Want to hack someone's bank account? You might think it takes a sophisticated knowledge of computer security or maybe a tie with the Russian computer mafia. It doesn't.
All you need is a perfectly legal check writing application that costs $14.95, a laser printer and a fake I.D. How do I know? I was hacked recently, and it isn't fun. I've learned how shockingly easy, and surprisingly low-tech, forgery has become. And I've also learned that an alert bank employee paying attention to her job could be the best defense money can buy.
My brush with white-collar crime began with a phone call a few weeks ago. An employee at a local branch of the Bank of America here in San Francisco wanted to know if I'd written a check for $438 to someone named Ana Gonzalez. Who? No, I hadn't. I'd never heard of Ana Gonzalez.
So Kelly, an assistant manager, said she'd become suspicious because "Ana" had offered a so-called VersaCheck, and those are a red flag for forgery. It turns out that VersaCheck isn't quite the right description. What she meant was a check produced by check writing software. Because VersaCheck is a well-known name, some people use it the way Kleenex is used to describe a tissue. There are many check writing applications available; simply do a quick Web search and you'll find lots of them.
Kelly -- I'm not using her last name because my interactions with her had nothing to do with my being a journalist, and it's not kosher to put her name out without getting permission from her and the bank -- questioned Ana and even made her put a thumbprint on the check. And when Ana's answers and nervous manner confirmed her suspicions, Kelly refused to cash it and kept it.
The next day, I got a similar call from a bank employee at a different Bank of America branch. Same story, different name on the check. Also not accepted. Now, I'm getting alarmed. I obtained photocopies of the checks and noticed that they were numbered in sequence with the last couple of checks I had written, and even worse, both had signatures that looked a lot like mine.
The checks had my correct address in the upper left-hand corner, and the correct series of numbers and symbols representing my BofA account across the bottom. But these weren't stolen checks. They lacked the rather elaborate design the bank puts on its checks, which is why they were obviously produced using check-writing software.
Forgery Made Easy
JustChecking costs $14.95 and is a quick download. With it, and a related package of printer fonts you can get for free, it's simple to print a check including the account information you'll see across the bottom of a check. Those symbols are standard, and they include a bank's routing number, your account number and the number of the check. And many office supply stores sell blank check paper to use in a laser printer.
What about a signature? No problem. Here are the instructions that came with my download of JustChecking: "To add your signature, you need to scan a signature and get it the right size. Save it as a JPG or BMP. Then in Just Checking click Print, Design Checks, click Edit. Tab to the empty rectangle in the lower right. Once it has the focus, double-click it to pick your signature file."
Whoever forged my checks probably did just that.
I have no idea if JustChecking was the software used by those creeps, and I have not been able to reach the company that developed and sells it for a comment. There are lots of programs just like it, and few of the companies who produce them do anything to stop the use of their products by criminals. However, it's important to note that many businesses use this type of software to save money by printing their own, perfectly legitimate checks.
I contacted a number of other companies that sell check writing software. Only one told me they were aware of the potential for abuse of their product and took steps to reduce the risk. Others either ignored my questions, or said the issue wasn't their problem.
Diann Bertsch is a senior product manager for Greatland, the company that developed and sells CheckLaunch, an add-on to QuickBooks, the popular small business accounting package. Like other products, CheckLaunch allows users to produce their own checks. But unlike other companies, Greatland has taken steps to stop counterfeiting by users of the program.
"When we get an order we put it on hold until we are able to ascertain that it is from a legitimate business," Bertsch told me. Greatland staffers will look for the customer's Web site, e-mail or even call until they're satisfied. Faced with that screening process, some potential buyers simply cancel their orders and disappear, she said.
More typical, though, was my discussion with Ryan Smith, who manages CheckSoft software for Avanquest USA. He says counterfeiting is a problem he hears about from time to time, but not very often. CheckSoft has check-creating capability built in, and he acknowledged that it could be abused. Smith's advice: Sign up for a credit monitoring service.
Stay Safe, Go Paperless
Law enforcement officials are well aware of the potential to abuse these programs. "It's not at all an uncommon crime," said Inspector Marty Dito, a detective with the San Francisco Police Department.
I met Dito during Act II of my white collar drama. While I was still coping with the Bank of America issue, another bank called me inquiring about suspicious checks, this time a pair of convenience checks from a credit card company for $3,000. The person who attempted to pass them was arrested on the spot. The bank was suspicious because he had opened an account the previous day with one of the checks, and came back the next day and attempted to cash a second check that was significantly larger.
Was there a link between the two events? Dito thinks there was. It appears that someone probably stole documents from my mailbox, a common occurrence in San Francisco. Rather than breaking in, which obviously alerts the resident, thieves manage to obtain copies of keys, and open the box when no one is home. The police told me a copy of the key that the post office carrier uses was likely stolen. As for the convenience checks, I never knew they had been stolen, because I never knew they had been sent. The crooks may have also stolen a bank statement from me, which is why they would have known the sequence of the checks and seen my signature.
The man arrested for passing the bad checks may or may not have been the person who stole the convenience checks and my bank statement, Dito said. The thief may well have sold that information to another criminal. In any case, the suspect is awaiting trial on misdemeanor charges.
What have I learned and what have I done to avoid a repetition?
No more convenience checks. I told each of my credit card companies to stop sending them.
No more paper bank statements and cancelled checks in the mail. I also closed and then reopened my checking account with a new number.
I don't think there was any computer hacking involved, but just in case, I've changed and strengthened the passwords on all of my online accounts.
I've learned that bank employees, many of whom are underpaid and often the target of angry complaints directed at policies they have no control over, are nevertheless a safeguard against low-level financial fraud and they deserve recognition. Because of responsible bank tellers, my check scam was cut short and I was reimbursed for any losses.
On the other hand, it's disappointing to see the lack of responsibility on the part of some software developers and distributors. It's not their fault that their products are abused, but it is their fault that they ignore the counterfeiting problem and take no steps to stop it.
San Francisco journalist Bill Snyder writes frequently about business and technology.