Kentucky man charged with using scans of checks to double-dip funds

Filed Under: Featured, Law & order, Security threats, Vulnerability

Western Union. Image courtesy of ShutterstockA US man in Louisville, Kentucky has manifested a nightmare that has long been haunting bankers: 34-year-old Boma Robert Spero-Jack has been arrested for allegedly double-cashing checks by using mobile banking with good old-fashioned Western Union money orders.

Security reporter Brian Krebs spotted the news as reported by the Credit Union Times.

According to local news outlet WDRB News, the arrest report says that Spero-Jack went into several Kroger stores and bought at least 32 Western Union money orders, each for between $195 and $500.

He allegedly then left the store and deposited the money into his Bank of America checking or savings account via mobile remote deposit capture (MRDC).

What that entails, quite simply, is capturing an image of a check - which can be done with a plain old consumer scanner, as shown in this video from insurer USAA - and sending it to your bank.

Some banks even allow customers to capture the check image with their mobile phones or other consumer device cameras.

Mobile banking. Image courtesy of ShutterstockPolice allege that after he remotely deposited the money orders, Spero-Jack then turned around and headed right back to a Kroger store to cash the same money order.

Next, he'd withdraw the same amount from his bank account, according to police, for a total of $12,620 worth of double-dipping.

Spero-Jack was charged with theft by unlawful taking.

According to the Credit Union Times' Robert McGarvey, the incident is stirring up long-held fears about MRDC.

There are no clearinghouses to track incidents of MRDC fraud. Whether it's growing more common depends on whom you talk to.

McGarvey talked to Paul Henninger, an executive with security company Detica, who told him that this type of fraud is verging on “an epidemic.”

But Alan Bernstein, president of Vertifi, the technology-focused subsidiary of Eastern Corporate Federal Credit Union, says it's anything but:

"What we have for evidence of system abuse through five years of experience is almost exclusively anecdotal... In this regard, the number and dollar losses attributable to outright fraud, such as the type described in the [Boma Robert Spero-Jack] story, and which we have learned about, is absolutely incidental."

At any rate, what we do know, as Bernstein pointed out, is that there's an inherent vulnerability in today's MRDC technology.

Vertifi's systems do send a warning if it detects a duplicate image, allowing an administrator to review items to check if they're really the same.

If the images are the same, the administrator just deletes the duplicate.

However, there's lag time between flagging duplicates, giving criminals a window of time to exploit the system.

The risk vanishes, McGarvey writes, if and when:

  • Vendors manage to offer real-time duplicate detection databases - something they're rushing to do;
  • Good security hygiene is practiced, such as if banks were to offer MRDC only to customers after they've had access to their accounts for, say, six months; and
  • MRDC privileges are revoked if an account holder has more than one duplicate deposit in a year.

From a crook's perspective, the scheme has an upside - it seems, somehow, easier and safer because it's done remotely - and the downside of having to pony up the money to buy, for example, a Western Union money order.

As Krebs and others, such as McGarvey, note, a particularly worrisome prospect is that organized criminal gangs will latch onto the exploitation of MRDC.

ATM. Image courtesy of ShutterstockExamples of such gangs include the Chicago woman sentenced in August 2012 for managing an ATM-sucking gang of money mules who used bogus accounts, PINs and ATM cards to drain more than $9 million from WorldPay US in what was called the "most sophisticated and organised computer fraud attack ever".

The MRDC vendors are said to already be hard at work to get the technology more scam-proof.

Hopefully, this Kentucky bust will fan the fire and get them to the desired goal before organized crime does latch onto this exploit, and banks will further lock down requirements for using MRDC.

Image of Western Union, mobile banking, and ATM courtesy of Shutterstock.

, , , , , , , ,

You might like

5 Responses to Kentucky man charged with using scans of checks to double-dip funds

  1. EJHonda · 803 days ago

    I've just recently started using my bank's app to perform a scanned deposit, and the thought occurred to me that this might be relatively easy to abuse. One aspect I'm concerned about is what happens to paper checks once an individual has deposited it. You can probably trust the bank to securely store or dispose of the paper check, but it's anybody's guess as to what happens to a check once you hand it over to an individual who is going to scan it. There's no guarantee they'll shred it or otherwise dispose of it properly.

  2. robertwitham · 803 days ago

    I'm not surprised to read someone tried this scam, but I am surprised that banks don't already have a better system in place to prevent duplicates. I use mobile deposits with one account - for the one check I receive each month for some freelance work. I also write precisely one check each month for a bill I cannot pay electronically.

  3. Anonymous · 802 days ago

    I'm surprised no one has made the connection of 34-year-old Boma Robert Spero-Jack to Captain Jack Sparrow.

  4. matt · 801 days ago

    Charged with "theft by unlawful taking"? Really? There's such a law?

    Is there also a "murder by unlawful killing"?

  5. Ericka · 168 days ago

    I accidently double deposited the same check in two different banks. It was an innocent mistake because I forgot to mark it as deposited. The money was taken back out of the first bank I deposited it to. I was so scared at first, but It was an accident.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.