Threat of the Week: Looting via Mobile Remote Deposit Capture
Boma Robert Spero-Jack suddenly has many mouths in banking security making worried sounds.
That’s because the Louisville, Ky., man apparently used mobile remote deposit capture and a Bank of America account to deposit 32 Western Union money orders that he also cashed out at a Kroger. That means he used mobile RDC to in effect double his money.
And this theft now is reigniting old fears that mobile RDC could easily be harnessed by crooks intent on double dipping with the same financial instrument.
One fact makes mobile RDC special. “The payment instrument stays in the hands of the depositor. That’s the unique thing,” said John Leekley, CEO of RemoteDepositCapture.com.
With traditional deposits -- be it at a teller window, an ATM, or via mail - the financial institution physically retains the deposited item, making it difficult for a crook to attempt to deposit it twice.
Not impossible, however, because multiple sources indicated there is a small but continuing problem of photocopied checks that indeed are deposited multiple times.
But with mobile RDC, the thinking is that, somehow, it is easier – safer for the crook – because it is all done remotely.
“We are starting to see more of this,” said Glen Fossella, chief operating officer of branch optimization company CTS North America.
Warned Paul Henninger, an executive with security company Detica, “It’s on the verge of becoming an epidemic.”
Note: there is a vulnerability inherent in today’s mobile RDC. Alan Bernstein, president of Vertifi, the technology-focused subsidiary of Eastern Corporate Federal Credit Union in Burlington, Mass., explained in an email: “Vertifi’s systems send a warning to the FI administrator if a duplicate is detected, and the administrator is able to review both (or several) items to see if the images are indeed the same. If they are, the administrator simply deletes the duplicate(s).
Of course, Vertifi can only warn of a duplicate that has been sent through our systems one or more times, i.e. if the check is deposited electronically through a Vertifi FI customer….and then physically deposited with, say, the Bank of America; there is no way for Vertifi to know this and warn its FI customer. This is indeed one of the inherent risks in this activity.”
Right now, the mobile RDC failing is that communication between institutional systems about the status of a deposited item is laggard. This opens a window of time a crook can exploit.
How much fraud is occurring with MRDC? Nobody knows. There is no central clearinghouse that collects numbers. But Bernstein is adamant that his best guess is that the incidence is minimal.
“What we have for evidence of system abuse through five years of experience is almost exclusively anecdotal,” the EasCorp executive said. “In this regard, the number and dollar losses attributable to outright fraud, such as the type described in the [Boma Robert Spero-Jack] story, and which we have learned about, is absolutely incidental.”
For its part, Bank of America – in response to a Credit Union Times request for comment on the Louisville incident -- emailed this: “The controls and polices to prevent the fraudulent use of our mobile deposit products are very comprehensive. This particular incident was detected and identified, leading to the apprehension of the alleged perpetrator. The security controls established for mobile deposit services as well as all Bank of America products incorporates numerous measures which help deter, prevent and avoid the fraudulent use of our products. Further, Bank of America continuously updates and improves on existing controls when new fraud tactics and methods are identified.”
Are the fraud issues a threat to mobile RDC’s mounting popularity? Not so fast. Said Ricardo Villadiego, founder of security firm Easy Solutions, “This definitely is a solvable problem. It’s a matter of check-clearing institutions agreeing to share information. That will stop fraudulent deposits.”
Danne Buchanan, executive vice president at Fundtech, stressed that, in his mind, there is a lot more security possible via mobile RDC – at its heart a digital transaction, meaning it is easy to apply data science – then there is via deposits made at the analog teller window where a harried employee with scant training in fraud prevention can hardly be counted on to screen out bad items. “I would bet you the risk mitigation is far better with MRDC,” said Buchanan.
Meantime, vendors are racing to offer real-time duplicate detection databases. Early Warning, a security company, said in an interview that it expected to introduce real-time detection probably in 2014. Early Warning said it already is getting perhaps 95% of deposited items on a nightly basis but now the drive is for real-time analytics to shut the window some crooks are seeking to exploit. “Financial institutions really want this. There is a lot of demand,” said Early Warning executive Tony Selway.
Experts also stressed that even without real-time duplicate detection, good security hygiene practiced around MRDC ought to keep the channel relatively safe. Some financial institutions do not offer it at all to new accounts - making accountholders wait perhaps six months before gaining access.
Many withdraw MRDC privileges if there is more than one duplicate deposit irregularity in a year. Almost all cap the amounts that can be involved in MRDC – $3,000 is an oft-cited ceiling – thus also limiting potential losses.
Take those kinds of steps – where MRDC access is tiered to the particulars of an individual accountholder – and suddenly risks shrink and the worries of a Spero-Jack type heist simply vanish.