Comments on: Checking in on the Security of Chequing http://emergentchaos.com/archives/2008/11/checking-in-on-the-security-of-chequing.html The Emergent Chaos Jazz Combo Mon, 15 Mar 2010 15:02:09 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: J. Oquendo http://emergentchaos.com/archives/2008/11/checking-in-on-the-security-of-chequing.html/comment-page-1#comment-5248 J. Oquendo Fri, 07 Nov 2008 07:33:53 +0000 http://emergentchaos.com/?p=2947#comment-5248 Back in 1991 - 1993 I worked for then Chemical Bank (now JP Morgan Chase+Whoever_Else_We_Bought) in the forgery department of Accounts Reconciliation (55 Water Street NYC ;)) Anyway... I'd moved over from another department and was so excited as I thought I'd be doing something extremely fulfilling... It was only until I learned that investigations meant filling out and faxing paperwork to Dept. of Treasury. No investigations were done, colleagues looked quickly at a signature "matches... doesn't match" fill out the paperwork, let's go play celo now (not kidding). We'd like to believe that there is some uber-secure mechanism for banks and there isn't. I'm almost sure they forgot to mention along with src, dst there is also either the ISO 9362 or 13616 codes... But those are just as simple to snag: <a><a href="http://www.iban-bic.com/blz.0.html?L=2" rel="nofollow"><a href="http://www.iban-bic.com/blz.0.html?L=2" rel="nofollow">http://www.iban-bic.com/blz.0.html?L=2</a></a></a> Back in 1991 – 1993 I worked for then Chemical Bank (now JP Morgan Chase+Whoever_Else_We_Bought) in the forgery department of Accounts Reconciliation (55 Water Street NYC ;)) Anyway… I’d moved over from another department and was so excited as I thought I’d be doing something extremely fulfilling…
It was only until I learned that investigations meant filling out and faxing paperwork to Dept. of Treasury. No investigations were done, colleagues looked quickly at a signature “matches… doesn’t match” fill out the paperwork, let’s go play celo now (not kidding).
We’d like to believe that there is some uber-secure mechanism for banks and there isn’t. I’m almost sure they forgot to mention along with src, dst there is also either the ISO 9362 or 13616 codes… But those are just as simple to snag: http://www.iban-bic.com/blz.0.html?L=2

]]> By: Gunnar http://emergentchaos.com/archives/2008/11/checking-in-on-the-security-of-chequing.html/comment-page-1#comment-5247 Gunnar Thu, 06 Nov 2008 10:43:41 +0000 http://emergentchaos.com/?p=2947#comment-5247 maybe the name "automated clearing" as opposed to say "automated verification" should have been a tip off that the circa late 19th century system is none too resilient. maybe the name “automated clearing” as opposed to say “automated verification” should have been a tip off that the circa late 19th century system is none too resilient.

]]> By: Student http://emergentchaos.com/archives/2008/11/checking-in-on-the-security-of-chequing.html/comment-page-1#comment-5246 Student Thu, 06 Nov 2008 10:36:11 +0000 http://emergentchaos.com/?p=2947#comment-5246 I think there is a very simple explanation for this. The security model of the banks have considered traceability more important the integrity. If somebody manages to do an illegal money transfer you know where the money has gone (so you can get it back) and you know which bank is responsible for it. This is more important than using a complex system to authenticate transfers. Actually this works quite well, for the simple reason that a bank abusing this system risks quickly being removed from the market as the other banks stops trading with it. However, I don't think checks ever were a good idea and there are no real reasons to use them today. I think there is a very simple explanation for this. The security model of the banks have considered traceability more important the integrity. If somebody manages to do an illegal money transfer you know where the money has gone (so you can get it back) and you know which bank is responsible for it. This is more important than using a complex system to authenticate transfers.
Actually this works quite well, for the simple reason that a bank abusing this system risks quickly being removed from the market as the other banks stops trading with it.
However, I don’t think checks ever were a good idea and there are no real reasons to use them today.

]]> By: tim http://emergentchaos.com/archives/2008/11/checking-in-on-the-security-of-chequing.html/comment-page-1#comment-5245 tim Thu, 06 Nov 2008 10:15:38 +0000 http://emergentchaos.com/?p=2947#comment-5245 <blockquote>I argued with him that this was inconceivable</blockquote> I'm surprised you are surprised. The majority of banking transactions, in general, are not that all sophisticated ... Its no surprise that attacks have increased... Wait until you learn how ATM transactions work... (haven't written more than two checks a year for the least 10 years - one to the federal government and one to the state government)

I argued with him that this was inconceivable

I’m surprised you are surprised. The majority of banking transactions, in general, are not that all sophisticated … Its no surprise that attacks have increased… Wait until you learn how ATM transactions work…
(haven’t written more than two checks a year for the least 10 years – one to the federal government and one to the state government)

]]>