Mobile Caution

Remote deposit fraud confirms the value of vigilance and information sharing

By Katie Kuehner-Hebert

It was bound to happen sooner or later, payments experts say: someone stealing thousands of dollars through duplicate deposits using remote deposit capture on a smartphone.

The good news is that financial institutions and check cashers can minimize such payment thefts by sharing more information and by following their familiar “Know Your Customer” rules for their mobile banking practices.

In Louisville, Ky., a 34-year-old man was arrested in June for using mobile banking to steal thousands of dollars from multiple Kroger grocery stores and Bank of America, according to police reports and news accounts. Those reports say the man first purchased at least 32 Western Union money orders in several different Kroger stores, each for individual amounts ranging from $195 to $500. He then deposited each money order into his Bank of America demand deposit account via a mobile remote deposit service, and then went back into several Kroger stores and cashed each money order.

Later the man went to a Bank of America branch and withdrew the amount of each money order from his account. In this way, by making multiple duplicate deposits and withdrawals, he stole $12,620 over a short period of time.

A Bank of America spokeswoman offered only this broad statement about those events: “The security controls established for mobile deposit services, as well as all Bank of America products, incorporate numerous measures which help deter, prevent and avoid the fraudulent use of our products. Further, Bank of America continuously updates and improves on existing controls when new fraud tactics and methods are identified.”

However, Brian Krebs, author of the Krebs on Security blog, points out that the Kentucky mobile deposit thief exploited a timing attack on the banking system—and that similar schemes are still surely being perpetrated. “Any time you see one incident, it’s usually an indicator of a larger trend going on,” says Krebs, who has written about more than 100 similar cases of account fraud involving mobile remote deposit capture.

“But I’ve only written about those victim companies that were OK with me covering their plight,” he points out.

In an ICBA Community Bank Payments Survey this year, 43 percent of respondents said they now offer or plan to soon offer consumer remote deposit capture; in 2011, 21 percent had planned to do so by now. Nevertheless, community bankers understand that mobile banking is still a relatively young customer service channel and have acted accordingly, says Cary Whaley, ICBA vice president of payments and technology policy. So banks rolling out mobile services have been thinking through and adjusting their fraud prevention policies to account for the real-world use of mobile services and other new technologies.

“As we’re moving toward remote deposit capture, kiting doesn’t go away just because float goes away,” Whaley says. “Now duplicate checks can be sent in multiple payment channels.”

To minimize duplicate deposits using a mobile device, many community banks are applying their current “Know Your Customer” procedures for that channel, Krebs says. For example, many banks have set in place approval processes for mobile deposit that consider a customer’s account history, including how long he or she has been a customer of the bank. Additionally, as standard procedure, some banks limit the number or amount of daily mobile deposit transactions that a customer is allowed to generate, as they would for ATM withdrawals.

Community banks should limit the content of SMS, or text messaging alerts, as they are not yet secure enough for transmitting account information, Krebs says.

Other fraud prevention steps for mobile channels could incorporate transactional analysis now used in check processing—looking at high-risk factors or red flags such as checks with large-denominated payments, a high number of checks being deposited or cashed, or a series of several transactions over a short period of time, says Al Pascual, a senior security and fraud analyst for Javelin Strategy & Research in Pleasanton, Calif.

“Many institutions already perform this analysis, but remote deposit capture allows criminals to create new problems,” Pascual says.

Moreover, ICBA and other industry players take the position that payment clearing times should be faster across the board, Whaley says. To accomplish this safely in today’s accelerated payments environment, however, community banks should consider processing multiple clearing windows throughout the day, rather than processing just one batch of transactions at the end of the day.

Meanwhile, although knowing your customer is important, knowing the capabilities of your IT vendors is also paramount. As they do for other IT services, community banks providing mobile banking should perform careful due diligence on all their mobile vendors, particularly the vendor writing the bank’s mobile banking gateway app, Whaley says. How is the app being coded? How trustworthy is that software developer? How should the bank communicate to the public that its app is trustworthy?

Whaley points out that mobile payment services also heighten the need to monitor customer activity across channels to guard against electronic forms of traditional check kiting. To help minimize potential duplicate deposit problems, some mobile deposit vendors are also working with banks and check cashers to track and share when items have been processed, Krebs says. Such collaboration would limit the potential damage and shorten the time frame that a fraudster could use to “beat the clock” and manipulate a transaction posting process.

“If a bank is going to offer mobile deposit capture, I would recommend a partnership, as knowledge sharing is really going to be the key for preventing this kind of behavior,” Pascual adds.
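
The controls described above (daily mobile deposit limits, red flags for a series of transactions in a short period, and a shared record of processed items) can be sketched as a single screening pass. This is an added example, not a system used by any institution named in the article; the thresholds, channel names and field names are assumptions, and it assumes each item carries an issuer and serial number that every participant records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; the article names these kinds of limits but no figures.
MAX_ITEMS_PER_DAY = 5
MAX_AMOUNT_PER_DAY = 1500.00
BURST_COUNT, BURST_WINDOW = 3, timedelta(hours=1)

def review(events):
    """Scan time-ordered events; return a list of (event_index, reason) alerts."""
    alerts = []
    first_seen = {}                         # shared record: (issuer, serial) -> channel
    daily = defaultdict(lambda: [0, 0.0])   # (account, date) -> [item count, total]
    recent = defaultdict(list)              # account -> recent mobile deposit times
    for i, e in enumerate(events):
        item = (e["issuer"], e["serial"])
        if item in first_seen:
            alerts.append((i, "duplicate presentment; first seen via " + first_seen[item]))
        else:
            first_seen[item] = e["channel"]
        if e["channel"] != "mobile_rdc":
            continue                        # limits below apply to mobile deposits only
        day = daily[(e["account"], e["time"].date())]
        day[0] += 1
        day[1] += e["amount"]
        if day[0] > MAX_ITEMS_PER_DAY:
            alerts.append((i, "daily mobile item limit exceeded"))
        if day[1] > MAX_AMOUNT_PER_DAY:
            alerts.append((i, "daily mobile amount limit exceeded"))
        window = [t for t in recent[e["account"]] if e["time"] - t <= BURST_WINDOW]
        window.append(e["time"])
        recent[e["account"]] = window
        if len(window) >= BURST_COUNT:
            alerts.append((i, "burst of mobile deposits in a short period"))
    return alerts

def ev(minute, channel, account, serial, amount):
    """Build one constructed event, `minute` minutes after an arbitrary start."""
    return {"time": datetime(2024, 1, 8, 9, 0) + timedelta(minutes=minute),
            "channel": channel, "account": account,
            "issuer": "EXAMPLE-ISSUER", "serial": serial, "amount": amount}

# Constructed sample data (not from the case): three mobile deposits, then the
# first item is presented again at a check-cashing counter.
SAMPLE = [
    ev(0, "mobile_rdc", "DDA-1", "MO-1001", 500.00),
    ev(10, "mobile_rdc", "DDA-1", "MO-1002", 450.00),
    ev(25, "mobile_rdc", "DDA-1", "MO-1003", 195.00),
    ev(90, "retail_counter", None, "MO-1001", 500.00),
]
```

Calling `review(SAMPLE)` flags the third mobile deposit as a burst and the counter presentment as a duplicate; the duplicate check only works if the bank and the check casher write to the same record of processed items.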

For the Bank of America fraud case in Kentucky, the first money order cashed and cleared through Western Union was the one to be paid, Whaley says. If the money order that was deposited through Bank of America cleared at Western Union before the money order was cashed at Kroger, then Kroger would have taken the loss, he points out. “It’s really a race to get the money.”

Katie Kuehner-Hebert is a financial writer in California.