It would be music to any non-profit organization?s ears: an unexpected $1,000 donation. But the offer came with dirty strings attached, and the surprise donation to California-based Urban Age Institute was hardly a gift at all. Instead, it placed the organization right in the middle of an extensive ? but elegantly simple ? worldwide scam.
Within days, $10,000 worth of checks were written against the non-profit's accounts and cashed by a woman in Georgia. She in turn wired money to Nigeria. The incident left the organization's leaders wondering: Is it that easy to raid anyone's checking account? The answer, according to banking experts interviewed for this story, is yes.
Armed with just a checking account number and bank routing number, criminals can create checks at whim, experts and law enforcement authorities say. In fact, as the Urban Age Institute found out, at least one Internet site makes the process even easier. All the fraudulent checks drawn on the organization's checking account were printed and mailed by Qchex.com, a Web site whose stated aims are to make sending and e-mailing check payments easy for anyone connected to the Internet.
"The scope of the problem is potentially breathtaking," said Mary McNamara, who helps run the Urban Age Institute with her husband Gordon Feller.
At Qchex.com, users who sign up to print checks must provide only a working e-mail address. No other attempt is made to verify their identity. In fact, the site urges people to register their checking accounts at Qchex before someone else does.
James Danforth, chief operating officer of Neovi Data Corp., which owns Qchex.com, said that while some fraud has occurred at the site, it is no more common than fraud at other Internet payment services such as eBay's PayPal. Qchex is largely used by legitimate businesses looking for a low-cost way to send money and make payments, he said.
The demand-draft dilemma
At the center of the controversy is a little-known system for cashing checks called demand drafts. Most consumers presume that checks must be signed by an authorized account holder. That's ordinarily true, but not in the case of so-called "demand drafts." These look just like checks, but indicate "signature not required" or a similar message in the authorized signature area. And generally, banks cash them just like valid, signed checks.
Demand drafts were designed to accommodate legitimate telemarketers who receive authorization from consumers to take money out of their checking accounts. But the potential for abuse is high. Not only do they not require a signature, but they require no action by the checking account holder.
What's needed to create a demand draft? Simply the account number and bank routing number ? information found on every single check. Write a check to your 12-year-old babysitter, and she has all the information she would need to clean out your account.
Demand drafts, also known as "remotely created checks," have become such an attractive target for criminals of late that the Federal Reserve in February proposed a new set of rules to govern them. And the National Association of Attorneys General last month called on the Fed to place an outright ban on demand drafts, citing increased fraud.
"The fact that a stranger can pull money out of a person's bank account using only the numbers at the bottom of his or her check is not commonly understood," the group wrote to the Fed, commenting on the proposed rules change. "Complaints about unauthorized bank debits are believed to be grossly underreported, perhaps because of the lack of public awareness of this type of bank account vulnerability."
The comment period on the new Fed rule ended May 3. If adopted by the board of governors, the new rules would make demand drafts similar to electronic transfers, giving consumers uniform rights to demand refunds and putting additional burdens on the bank that cashes the check to verify its authenticity
. . .
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)
Discussion Intel current and future Lakes & Rapids thread
Facebook
Twitter