Shostack + Friends Blog Archive


Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated Clearing House (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that this was inconceivable (yeah, yeah [link no longer works]), and he must be misunderstanding. He assured me that no, he was right, and that the reason they ran this way was because it was cheaper, and because only trustworthy people could get ACH merchant accounts.

Fast forward a few years, to a fellow who sends out cheques for bugs:

Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks. A criminal who sees the numbers that are printed at the bottom of any check that you write can use that information to withdraw all the money from your account. He or she can do this in various ways, without even knowing your name — for example by creating an ATM card, or by impersonating a bank in some country of the world where safeguards are minimal, or by printing a document that looks like a check. The account number and routing information are all that international financial institutions look at before deciding to transfer funds from one account to another. (Donald Knuth, “Financial Fiasco.”)

4 comments on "Checking in on the Security of Chequing"

  • tim says:

    I argued with him that this was inconceivable

    I’m surprised you are surprised. The majority of banking transactions, in general, are not all that sophisticated … It’s no surprise that attacks have increased… Wait until you learn how ATM transactions work…
    (haven’t written more than two checks a year for the last 10 years – one to the federal government and one to the state government)

  • Student says:

    I think there is a very simple explanation for this. The security model of the banks has considered traceability more important than integrity. If somebody manages to do an illegal money transfer you know where the money has gone (so you can get it back) and you know which bank is responsible for it. This is more important than using a complex system to authenticate transfers.
    Actually this works quite well, for the simple reason that a bank abusing this system risks quickly being removed from the market as the other banks stop trading with it.
    However, I don’t think checks ever were a good idea and there are no real reasons to use them today.

  • Gunnar says:

    Maybe the name “automated clearing” as opposed to say “automated verification” should have been a tip-off that the circa late 19th century system is none too resilient.

  • J. Oquendo says:

    Back in 1991 – 1993 I worked for then Chemical Bank (now JP Morgan Chase+Whoever_Else_We_Bought) in the forgery department of Accounts Reconciliation (55 Water Street NYC ;)) Anyway… I’d moved over from another department and was so excited as I thought I’d be doing something extremely fulfilling…
    It was only later that I learned that investigations meant filling out and faxing paperwork to the Dept. of Treasury. No investigations were done; colleagues looked quickly at a signature (“matches… doesn’t match”), filled out the paperwork, let’s go play celo now (not kidding).
    We’d like to believe that there is some uber-secure mechanism for banks and there isn’t. I’m almost sure they forgot to mention along with src, dst there is also either the ISO 9362 or 13616 codes… But those are just as simple to snag:
