Wednesday, February 8, 2023

On Resisting Check Fraud

When I first began to bank in the 50s, we did not have pre-printed personal checks or account numbers.  The only identification on a personal check was the signature.  The operators who processed the checks identified the account from the signature.  While this was an error-prone process, they were very good at it.


At the time, most checks were written by businesses.  We printed the checks on special paper, in multiple steps and fonts.  The amounts and signature facsimiles were often mechanically pressed into the paper rather than simply printed.  All of this was intended to make checks, particularly business checks for relatively large amounts, difficult to forge.  

Much has changed since then.  The introduction of MICR was the impetus for account numbers and pre-printed personal checks.  This not only reduced errors but also fraud. In the modern world, we use direct deposit for routine payments to those parties whose banks and account numbers are known to us.  While we still think of these as "checks," i.e., payments from demand deposit accounts, most are electronic and are never reduced to paper.  Even individuals may use "online banking," rather than writing checks, to make payments.  While some of these payments may result in the preparation of a paper check, it will not contain a signature for authentication.

Today, paper checks, when used, are often printed on plain paper in one step, including the facsimile of the signature.  The bank does not rely on the paper to know that the transaction is authorized but on an out-of-band confirmation known as "positive pay."  In this system the check is sent to the payee and a message noting the amount and check number is sent to the bank on which it is drawn.  When the check is presented to the bank for collection it must reconcile to the message.  Actually, the paper is never presented to the paying bank but is converted to an electronic facsimile by the bank of first deposit.
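The reconciliation described above can be sketched in a few lines. This is an added example, not part of the original post and not any bank's actual system. The class and field names, the amounts in cents and the sample data are assumptions, and the check for a number that has already been paid goes one step beyond the amount and check number match the text describes.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PAY = "pay"
    NOT_ISSUED = "exception: check number not in issue file"
    AMOUNT_MISMATCH = "exception: amount differs from issue file"
    ALREADY_PAID = "exception: check number already paid"


@dataclass(frozen=True)
class Item:
    check_number: str
    amount_cents: int


class PositivePayLedger:
    """Paying-bank side: holds the issue messages sent by the drawer."""

    def __init__(self):
        self._issued = {}    # check_number -> amount_cents
        self._paid = set()   # check numbers already honored

    def record_issue(self, item):
        # Arrives on a channel separate from the paper sent to the payee.
        self._issued[item.check_number] = item.amount_cents

    def present(self, item):
        # Nothing printed on the check is trusted; only the issue record is.
        if item.check_number not in self._issued:
            return Decision.NOT_ISSUED
        if item.check_number in self._paid:
            return Decision.ALREADY_PAID
        if self._issued[item.check_number] != item.amount_cents:
            return Decision.AMOUNT_MISMATCH
        self._paid.add(item.check_number)
        return Decision.PAY


def reconcile(issue_file, presented):
    ledger = PositivePayLedger()
    for item in issue_file:
        ledger.record_issue(item)
    return [(p, ledger.present(p)) for p in presented]


# Constructed sample data, for illustration only.
ISSUE_FILE = [Item("1001", 125_000), Item("1002", 48_050)]
PRESENTED = [Item("1001", 125_000), Item("1002", 480_500),
             Item("1003", 9_900), Item("1001", 125_000)]

if __name__ == "__main__":
    for item, decision in reconcile(ISSUE_FILE, PRESENTED):
        print(item.check_number, item.amount_cents, decision.value)
```

Items that come back as exceptions are the ones a bank would return or confirm with the drawer before paying.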

 In the seventy years since I wrote my first check, I have only had one transaction turn on the authenticity of the signature.  This was last year on the pre-printed check to pay my real estate tax.  Admittedly, it really was a bad example of my signature.  I was impressed that someone was watching and checking.  

Reconciling signatures must be a very scarce skill these days.  That said, in addition to knowing their customers, banks are responsible for ensuring that transactions, e.g., checks, are properly authorized.  For business accounts, we now use "positive pay"; we do not rely on anything on the paper.  However, for individuals we take the risk, rely on the signature, return any questionable items, i.e., reversibility, or confirm out of band.  All of these involve cost.  Therefore, we use them in combination to minimize cost and risk.

Thursday, February 2, 2023

On Over Classification

In the US government, we have a pervasive problem of over classification. https://www.cnn.com/videos/tv/2023/01/27/exp-gps-0129-fareeds-take-us-classification-system.cnn This results from a number of factors.  First, almost any author or officer can Classify data, that is, specify, among other things, how much is to be spent to protect the data.  Said another way, he specifies how much others must spend to protect the data but may not incur the cost of protection himself.


Second, the authority to classify does not include the authority to change the classification.  Once the data has been labeled, often with a rubber stamp, it is too late to change it.  The implicit assumption is that the decision, once made, is irrevocable.  The decision is reviewable, even by a higher authority, but following a procedure specified for the class.

Third, and as already noted, the classification includes a specification about the procedure that must be followed to lower the classification.  The higher the classification, the more rigorous and expensive the process.  Since the cost of declassifying may be equal to or even greater than the cost of declassifying, declassifying is rare.  


In enterprise, things are a little different.  The authority to classify includes the authority to re-classify or declassify.  The classifier's authority comes from his role; it is not arbitrary.  Classification is normally limited in time.  Because sensitivity decreases with age, because we are normally protecting plans and rarely sources, by default classification ends automatically, usually in no more than three years, unless renewed.

On "Sensitive but unclassified."

In government, "Classified," with a capital C, is a term of art.  It refers to data which the classifier believes requires some level of protection, rather than to the decision about the data.  This results in this strange expression.  To say that something is "sensitive but unclassified" is to classify it in the sense of the literal English meaning of the word but not in the meaning of the term of art.  It is an attempt to get around the fact that the government has co-opted the word Classified for its own use.