7

I'm not sure if this is standard practice in all banking institutions, but at almost all banks where I've received checks, the account number of the issuer is exposed (some even the account name). Isn't this information considered confidential? If not, then disregard this question.

If yes, then it makes me wonder why banks blatantly expose the account number/name of the issuer in checks? Would it be a good practice if they at least hash the account name and number before they print it in the checks you will issue?

IMB
  • 4
    No, account numbers are public information, they are like an address. – ewanm89 Apr 24 '12 at 10:59
  • @ewanm89 - some of the comments here raise valid points, especially phishing http://www.linkedin.com/answers/finance-accounting/financial-regulation/FIN_FRG/976463-112900435 – IMB Apr 24 '12 at 12:20
  • I never said banks weren't stupid and didn't fail big time at authentication. But an account number is not any form of authentication just as an email address, username, house address telephone number isn't. It's an address, a pointer to an end point, it should be considered public information, after all if I'm your employer and just want to send you some money (pay packet) I would need it. I've seen businesses have their account numbers in their letterheads... – ewanm89 Apr 24 '12 at 12:30
  • 1
    @ewanm89 You are right, but those who are willing to share their account numbers on letterheads probably know the risks involved. However, the average person doesn't. The check is a piece of paper that can be lost in the street with your name and account number on it. And you have no other way to protect it when a phisher picks it up and decides to get creative with the information he gained. Clearly this is a banking authentication failure. – IMB Apr 24 '12 at 12:44
  • 1
    The bank ABA, Account Number and Check number are printed in MICR magnetic ink across the bottom of the check. They are not for authentication purposes, but are intended to be read by an automated check reader for speed of processing. The authentication USED to be the Payer signature on the front and Payee endorsement signature and directive for deposit on the back of the check, but I don't really see anyone really checking these anymore. As to the name, you're supposed to sign the check, eh? – Fiasco Labs Apr 24 '12 at 14:53
  • @FiascoLabs As mentioned, there are some checks that have the printed name of the holder by default. I think that's unnecessary. Actually even the account holder's signature is a security risk if it's the same signature you use with another savings account (one that's not meant for issuing checks, usually with a lot more money in it). IMO you should have two different signatures for checking account (public) and savings account (only you and the banker know). – IMB Apr 24 '12 at 15:04
  • Two different signatures. Signing your name two different ways? Hmm... Sounds like you need to start up a new banking system that takes these ideas into account. – Fiasco Labs Apr 24 '12 at 19:27
  • @FiascoLabs Yes, that would be best practice, just like using different passwords for your Email and your Facebook/Stackexchange/etc. It will prevent a signature copier from stealing all your bank accounts since they all have different signatures. – IMB Apr 24 '12 at 20:13
  • Bah, don't know about you, but my signature is different every time I write it anyway. – ewanm89 Apr 25 '12 at 01:45
  • @IMB - Stop trying to find a flaw in a system that has worked without issues (only minor ones) for decades. – Ramhound Apr 25 '12 at 11:56
  • @Ramhound Sometime ago, my Paypal account was hacked because my name and my bank account was known by someone else pretending to be me. He made a call/emailed Paypal pretending to be me, that's how he got in. I was able to reverse everything but still it caused me time and money. That's why I think bank accounts are very sensitive information. – IMB Apr 27 '12 at 06:09

4 Answers

9

Going to have another go at this one, to try and address the many excellent comments...

A cheque is an instruction to a bank to take money from Alice's account and give it to Bob. In order to act on it, the bank need to know Alice's account details; they must be written on the cheque in some form when it arrives for clearing.

A pre-printed cheque in Alice's cheque book happens to have her account number already written on it, purely for convenience sake, in both human and machine readable forms.

@IMB first asks if this is a vulnerability, since if Eve gets hold of a cheque, she can read the account details off it and use them in an attack. The answer is yes, it is a vulnerability.

Then @IMB asks if hashing the account details would be a good control. I suspect they actually mean encrypting, rather than hashing, as cryptographic hashing is a rather specific technical term that doesn't quite apply here, but you get the picture. The answer is also yes, if done carefully, encrypting the account number (with a suitable nonce added) would largely prevent Eve using the account information.

Lastly @IMB asks why don't the banks do it then? Well, as with every security control, you have to measure the cost of using it against the impact of a failure in order to decide if you should implement it or not.

I think the main cost is that humans could no longer read the whole cheque. That doesn't sound like a problem in these days of ubiquitous computing, but banks are conservative and old fashioned and they are particularly fond of having human audit processes. They like a manager being able to pull a cheque at random every day and double-check how it was processed. They like being able to pull a physical piece of paper out and wave it at a customer and say "No, we didn't make a mistake."

Additional costs are that it adds overhead to the cheque clearing process (and customers already hate how long that takes), that you no longer have a backup if the machine readable part of a cheque is damaged, and I suppose you might run into regulatory difficulties about the legal definition of a cheque.

The risks, on the other hand, are not huge, because the banks have other controls in place. They authenticate people before allowing them to remove money, and require more than just account numbers to easily withdraw money. They use various technical methods to prevent Eve printing cheques with Alice's details on. They have insurance to cover any losses. They monitor account activity for suspicious transactions.

One last thing to consider: Alice has to tell her account details to quite a lot of people anyway: her employer (so she gets paid), the tax man, the water company (for direct debits) and so on. And she has to embed it in her debit card. And the bank have to print it on her statements... So Eve has many other ways to get this information.

In the end, the banks have weighed the costs and the risks and concluded it's just not worth it - especially considering the decline in use of cheques. Last time I tried to pay for something in a store by cheque they had to get the manager because none of the sales assistants had seen one before except in movies.

Graham Hill
  • 1
    Why not by hashing? Because hashing is a way for Alice to prove to Bob that she has a piece of information that *Bob already has*, without passing the information over an insecure channel. It's no use when Alice has a piece of information that Bob doesn't have, and she needs to get it to him, which is the case here. – Graham Hill Apr 24 '12 at 11:09
  • I do not see any need for 100% manual processing since it involves computers no matter what. I also do not think hashing (or encryption) will add any significant load since it will only compare hashes between your check and what's already stored on the bank's server. I think it is a good way to hide the original account number and account holder from plain sight. I believe this convenience of printing the information blatantly can lead to identity theft/phishing. – IMB Apr 24 '12 at 12:33
  • @IMB - It used to not involve computers, a bank employee used to process the check by hand, and deduct it from your account by hand (alright, so they used software to do this) but it was all done by humans. Checks have worked the same way for years; it was only in the digital age that identity theft became a problem. – Ramhound Apr 24 '12 at 13:08
  • @Ramhound You are right. So I guess it's safe to say the whole banking system is up for a revamp. – IMB Apr 24 '12 at 13:11
  • 1
    @GrahamHill Your bank already knows your account number. – David Schwartz Apr 24 '12 at 15:06
  • It used to be that they were all around a circular counter with 1 clerk from each bank on each side, they one would go around while the other would be waiting for the clerks from the other banks. This was called a clearing house. Stupidly the computers still use this very centralized model on a very distributed network. – ewanm89 Apr 24 '12 at 17:36
  • @GrahamHill, that's not the fundamental problem with hashing the account number (as David Schwartz explains). The problem with printing a hashed account number on checks is that doing so would just make the hashed account number the new "effective account number": someone who knows the hashed account number would still be able to print forged checks. So hashing the account number might be feasible, given sufficient changes to the banking infrastructure, but it wouldn't really help. – D.W. Apr 24 '12 at 22:56
  • @IMB - I would say this is the exact reason it means a "revamp" is NOT required. The current system works, it has problems that can be solved, your mailing address and full name are NOT PUBLIC information. Just having your account number and routing number does not give you the ability to use said account. Bank fraud is a federal offense for a reason, there are federal protections for a reason, crimes surrounding banking are one of the main reasons the FBI was even formed. – Ramhound Apr 25 '12 at 11:58
  • 1
    @D.W.: If the hashed account number were different for each check number ... – David Schwartz Apr 26 '12 at 10:45
  • @DavidSchwartz That would really be nice to have. – IMB Apr 27 '12 at 06:04
  • I agree that this system somewhat works but sometime ago my Paypal was hacked simply because the attacker knew my bank account and a bunch of other personal details. He never knew my password but he pretended to be me and called/emailed Paypal. Even though Paypal never revealed how the hacker got in, I suspect Paypal verified his calls and the attacker presented valid information and that includes my bank account. Lesson learned here is keep your bank account secret or at least use a different bank account for Paypal. – IMB Apr 27 '12 at 06:16
  • Wasting resources on securing a method of payment that will be disappearing soon. That pretty much sums it up. We have about 20 check transactions per thousand sales. – Fiasco Labs May 06 '12 at 18:05
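An added example (not code from any poster in this thread) contrasting the two ideas raised in the comments above: a plain hash of the account number, which is the same on every cheque and so becomes the new "effective account number", and an identifier that differs for each cheque number. The HMAC construction, the bank-side table of issued tokens, and all names, keys and numbers are assumptions made for illustration.

```python
import hashlib
import hmac

BANK_KEY = b"constructed-demo-key"   # constructed; a real key would live in an HSM


def static_id(account: str) -> str:
    """Plain hash of the account number: identical on every cheque."""
    return hashlib.sha256(account.encode()).hexdigest()[:16]


def cheque_token(key: bytes, account: str, cheque_no: int) -> str:
    """Keyed, per-cheque identifier: HMAC over account number and cheque number."""
    msg = f"{account}|{cheque_no}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.issued = {}      # token -> (account, cheque_no), filled at printing time
        self.presented = set()

    def issue_book(self, account: str, first_no: int, count: int) -> list:
        tokens = []
        for n in range(first_no, first_no + count):
            token = cheque_token(self.key, account, n)
            self.issued[token] = (account, n)
            tokens.append(token)
        return tokens

    def clear(self, token: str, cheque_no: int) -> str:
        entry = self.issued.get(token)
        if entry is None or entry[1] != cheque_no:
            return "rejected: token not issued for this cheque"
        if token in self.presented:
            return "rejected: already presented"
        self.presented.add(token)
        return f"debit {entry[0]}"


if __name__ == "__main__":
    account = "12345678"                      # constructed account number
    # Static hash: the value seen on one cheque is the value on all of them.
    print(static_id(account) == static_id(account))
    bank = Bank(BANK_KEY)
    t101, t102 = bank.issue_book(account, 101, 2)
    print(bank.clear(t101, 101))              # genuine cheque 101
    print(bank.clear(t101, 101))              # same token presented again
    print(bank.clear(t101, 102))              # token copied onto another cheque number
```

The issuing bank resolves a token to an account through its own table, so the account number never needs to be readable from the paper; signatures, amounts and the clearing network itself are not modelled.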
3

Yes. Printing the routing and account number on checks does incur some risk, though it's probably an acceptable risk:

  • Generally speaking, the routing and account number is not enough to steal money from your account, in practice, due to the likelihood that any attempt at theft will be caught and reversed.

    That said, the system relies upon deterrence, not prevention. Someone who knows the routing and account number for your bank account might be able to withdraw money from your account without your authorization. They might get caught, and the unauthorized transaction might get reversed, but it is a security risk.

    As proof of this, consider the fact that there are some merchants who will let you pay by phone using an "electronic check". If you've never used that, here's how it works: you call them up, tell them the routing code and account number for your checking account, tell them the amount of the payment you want to make, and then they basically create a "forged" check with this information and get paid. (Understand that it is not actually forged, since it is done with your authorization.) It shows up on your bank account statement as an electronic withdrawal or check payment. How is this legal, you might be wondering? It is legal, because it is done with your consent. But that's not the point. The point is that the only information needed to make this happen is the routing code and account number. If an honest merchant can do this, then so can a dishonest merchant. There are likely to be limits on who has access to do that in an electronic and automated fashion; someone who does so without your authorization will probably get caught, if they do it to a bunch of people and the victims complain to their bank; in short, deterrence might be reasonably effective in practice; but there is nothing that absolutely prevents it. The check-clearing infrastructure has certain inherent vulnerabilities, sad to say.

A second risk is that someone who knows the account number of your checking account can likely learn the balance in your account. See my explanation for how this can happen (short version: it involves exploiting merchant check verification systems, which are made available by banks and are insecure by design).

These risks are inherent to the current checking system. There's not a lot you can do about it. You can close the confidentiality hole, if you care enough, but you can't fix the other risks.

As a general rule of thumb, it is probably best not to share your bank account number with anyone who doesn't need it (e.g., to receive a payment from you).

All of this is discussed in detail in the following question on the Personal Finance and Money Stack Exchange site: Can't the account information on my checks be easily used for fraud?. See also Can someone steal money from my bank account if they know my IBAN and personal details? on this site for a detailed explanation of how someone can withdraw money from your account, if they know your routing and account number. See especially the case with Jeremy Clark.

D.W.
  • There are safeguards in place to prevent abuse with Electronic Banking Transaction (i.e. Electronic Checks (i.e. EBT) vs Debit Banking Transaction). I only use it to pay my rent and my truck loan. I am not sure saying they create a "forged" check is correct, it is more an electronic check your bank will accept, based on the fact you said "I want them to have my money". As you point out, there are still risks; honestly though, I don't believe there is a way to guarantee the identity of somebody using an electronic payment. – Ramhound Apr 25 '12 at 12:07
1

A different way to answer:

Checking account numbers and Credit Card numbers are an old way of doing things, both invented before the internet, computers, and auto-draft services were widespread. Both methods use a reusable password that you send everywhere. (OK, it's an account number, but it works)

The correct solution would be to replace checks, credit cards and debit cards with (preferably hand-held) computers that generate one-time passwords/certificates that only work for the agreed amount, using asymmetrical encryption.

This is why turning an Android into a payment device could be promising, it would effectively eliminate the problem of card swipe recorders. The question is, if/when will they use one-time certificates in the implementation?

Printed checks could have a QR code or similar on them with the one-time certificate I refer to.

Think of card readers and banks as gas stations, and checks and credit cards as cars. It is very expensive to support the next generation if nobody is using it yet.

P.S. I'm not a banking, financial, or security expert, just a programmer. :)

700 Software
  • Google Wallet has been tried (NFC), and security flaws have proven it's a flawed technology. I don't trust a device that communicates with my "wallet" wirelessly. While Google Wallet has fixed the last security flaw in their implementation, it has proven to me not to trust NFC in general. – Ramhound Apr 24 '12 at 13:11
  • 1
    Sure, the technology needs work, but I see this as a solution for the future, not necessarily Google Wallet on Android, but definitely a computer of some kind. **If** you actually have to tap something on your device before generating this encrypted approval, **then** the problem is on the road to elimination, **otherwise** the problem remains. (in my opinion) – 700 Software Apr 24 '12 at 13:54
  • 1
    Credit card companies don't want control level, they want the ability to blame the user for everything to get out of paying anything back while still taking their commission for the processing of the fraudulent transaction. – ewanm89 Apr 24 '12 at 17:40
  • @ewan, What I meant was they wanted the users to have the control level so the user doesn't lose their card number. I'm sure they want other stuff too, but specifically I was referring to who would receive monetary gain from replacing credit cards with computers. The amount of money lost by those companies related to CC fraud is staggering. – 700 Software Apr 24 '12 at 21:00
1

True, banks should implement some sort of hashing but:

  • fraudsters would figure out how to decrypt it anyways
  • would break every online check scanning biz
  • would break every bank procedure worldwide unless standards were introduced
  • banks don't like to change

If a fraudster can find out your account number, they can easily make a fake cheque and have a good chance of passing it off as the real thing if they can social engineer a signature out of you. Half the time banks don't even check a signature they just take the cheque and give you money if it was drawn on that bank.

Chequing should be obsolete, but I guess banks like to eat fraud.

Hendrik Brummermann
user18082
  • Credit Card fraud is a great deal more popular than checking fraud (besides the obvious crimes like writing bad checks). I would say the real problem is electronic payments. The old system of having to write a check for everything seems like it worked better. – Ramhound Apr 25 '12 at 12:01