[Cryptography] Paper check security

Arnold Reinhold agr at me.com
Thu Oct 1 20:05:51 EDT 2015 

> On Oct 1, 2015, at 5:08 PM, John Levine <johnl at iecc.com> wrote:
> 
>> But I haven't heard anything at all about the security of paper
>> checks. Banks now allow such checks to be deposited by scanning them
>> or even photographing them with a smart phone. This defeats more than
>> a century of inventions designed to make paper checks unforgeable. ...
> 
> A lot of those inventions date from the era when printing presses were
> large and heavy and only found in print shops.  The US is unusual in
> that you can get your checks printed anywhere, rather than getting
> them from your bank, which rules out most of the techniques unless
> you're planning to licence check printers.
> 

I think most consumers in the U.S. get their checks from check printing firms and I believe they generally include standard security features as described here  https://www.4checks.com/service/service.aspx?pageCode=8 <https://www.4checks.com/service/service.aspx?pageCode=8> The most recent batch of checks I got a couple of weeks ago has the lock and MP logo and security features listed on the back as that page mentions, including a signature line that is microprinted. (I never noticed that before.) 

> Back in 2004, the Check 21 act allowed banks to scan paper checks and
> process the images, rather than returning the physical paper, known in
> the biz as check truncation.  For recipient banks that couldn't handle
> image files they printed them out in a form called a substitute check,
> but I haven't seen one of those for years.  As you note, a lot of
> checks are now truncated before they get to the bank, by phone apps,
> bank websites (one of mine lets me upload scanned images), and point
> of sale terminals which as often as not scan your check and the clerk
> gives it back to you.
> 
> If the check's going to be scanned, most of the anti-forgery
> techniques are pointless, since a scanner can't tell nice paper with a
> hologram from something you just printed on your deskjet.

The Check 21 Act says (Sec. 4 b) "A substitute check shall be the legal equivalent of the original check for all purposes, including any provision of any Federal or State law, and for all persons if the substitute check—
(1) accurately represents all of the information on the front and back of the original check as of the time the original check was truncated; …”

That arguably includes any exposed security features. In several places (e.g. SE 7aiD) act talks about the banks "production of the original check or a better copy of the original check” to verify a claim.

If the original check is scanned by the bank, more gross features like “brown stains and colored spots” that indicate chemical tampering could show up on a high quality scan. On the other hand if a criminal can simply scan his Photoshopped forgery at relatively low resolution, the check security features indeed become useless.

And even if the banks don’t keep the original, at least if the original check is physically deposited in a bank, it will be safely destroyed instead of staying in someone file cabinet forever after being scanned by the payee.

> 
> The real security in checks is that they can be repudiated, sort of
> like credit card transactions.  If you see a bogus check on your
> statement, you can challenge it, and there's a bunch of stuff in
> the UCC about what happens then.

That assumes consumers review their bank statements regularly. I suspect few do. I’d at least like to see a system where I get an e-mail every time one of my checks clear.

Arnold Reinhold
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151001/75f5e58e/attachment.html>

More information about the cryptography mailing list