A US man in Louisville, Kentucky has manifested a nightmare that has long been haunting bankers: 34-year-old Boma Robert Spero-Jack has been arrested for allegedly double-cashing checks by using mobile banking with good old-fashioned Western Union money orders.
According to local news outlet WDRB News, the arrest report says that Spero-Jack went into several Kroger stores and bought at least 32 Western Union money orders, each for between $195 and $500.
He allegedly then left the store and deposited the money into his Bank of America checking or savings account via mobile remote deposit capture (MRDC).
What that entails, quite simply, is capturing an image of a check - which can be done with a plain old consumer scanner, as shown in this video from insurer USAA - and sending it to your bank.
Some banks even allow customers to capture the check image with their mobile phones or other consumer device cameras.
Police allege that after he remotely deposited the money orders, Spero-Jack then turned around and headed right back to a Kroger store to cash the same money order.
Next, he'd withdraw the same amount from his bank account, according to police, for a total of $12,620 worth of double-dipping.
Spero-Jack was charged with theft by unlawful taking.
According to the Credit Union Times' Robert McGarvey, the incident is stirring up long-held fears about MRDC.
There are no clearinghouses to track incidents of MRDC fraud. Whether it's growing more common depends on whom you talk to.
McGarvey talked to Paul Henninger, an executive with security company Detica, who told him that this type of fraud is verging on “an epidemic.”
But Alan Bernstein, president of Vertifi, the technology-focused subsidiary of Eastern Corporate Federal Credit Union, says it's anything but:
"What we have for evidence of system abuse through five years of experience is almost exclusively anecdotal... In this regard, the number and dollar losses attributable to outright fraud, such as the type described in the [Boma Robert Spero-Jack] story, and which we have learned about, is absolutely incidental."
At any rate, what we do know, as Bernstein pointed out, is that there's an inherent vulnerability in today's MRDC technology.
Vertifi's systems do send a warning if it detects a duplicate image, allowing an administrator to review items to check if they're really the same.
If the images are the same, the administrator just deletes the duplicate.
However, there's lag time between flagging duplicates, giving criminals a window of time to exploit the system.
The risk vanishes, McGarvey writes, if and when:
- Vendors manage to offer real-time duplicate detection databases - something they're rushing to do;
- Good security hygiene is practiced, such as if banks were to offer MRDC only to customers after they've had access to their accounts for, say, six months; and
- MRDC privileges are revoked if an account holder has more than one duplicate deposit in a year.
From a crook's perspective, the scheme has an upside - it seems, somehow, easier and safer because it's done remotely - and the downside of having to pony up the money to buy, for example, a Western Union money order.
As Krebs and others, such as McGarvey, note, a particularly worrisome prospect is that organized criminal gangs will latch onto the exploitation of MRDC.
Examples of such gangs include the Chicago woman sentenced in August 2012 for managing an ATM-sucking gang of money mules who used bogus accounts, PINs and ATM cards to drain more than $9 million from WorldPay US in what was called the "most sophisticated and organised computer fraud attack ever".
The MRDC vendors are said to already be hard at work to get the technology more scam-proof.
Hopefully, this Kentucky bust will fan the fire and get them to the desired goal before organized crime does latch onto this exploit, and banks will further lock down requirements for using MRDC.