Cyber thieves are stealing the shine off of Remote Deposit Capture by presenting duplicate check images to multiple banks. Some estimates of total duplicate check fraud in the U.S. are now topping $864 million per year.
Remote Deposit Capture (RDC) roared onto the banking scene only five years ago with the promise of capturing new commercial deposits without building branches. Early adopters praised the new technology, claiming it had extended bank geographic footprints at zero cost.
Security for RDC focused on the bank’s commercial customers as they scanned the checks in their deposits. A tight customer agreement plus careful monitoring of activity seemed to protect everyone involved. Unfortunately, the industry didn’t look carefully enough at cyber thieves who have since learned how to intercept check images and present them at multiple financial institutions.
In a recent incident, a group of Russian criminals broke into an online check-image database, reproduced 3,000 checks and sent them to money “mules” for deposit, after which they wired the proceeds to the thieves. Approximately 1,200 U.S. bank accounts lost $9 million in total.
Unfortunately, this is just one statistic in a growing wave of duplicate check presentments. In 2006, banks expected five to seven duplicate items per million payments processed. Today, CONIX reports that high-volume banks intercept between 40 to 100 duplicate items per million payments processed, an increase of more than 1100%.
The reasons for the increase are simple: thieves have discovered a few gaps in the security surrounding RDC and check image databases. First, the thieves have seen that the same payment can be processed through multiple banking channels without detection. Second, the same check payment can be submitted to multiple institutions without detection as well.
The big question is: How quickly can a bank stop a duplicate check? If the duplicate is stopped at the deposit window, there is no impact. If the duplicate is stopped at the end of Day 1, the costs are minimal. If the duplicate is stopped on Day 2 or later, the cost and time to rise exponentially while customer trust plummets.
A further weak point is unencrypted check image databases. Bank regulators do not require their check image databases to be encrypted, and while the NCUA recommends that such databases be encrypted – credit unions aren’t required to encrypt them either. When the machines hosting these databases are infected by botnets, encryption is the institution’s last line of defense.
The good news is that most check image processors do encrypt their databases and duplicate detection systems are available to financial institutions. These systems review check images in two ways: they look for duplicate items within the deposit, and for duplicate items in previous deposits. The bank can set the time frame for how far back the system will look.
Additional solutions include aggregators of check image images – such as check processors, payment clearinghouses, and consortiums which scan check images from hundreds of financial institutions and return items with duplicate MICR lines. An Early Warning System that scans items at the time of deposit can do wonders to cut down on duplicate check fraud.
The ultimate solution will be ‘live payment’ at the time of deposit. That is, the check is processed for payment when deposited, and financial institutions will be prohibited from process it a second time.
Unfortunately, “live payment” technology hasn’t taken hold in enough financial institutions to protect us from duplicate check images. But with proper vigilance, bankers can hold the line against duplicate check images and keep Remote Deposit Capture free of check fraud.
Betsy Didan manages Document Processing for Avon, Conn. – based COCC, Inc., (www.cocc.com), a 44 year old firm specializing in outsourced information technology and support.