Wednesday, March 1, 2023

Check Fraud?

 I recently saw a great video https://www.bankinfosecurity.com/how-to-fight-check-fraud-look-beyond-technology-a-21299?rf=2023-02-27_ENEWS_SUB_BIS__Slot1_ART21299&mkt_tok=MDUxLVpYSS0yMzcAAAGKMqJfI2i87GCnqQPTeoRoYMCf1EEHC1AJ4qh708AIYOhT0Q8JFA_5fWC2pELiMEUqWwUPXl7I0l13QQJQKJapHyHw3oF_eWabtx5ta8nuZ8aR4A by Karen Boyer, Sr. VP of M&T Bank on how to fight check fraud, a topic that I recently addressed.   However, the problem that she addressed was not so much "check fraud" as frauds involving checks.  

I see two different problems here, and faster reversibility is not addressing either. First is stolen legitimate checks deposited to fraudulent accounts. This is a classic "know your customer" problem. This problem is aggravated by the banks' desire for new accounts and initial deposits. One can set up an account, deposit a stolen check to it, and transfer or withdraw the funds, all without ever having gotten close to a bank officer or even a human, non-automated, decision.

The second is alteration, amount or payee, of an otherwise legitimate check before deposit to a fraudulent account. "Know your customer," positive pay, and online banking all apply here. (I no longer have to wait for a statement in the mail to recognize fraudulent activity to my account, as I did seventy years ago when I first began to write checks. I can see it daily.)

All that said, these powerful controls no longer appear to be sufficient. The demand deposit system used to have, and relied upon, controls to ensure that banks only did business with people and institutions from whom they knew they could recover. In the name of popular banking and fast availability of funds, many of those controls have been watered down.  


Ms. Boyer cautions banks to "monitor accounts."  I encourage depositors to use online banking to do the same.  While the depositor is not responsible for fraud, someone has to recognize it, the earlier the better.


When I think up a solution, I will get back to you.

Apologia

 As of March 15, 2023 I will no longer be associated with InfraGard.  The FBI has set conditions for continued association that I am not willing to meet.  It behooves me to explain my position.  

The InfraGard web site was recently compromised.  The FBI has been less than forthcoming about the compromise but they have admitted that personal data of their constituents, including e-mail addresses and employment, have been compromised.  They have not offered any compensation or remedies to said constituents.

As a matter of policy I do not do business with management in which I have lost confidence.  Specifically I do not continue to use web sites that have proven unable to protect my personal data.  The FBI has made it a condition of continued InfraGard membership that members must routinely use the compromised web site and that they do so no later than March 15, 2023.  I will not meet that condition.

More over the FBI requires that members provide additional personal data to the web site so that they can reverify one's identity and conduct a criminal background check.  There can be only two reasons for such procedures.  First Colonel Blimp is once more covering his derriere.  Second, he has lost confidence in the database, believes it to be contaminated with fraudulent entries. If they do not trust it, I certainly do not.  

They have announced that they intend to turn personal information over to a third party for authentication.  Not only do they expect me to trust the management that has already demonstrated that they cannot protect my data, they expect me to trust an additional unnamed party, a party that is already in the data collection and exploitation business. I have no interest in improving the quality of their data.  

Most of you are far too young to remember the House UnAmerican Activities Committee and their actions.  Careers were destroyed.  One of the things that we learned from their proceedings was that mere friendship, association, was sufficient to create a presumption of guilt and to place the burden of proof on the accused.  If the InfraGard database disclosed nothing else, it disclosed associations.  (I would not want my e-mail used to query a (just for example, the NSA) database.  None of us is  more than six degrees of separation from a foreigner, terrorist, or criminal.  The three degrees of association that the authorities will admit to might implicate hundreds of thousands.)   

It is clear that we, the FBI and I, no longer enjoy mutual trust.  However they expect me to reestablish my bona fides before they have demonstrated theirs.  It was not I that failed and created this situation.  Given the rather one-sided relationship between the FBI and their InfraGard constituency, it does not surprise me that they want the constituents to bear the cost of remediating their database.

I am late into my ninth decade.  My continued association with InfraGard is limited at best.  Moreover, I enjoy mutual trust with a large number of colleagues, trust that preceded the founding of InfraGard.  I do not expect others to follow my example but I did think it useful for me  to give warning and share my reasoning.