[Cryptography] Paper check security

Jerry Leichter leichter at lrw.com
Thu Oct 1 23:00:55 EDT 2015


> ...The issue with published images of checks has already caused individual
> bank account owners problems.  These are uncommon but real. Massive breaches
> that disclose many images would prove difficult at best to contain.
Just what novel issues are involved here?  What's written on a check has never been secret:  You obviously hand it over to anyone you give a check to.  So the security of the system could never rely on the secrecy of any of that stuff.

The physical validators of valid checks - which have grown much more sophisticated recently, just as paper checks are in the process of dying - are funny things.  Consider:  If I try to deposit a check made out to me, in general, my bank *has no way of knowing what physical validators should actually be present*.  Only the party that creates the checks knows what it's put there, and they vary greatly.  Oh, it says on the check what validators are supposed to be there ... but if I produce a fake check, I'll obviously put in whatever validators I want and write on the check that those are exactly the ones that should be there.

A check is an order from Alice to her bank to deliver money to Bob.  The security of the system has always been based on the bank not delivering the money until it has some assurance from Alice that, indeed, this is a valid order.  In theory, in the old days, the bank could check Alice's signature on the check against the signature card on file.  In practice ... that was almost never done.  Today, the vast majority of checks are computer-generated and have no useful signature anyway.  They are "truncated" - photographed and destroyed - without anyone being in a position to check all the fancy watermarks, microprinting, and other neat paper security features.

What the system *really* works on is trust - and closed loops.  The bank won't deliver money to Bob unless it feels it knows who Bob is, and how to find him and get the money back should Alice later complain that the check the bank accepted was not one she wrote.  In the old days, you or I only got informed about checks the bank acted on at the end of the month - but now I signed up for, and get, alerts for any check over some small limit.  Large organizations undoubtedly get the same services, presumably delivered in some standard machine-readable form so that they can match notifications to checks they know they sent out and stop bogus checks immediately.  (Note that putting the money into Bob's account - but not letting him take it out of the system as cash - doesn't put anyone at much risk:  The bank can always take it back.)

The system is hardly without risks, but it's not clear they are worse today than they've been historically.  But the protection isn't on the paper checks, which are barely needed any more - and never has been.
                                                        -- Jerry
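
Added example, not part of the original message: a sketch of the closed loop the post describes, in which an issuer matches the bank's notifications of presented checks against its own register of checks it wrote and flags the rest to be stopped. The record fields, verdict strings and sample data are assumptions constructed for illustration; the post does not specify any notification format.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal

def reconcile(issued, presented):
    """Compare bank notifications against the issuer's own register.

    Returns (check_number, verdict) pairs in presentment order. The
    decision uses only what the issuer knows it sent out, never any
    physical feature of the paper.
    """
    register = {c.number: c for c in issued}
    seen = set()
    results = []
    for p in presented:
        known = register.get(p.number)
        if known is None:
            verdict = "STOP: not issued"
        elif p.number in seen:
            verdict = "STOP: duplicate presentment"
        elif p.amount != known.amount:
            verdict = "STOP: amount altered"
        elif p.payee.strip().lower() != known.payee.strip().lower():
            verdict = "STOP: payee altered"
        else:
            verdict = "PAY"
        seen.add(p.number)
        results.append((p.number, verdict))
    return results

# Constructed sample data (hypothetical issuer register and bank feed).
ISSUED = [
    Check("1001", "Bob Smith", Decimal("250.00")),
    Check("1002", "Acme Supply", Decimal("1200.00")),
    Check("1003", "Carol Jones", Decimal("75.50")),
]
PRESENTED = [
    Check("1001", "Bob Smith", Decimal("250.00")),     # matches register
    Check("1002", "Acme Supply", Decimal("9200.00")),  # amount differs
    Check("1003", "Mallory Ltd", Decimal("75.50")),    # payee differs
    Check("1001", "Bob Smith", Decimal("250.00")),     # presented twice
    Check("4242", "Bob Smith", Decimal("500.00")),     # never issued
]

if __name__ == "__main__":
    for number, verdict in reconcile(ISSUED, PRESENTED):
        print(number, verdict)
```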
