Slashdot Mirror


Fixing Security Through Obscurity?

LineNoiz asks: "I work as a junior developer at a small company that sells check printing software. One of my company's favorite things to tell customers is how secure our product is and how it will reduce check fraud (we even sell check fraud insurance). I cringe every time I hear them say it, because I know that it is 'secure' only because of its relative obscurity. I personally know very little about security, and really have no idea what it would take to make our product secure. All I really know is that this is a problem waiting to happen. How can I convince my managers that our security is nothing to brag about? How can I convince them to spend the time and money to make it secure? Where can I myself go to learn more about security and what it would take to make/keep it secure?"


  1. Hmmmm.... by zulux · Score: 5, Funny

    You're an underpaid jr. developer....

    Your company makes check writing software.....

    You want to show them that their software is insecure....

    You're poor. They have checks. Things are insecure.....

    Hmm....

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  2. Re:convincing the managers by innosent · Score: 5, Informative

    What exactly is ever secure about a check? He says it's a check printing company, so what could possibly be secure about it? You can order printable checks from just about anywhere, with all the "security" features on them, get a MICR toner cartridge (if you even care when the bank complains about having to hand-enter your checks because they're not magnetic), and print all the checks you want. This is probably just some kid who's finally figured out how banks operate.

    "Security" features on checks usually are only to prevent someone from photocopying the check, and do nothing to stop someone with a box of checks and a laser printer. No matter what you do while printing the check, checks are not secure. Most businesses print their checks, and print them in the same manner as I just described, and there is nothing that can be done about it, because banks will cash any valid check, which means only that the account number and signature must match their records (you could write the information on a napkin and the bank would take it, it is a valid check), and banks will rarely flag a check for a bad signature.

    If someone gets one of your "secure" checks from a client of this guy's company, orders a box of checks from them, and prints checks, then even the client may not realize that they didn't write the check. That's how checks are, deal with it. If you don't trust the person you're writing a check to, don't use a check, it's just that simple. By the way, it is amazing to me how the banks always say "don't give out your account information to anyone" (and no, I'm not talking about PINs) when it's printed on every check. The only thing worth making "secure" (as in unable to be scanned/photocopied) about a check is the signature line, and very few companies do this, since the only effective means I know of to do this requires a color laser printer and an electronic signature image. (red/black printing scheme, etc).

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.