Demand Drafts
May. 24th, 2005 10:37 am

It's amazing how trivial the security measures are on many of the systems we take for granted. People worry about the security of technical systems, like computer networks, but miss the glaring security flaws in the non-technical systems and business processes we use every day.
Case in point: many people are afraid to make a credit card payment online, for fear that someone will steal their credit card number via some technical voodoo that lets them eavesdrop on Internet traffic. However, these same people keep their money in checking accounts, and write checks. This is actually far more dangerous.
In the credit-card-on-the-Internet case, it's actually pretty hard to harvest credit card numbers on the Internet; they have to compromise either a.) a router between you and the business you're giving the card number to, or b.) the business itself. Not that these things are impossible -- they happen every day -- but they at least require effort. And if your card number is stolen, all you have to do is notify the credit card company within 30 days and you're not liable for any of the charges you didn't make. You're out nothing (legally they can charge you up to $50, but as a matter of policy no bank actually does.)
On the other hand, let's look at checking accounts. For someone to write a check out of your account, all they need is the routing number and account number. The routing number is the same for everyone at your bank, and your account number is written across the bottom of the check. With these two numbers, anyone can order a checkbook online in your name with your account numbers on it and write checks out of your account. Of course, the signatures wouldn't match, but who checks signatures? Not your bank. Anyone who sees one of your checks can order a real checkbook in your name with your account number on it.
And they can do one better -- demand drafts. Demand drafts are what are used whenever you pay something out of your checking account without writing an actual check -- basically, all those automatic bill pay services. They have no signature line. And what is required to issue them? Why, the routing number and account number, of course. You can even go to Qchex, an inexpensive web service, and issue demand drafts out of "your" account online, to anyone you'd like. I put "your" in quotes because of how they authenticate that the account is yours -- specifically, you have to supply the routing number and account number.
That's it.
No ID of any kind is required to write a check or issue a demand draft on anyone's account. No date of birth, no mother's maiden name, no social security number, no password; they don't even have to get your name right. And this isn't like a credit card where you're not liable for the loss -- because this isn't just a charge on a credit card that can be reversed, this is actual money taken out of your account. For your bank to give you the money back means they have to take the money out of their own pocket. Of course, your bank is liable provided you notify them within 24 hours (as opposed to 30 days for credit cards). Do you check your account balance daily? Of course not.
It's things like this that make me want to work in information security. For all the innovative technical security measures out there, we still just have so far to go.