn its FI customer. This is indeed one of the inherent risks in this activity.”

Right now, the mobile RDC failing is that communication between institutional systems about the status of a deposited item is laggard. This opens a window of time a crook can exploit.

How much fraud is occurring with MRDC? Nobody knows. There is no central clearinghouse that collects numbers. But Bernstein is adamant that his best guess is that the incidence is minimal.

“What we have for evidence of system abuse through five years of experience is almost exclusively anecdotal,” the EasCorp executive said. “In this regard, the number and dollar losses attributable to outright fraud, such as the type described in the [Boma Robert Spero-Jack] story, and which we have learned about, is absolutely incidental.”

For its part, Bank of America – in response to a Credit Union Times request for comment on the Louisville incident – emailed this: “The controls and policies to prevent the fraudulent use of our mobile deposit products are very comprehensive. This particular incident was detected and identified, leading to the apprehension of the alleged perpetrator. The security controls established for mobile deposit services as well as all Bank of America products incorporate numerous measures which help deter, prevent and avoid the fraudulent use of our products. Further, Bank of America continuously updates and improves on existing controls when new fraud tactics and methods are identified.”

Are the fraud issues a threat to mobile RDC's mounting popularity? Not so fast. Said Ricardo Villadiego, founder of security firm Easy Solutions, “This definitely is a solvable problem. It's a matter of check-clearing institutions agreeing to share information. That will stop fraudulent deposits.”

Danne Buchanan, executive vice president at Fundtech, stressed that, in his mind, there is a lot more security possible via mobile RDC – at its heart a digital transaction, meaning it is easy to apply data science – than there is via deposits made at the analog teller window where a harried employee with scant training in fraud prevention can hardly be counted on to screen out bad items. “I would bet you the risk mitigation is far better with MRDC,” said Buchanan.

Meantime, vendors are racing to offer real-time duplicate detection databases. Early Warning, a security company, said in an interview that it expected to introduce real-time detection probably in 2014. Early Warning said it already is getting perhaps 95% of deposited items on a nightly basis but now the drive is for real-time analytics to shut the window some crooks are seeking to exploit. “Financial institutions really want this. There is a lot of demand,” said Early Warning executive Tony Selway.
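
The detection window described above, as an added illustration that is not from the article or from any vendor named in it: a replay of constructed presentments against a shared duplicate registry, comparing nightly uploads with real-time lookups. The item key (issuer, serial, amount), the 02:00 batch time, the institution names and the membership set are all assumptions.

```python
import hashlib
from datetime import datetime, timedelta

def fingerprint(issuer, serial, cents):
    """Key identifying one paper item (assumed fields, not a real registry schema)."""
    return hashlib.sha256(f"{issuer}|{serial}|{cents}".encode()).hexdigest()

def next_batch(ts, hour=2):
    """First nightly upload strictly after ts (the 02:00 run time is an assumption)."""
    run = ts.replace(hour=hour, minute=0, second=0, microsecond=0)
    return run if run > ts else run + timedelta(days=1)

def screen(presentments, members, realtime):
    """Replay presentments against a shared registry; return one finding per duplicate."""
    visible = {}    # fingerprint -> when the first presentment becomes visible to members
    findings = []
    for ts, inst, issuer, serial, cents in sorted(presentments):
        if inst not in members:
            continue    # non-member: the item is neither recorded nor screened
        fp = fingerprint(issuer, serial, cents)
        if fp not in visible:
            visible[fp] = ts if realtime else next_batch(ts)
            continue
        blocked = visible[fp] <= ts    # was the first record visible at presentment time?
        findings.append({
            "serial": serial,
            "institution": inst,
            "blocked": blocked,
            # an unblocked duplicate surfaces only when its own record is uploaded
            "detected_at": ts if blocked else next_batch(ts),
        })
    return findings

D = datetime
# Constructed sample data: (time, institution, issuer, serial, amount in cents)
SAMPLE = [
    (D(2024, 1, 8, 10, 0), "FI-A", "ISSUER-X", "0001", 40000),   # mobile deposit
    (D(2024, 1, 8, 14, 30), "FI-B", "ISSUER-X", "0001", 40000),  # same item, same day
    (D(2024, 1, 8, 11, 0), "FI-A", "ISSUER-X", "0002", 35000),
    (D(2024, 1, 10, 9, 0), "FI-B", "ISSUER-X", "0002", 35000),   # same item, two days later
    (D(2024, 1, 8, 12, 0), "FI-A", "ISSUER-X", "0003", 25000),
    (D(2024, 1, 8, 16, 0), "FI-Z", "ISSUER-X", "0003", 25000),   # FI-Z is not a member
]
MEMBERS = {"FI-A", "FI-B"}

if __name__ == "__main__":
    for mode in (False, True):
        print("realtime" if mode else "nightly", screen(SAMPLE, MEMBERS, mode))
```

With nightly uploads the same-day duplicate is paid out and flagged only after the next batch; with real-time lookups it is stopped at presentment. The item re-presented at a non-member institution produces no finding in either mode, which is the gap Bernstein describes.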

Experts also stressed that even without real-time duplicate detection, good security hygiene practiced around MRDC ought to keep the channel relatively safe. Some financial institutions do not offer it at all to new accounts – making accountholders wait perhaps six months before gaining access.

Many withdraw MRDC privileges if there is more than one duplicate deposit irregularity in a year. Almost all cap the amounts that can be involved in MRDC – $3,000 is an oft-cited ceiling – thus also limiting potential losses.

Take those kinds of steps – where MRDC access is tiered to the particulars of an individual accountholder – and suddenly risks shrink and the worries of a Spero-Jack type heist simply vanish.
