Mobile banking presents new fraud risks


By Bob Sullivan, ThirdCertainty

Can someone cash a check you’ve written more than once? Yes, thanks to the intersection of old and new banking technology. Impossible until recently—payees formerly were required to hand over paper checks during a deposit—some experts predict “double presentment” will be the source of a new fraud wave coming soon. And even if you don’t use mobile banking, you might have to foot the bill.

It happened to Louise Moon Rosales of Vermont. Twice in the past year, she wrote checks to pay for small services such as yard work. Both were cashed … and then cashed a second time a few months later. Her bank honored both payments. For example: a $100 check she wrote to a high school student for yard work was cashed in December, and then again in April. How?


The student used a new, popular checking account tool called “remote deposit capture,” and deposited the check with his cell phone. Check recipients who do that get to keep the paper check, rather than hand it over to a teller or an ATM. That means the check can be deposited a second time, a problem known in banking as “double presentment.”

“I totally could have missed it,” Rosales said. “I use online Quicken to reconcile the accounts, and that’s how I found it.”

Dealing with duplicates

It seems almost too simple: criminals re-depositing the same check multiple times. But with the meteoric rise of mobile banking and remote deposit capture, banks are racing to compete with one another to offer the service. That means they’re beginning to favor speed over safety.

And there’s another element that makes mobile banking ripe for the next wave of fraud, predicts analyst Shirley Inscoe of Aite Group. With “EMV” credit card chips finally becoming a reality in the United States, eliminating one popular kind of fraud, criminals will aggressively hop to another technique to replace lost income.

“I predict that organized fraud rings—which will be actively looking for new targets as EMV becomes more widely used—will discover (mobile remote deposit capture) in a big way,” she said.

Spotting fraud takes time, and use of fraud-fighting technologies is always a tight balancing act of convenience vs. security. It seems logical that a bank would quickly scan check numbers to make sure the same check hasn’t been deposited before, but for small dollar amounts, even that level of delay can be seen as unnecessary. Still, banks have historically been good at catching double presentment at the same institution using the same channel, says analyst Bob Meara of Celent, a research and consulting firm focused on IT in the financial services sector.

Cashing the same check twice

But if criminals use different channels—first time on a phone, second time at an ATM—that gets trickier. And depositing the same check into multiple different checking accounts at multiple banks? Well, that’s a big problem.

“Even the most rigorous deposit review mechanisms are powerless to identify and reject items that have been previously deposited at other financial institutions,” Meara writes.

“Accidental double presentment” occurs when a consumer isn’t sure if she/he (or a spouse) previously cashed a check. The problem is a new one for consumers, who aren’t used to hanging onto physical checks after they’ve been cashed. Some banks tell consumers to hold onto them for a month or more, leading to inevitable confusion over what’s been cashed and what hasn’t.

Until recently, banks have been very judicious about granting remote deposit privileges to account holders, which has kept fraud rates very low. Tenure with the institution, deposit history, and average daily balances have dictated which consumers or businesses were granted mobile deposit eligibility. Banks also have established low maximum daily deposit limits, another disincentive for fraud. Meara says fraud has been extremely low.

But with the new, highly competitive environment, pressure to accept remote deposits from anyone, and for high deposit limits, has led to lowering of standards, Inscoe said. That means more fraud.

RED TAPE WRESTLING TIPS

Watch for checks cashed twice. Don’t rely on your bank’s department to catch the problem.

Even if you don’t use mobile banking, you can be a victim. All that matters is the criminal/absent-minded payee uses remote deposit capture. All you have to do is write an old-fashioned check to be a victim of the latest banking fraud.
