However, security experts believe it could open up some especially foreboding issues in the financial services industry. Unisys Corp. has published a white paper entitled, "Is Your Check 21 Implementation a Fraud Hazard?" that discusses possible hazards and ways to mitigate them.
The white paper taps three security experts: Frank W. Abagnale, Ori Eisen and Elazar Katz. Abagnale, the subject of the 2002 Steven Spielberg movie "Catch Me If You Can," is a noted author, lecturer, and consultant on the subjects of forgery, embezzlement and secure documents. He has lectured to and consulted with hundreds of financial institutions, corporations and government agencies around the world for more than 25 years.
Eisen is CEO and president of The 41st Parameter Inc., of Phoenix, which has developed fraud prevention systems for protecting Internet, mail-order and telephone-order merchants against fraud. Eisen served as the Worldwide Fraud Director for American Express, focusing on Internet, MOTO (mail order/telephone order) and counterfeit fraud.
Katz is director of the Active Risk Monitoring Practice at Unisys, specializing in the field of cross-channel risks and the real-time countermeasures required to address large-scale fraud attacks. Katz is currently participating in the Financial Services Technology Consortiums Counter-Phishing task force.
Converting paper checks to digital images has the unintended consequence of significantly reducing the banks recourse to fraud. The image-processing procedure can result in the destruction of the original paper document, eliminating evidence of fraud, which could make it difficult to prosecute check-fraud crimes in the future.
In addition, many banks plan to make digital check images available to their customers online. Since digital items lend themselves to rapid retrieval, transmittal, and storage, converting to digital images opens the door to large-scale fraud, should these images ever be accessed. If the wave of recent phishing attacks is any indication, such fraud is a real possibility.
In the white paper, Eisen describes a check-fraud version of a phishing scam, attributed to gangs from Eastern Europe. The scam begins with a spoof e-mailing campaign intended to trick bank customers to disclose their user name and login passwords.
Using the fraudulently-obtained user names and passwords, the fraudsters retrieve customers monthly statements and check images. Then the fraudsters create high-quality counterfeit checks that are nearly identical in appearance, drawn for an amount that is appropriate for the account, and bearing a scanned signature.
Abagnale brings up the point that fraud detection will be compromised due to the limitations of current check readers. Check 21 legislation requires that the converting financial institution provide warranties that the substitute check includes all the information contained on the original check. Since existing check readers can only scan at resolutions approaching 240 dots per inch while consumer-grade printers and copiers operate at 600 dots per inch or better, existing check readers are unable to distinguish between the appearance of an original item or a copy reproduced on such equipment.
Abagnale believes that banks should encourage customers to use high-security checks with eight or more security features and offer such checks to their customers. He is very concerned about the images available online, given the focus on financial data by scammers.
Katz recommends a multilayer defense approach. One layer would focus on detecting the phishing attack, the next would monitor for suspicious online intelligence-gathering sessions, and the last would focus on detecting the counterfeit check itself. Katz believes this approach would be particularly effective if the various layers could communicate and alert each other of incoming fraud scams.
Eisen concludes that protecting reputation and trust are the most significant reasons for ensuring a safe banking environment. Protecting the e-mail/online channel has hard dollar impact to the cost of doing business.
Unisys is hosting a Web seminar on Check 21 fraud potential on Oct. 28, the day the act goes into effect.