Slashdot Mirror


Fraud Threat Halts Knuth's Hexadecimal-Dollar Checks

Barence writes "You may be aware of Donald Knuth, the creator of TeX and author of The Art of Computer Programming, who used to post checks to anyone who spotted an error in one of his books — one hexadecimal dollar, or $2.56. No one cashed them though. This blogger has two of them proudly on his wall, but the sad news is that modern day bank fraud has put a stop to Knuth's much-loved way of keeping his books free of errors." (Here's Knuth's own post about the sad change.)

25 of 323 comments

  1. This is getting old. by SatanicPuppy · · Score: 5, Insightful

    Checks and credit cards are absurdly easy to fake in the modern world. Banks need to get off their asses and roll out a new system... With the billion dollar bonuses that they keep giving themselves, I'm not too sympathetic of the cost.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:This is getting old. by Itninja · · Score: 5, Informative

      Regarding checks, with their watermarks, UV-readable text, and whatnot, I don't think they would fall under the category of 'absurdly easy to fake'. However, people are absurdly easy to fool. So the result is the same. And with credit cards, are you talking about making physical fake cards? Because that's not exactly something one can whip up with supplies from the local hardware store. Generating valid numbers however, along with a little social engineering, the same results can be had with little effort.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:This is getting old. by petermgreen · · Score: 4, Interesting

      And with credit cards, are you talking about making physical fake cards? Because that's not exactly something one can whip up with supplies from the local hardware store

      Afaict plastic card printers and magstripe writers are easy enough to get. Not a job for your local hardware store but plenty of places use ID cards that are very similar to credit cards so the printers are available. You would probably have to rig something up to do the embossing but that can't be terribly difficult.

      It's not a hardware store job but it's not out of reach of a reasonably organised criminal with a few thousand pounds to spend and a location to get stuff delivered to.

      Chip and pin cards are probably much harder to fake but at least here in the UK most places will still put a transaction through with a swipe and sign if chip and pin fails or the card does not have a chip.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    3. Re:This is getting old. by rcw-home · · Score: 4, Insightful

      Regarding checks, with their watermarks, UV-readable text, and whatnot, I don't think they would fall under the category of 'absurdly easy to fake'.

      Considering that you don't need to pass off a watermarked check to someone in real life to drain money from someone's account (you only need the account number and routing number off the check), yes, they absolutely are absurdly easy to fake.

      Also, there's no guarantee that when someone writes you a check that they have the funds to cover it, because it isn't processed right then and there. These two factors put together have led the vast majority of merchants to simply refuse checks today.

      There's absolutely no excuse for banks to not have rolled out a checking system that uses much larger one-time-use account numbers and allows merchants to verify that the check won't bounce. They've been twiddling their thumbs.

    4. Re:This is getting old. by Detritus · · Score: 4, Interesting

      All of those security features in paper checks are becoming worthless. I was standing in line at the grocery store, and the customer ahead of me wrote a check. The clerk fed the check into a document scanner built into the cash register, and returned the original check to the customer. Besides, banks are so automated that it's a rare occasion that a human ever looks at a check.

      --
      Mea navis aericumbens anguillis abundat
    5. Re:This is getting old. by Thundersnatch · · Score: 5, Informative

      any piece of stationery with mag ink at the bottom with bank a.b.a., account number, check number, will be accepted as check

      No, it most likely won't. What you say may have been true 10 or even 5 years ago, but is generally not true with modern check imaging systems. The "Check 21" legislation basically enabled all banks to move to electronic check image storage. Of course, they had to upgrade all of their imaging systems to recognize that cost savings, and these new systems are quite discerning, especially for higher-value checks. Manual inspection is required for most high-value checks, and even things like a changed paper stock or layout can be flagged for manual review.

      Also, nearly every company of reasonable size is required to implement positive pay, meaning they send a list of check numbers, dollar amounts, and payees to the bank before the checks are actually cut. So when you go to cash a fake check, the bank knows it is fake immediately. There are of course ways to get around this, especially with personal accounts (which usually do not offer positive pay), but check fraud is no longer as simple as portrayed in Catch Me If You Can.

      That said, check fraud still remains a major cost for banks, and believe it or not they are working hard to make it less possible. But there is as yet no "magic bullet" technology to replace paper checks. Chip-and-PIN, smartcards, etc. all suffer from different security and operational issues. They also cost a lot to implement worldwide, even after including the costs of paper check fraud. A paper check is fairly easily validated, can be sent through the mail, and requires no "secure" hardware terminals at every merchant.
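
The positive pay matching described in the comment above, sketched as an added example that is not part of the thread and not any bank's actual system. The class and field names and the sample issue file are hypothetical, and payee comparison is reduced to a case- and whitespace-insensitive match.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount: Decimal
    payee: str

def normalize_payee(name: str) -> str:
    # Compare payees case-insensitively and ignore extra whitespace.
    return " ".join(name.upper().split())

class PositivePayRegister:
    """Bank-side view of one account's issue file (hypothetical structure)."""

    def __init__(self, issued):
        self._issued = {c.number: c for c in issued}
        self._paid = set()  # check numbers already honoured

    def present(self, number, amount, payee):
        """Return (decision, reason) for one presented item."""
        item = self._issued.get(number)
        if item is None:
            return ("EXCEPTION", "check number not in issue file")
        if number in self._paid:
            return ("EXCEPTION", "duplicate presentment")
        if amount != item.amount:
            return ("EXCEPTION", "amount differs from issue file")
        if normalize_payee(payee) != normalize_payee(item.payee):
            return ("EXCEPTION", "payee differs from issue file")
        self._paid.add(number)
        return ("PAY", "matches issue file")

# Constructed sample issue file, sent to the bank before the checks go out.
ISSUE_FILE = [
    IssuedCheck(1001, Decimal("2.56"), "Alice Example"),
    IssuedCheck(1002, Decimal("5.12"), "Bob Example"),
]

def demo():
    reg = PositivePayRegister(ISSUE_FILE)
    presented = [
        (1001, Decimal("2.56"), "alice  example"),     # genuine item
        (1001, Decimal("2.56"), "Alice Example"),      # same check presented again
        (1002, Decimal("512.00"), "Bob Example"),      # altered amount
        (1002, Decimal("5.12"), "Mallory Example"),    # altered payee
        (4242, Decimal("900.00"), "Mallory Example"),  # never issued, valid MICR line
    ]
    return [reg.present(*p) for p in presented]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Items returned as EXCEPTION are the ones that would go to the account holder or a reviewer for a pay-or-return decision; a rejected item does not consume the check number, so the genuine check 1002 would still pay later.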

    6. Re:This is getting old. by Tmack · · Score: 5, Insightful

      There's absolutely no excuse for banks to not have rolled out a checking system that uses much larger one-time-use account numbers and allows merchants to verify that the check won't bounce. They've been twiddling their thumbs.

      ... and raking in the $$. They won't change their ways because each bounced check is an opportunity for them to collect lots of fees. At least $20 from the person trying to pass off the bad check, and another $20-30 from the account that got overdrawn. To top it off, once that account is overdrawn, they get those fees on Every withdrawal until they stop coming in. For fake checks, they will still charge your account for trying to pass off the bad check. To them, it's not broken, it's a source of revenue.

      tm

      --
      Support TBI Research: http://www.raisinhope.org
    7. Re:This is getting old. by Anonymous Coward · · Score: 5, Interesting

      Also, there's no guarantee that when someone writes you a check that they have the funds to cover it, because it isn't processed right then and there. These two factors put together have led the vast majority of merchants to simply refuse checks today.

      Many merchants who receive a lot of checks on a regular basis (and thus cannot afford to turn those customers away) are switching to instant check processing systems. We implemented one of these at an old job of mine. Basically, a scanning device reads the check, gets online, turns the check into a direct withdrawal (EFT) from the account instead, slaps a big VOID on the check, and the voided check is handed back to the customer, usually to their great surprise.

      Essentially, the check itself becomes useless, merely a carrier of account information. The scanned check image is stored, for verification purposes if it happens to be needed later. Initially, the system didn't do "instant" account checking, but that was added later, so that a bad check could be instantly spotted as such.

      On a side note, a year after we rolled these systems out at all locations, the number of checks we processed dropped by almost 75%, with a corresponding increase in credit/debit transactions. Once people figured out that writing the checks was essentially useless and that if they lacked the funds they would get an instant rejection while they were standing there basically holding a voided bad check in their hands, then they stopped trying.

      Turns out a surprising lot of our customers were basically relying on the float period, where they could write the check and not have it get into the system for a few days, giving them time to come up with the money. When that no longer worked, they stopped trying it. There was no decrease in sales, but since our bad check problems disappeared almost overnight, we had a major increase in profits.

    8. Re:This is getting old. by Anonymous Coward · · Score: 4, Insightful

      You know... I can't even recall seeing checks outside America since the 80s. The rest of the world uses cash, bank transfers and credit/debit cards. And we survive, without the costs and problems associated with a ridiculously broken check system.

      The question is not the cost of implementing chip-and-pin or smartcards worldwide, the question is the cost of getting America to upgrade from a payment system that was modern around 1800.

    9. Re:This is getting old. by scribblej · · Score: 4, Informative

      I work for a living designing systems that process checks and credit cards. I couldn't agree with you more; the aging bank standards are absolutely ridiculous in terms of security.

      What I don't see anyone pointing out (and what poor Knuth apparently doesn't know) is that these shortcomings have been somewhat mitigated in the rules for processors and merchants and banks. It's not a great solution, it's not even a good solution, but it's hardly the END OF THE WORLD that people seem to be claiming.

      You are probably all familiar with the fact that you have a maximum fraud liability on your credit card of $50, and in practice, you'll never be charged anything, not a penny, if someone uses your credit card for fraud. Simply call your bank, explain the situation, and they will issue chargebacks for any charges you did not authorize. You will in the chargebacks, and your money will be returned and you will not be one penny the poorer. (The merchant who accepted the credit card, on the other hand, gets royally screwed, but that's another story.)

      Well, the same is not true of written checks; you probably know you need to issue a 'stop payment' and your bank will likely charge you for that. But written checks aren't what people are freaking out about here, and do take quite a bit of effort to forge successfully (a lot less than cash, but still)... we're talking about ACH payment made through the NACHA system. i.e. "Electronic Checks." And there are very strict rules in place from the NACHA, you can order the book online if you feel like wasting a weekend reading the boringest stuff ever.

      The important part is this: You can dispute an ACH transaction just like you can a credit card transaction. Anyone who processes "electronic checks" is /required/ to allow up to 60 days for the customer to dispute a fraudulent ACH charge. And if you /do/ call in to dispute it, believe me, it's going to work out the exact same way as the online credit card purchase; you will get your money back and be no poorer (and the merchant will get fucked again!).

      So... everybody don't panic. Yes, the systems are horrible. No, they aren't changing around here anytime soon; all efforts are stupid or doomed to fail (e.g. VERIFIED BY VISA which is both). But the bottom line is, your money is safe. A simple call to your bank /will/ solve any problems with people making fraudulent electronic charges to your credit card or checking account. I guarantee it. If your bank gives you ANY hint of a problem with a chargeback drop them like a hot potato and go to a better bank. But they won't; I've never run into a situation where you as a consumer are going to have the slightest bit of trouble.

      If you're the merchant, on the other hand, you are well and truly fucked. Heh.

  2. Re:Forgive me by Enki X · · Score: 4, Informative

    Not if you define a dollar as a hundred pennies...

    --
    On second thought, let's not go to the internet. 'Tis a silly place.
  3. Re:Forgive me by Flying Scotsman · · Score: 5, Informative

    Think of a dollar as "100" cents. 0x100 cents = 256 (decimal) cents.

  4. New Bill by Ukab the Great · · Score: 5, Funny

    Obviously we must petition the United States Treasury to release a $2.56 bill with Don Knuth's face on it, which he can then autograph and send to the smarty pants who find errors in his book.

    1. Re:New Bill by Mr. Slippery · · Score: 5, Insightful

      didn't you know the USPS recommends you not send cash through the mail

      If Knuth is right, it's safer to send cash than a check. Intercept cash, you only get that amount; intercept a check, and you can drain my whole checking account.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    2. Re:New Bill by MasterOfMagic · · Score: 4, Informative

      The right way is a money order. The USPS actually issues money orders for this very purpose, and they charge only a very nominal fee on top of it.

  5. Re:Forgive me by Enki X · · Score: 5, Funny

    I am ashamed

    --
    On second thought, let's not go to the internet. 'Tis a silly place.
  6. Shift left by 1 by FourthAge · · Score: 4, Informative

    Actually, don't the cheques start at $2.56, and then shift left by 1 as each error is found, up to a maximum of $327.68? (It's wise of Knuth to put a cap on it.. you might be tempted to cash a cheque worth (164)*$0.01..)

    --
    The tao of democracy: the government you can vote for is not the real government.
    1. Re:Shift left by 1 by Sloppy · · Score: 4, Funny

      Actually, don't the cheques start at $2.56, and then shift left by 1 as each error is found, up to a maximum of $327.68?

      Unfortunately there was a bug in Knuth's check writing program, and the last person received a check for the amount of "one carry bit, set."

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  7. paranoia much by Speare · · Score: 4, Interesting

    First, the blurb is very misleading. I took from it that the bank yelled at the use of the phrase "one hexadecimal dollar" which no banker would understand how to equate to the digits, $2.56. Since it's the text that wins in most audited disputes about amounts, that's a problem.

    He's just paranoid about the MICR routing numbers, and how banks are not secure. This has not changed, and is not at all particular to him. It is odd that he's had multiple attacks while I've had zero, since he claims the attack is entirely despite any knowledge of the account holder's name or wealth.

    Pseudocode: // I was going to write this in WEB but fuck that

    • Set up an independent "Knuth's Mistake Fund" checking account.
    • If a mistake is found, deposit $2.56 and send paper check, valid within 30 days
    • If a month goes by and the guy didn't cash it, withdraw $2.56 and void the check.
      (Mistake-finder framed the check for his wall.)
    --
    [ .sig file not found ]
    1. Re:paranoia much by marcosdumay · · Score: 5, Insightful

      "It is odd that he's had multiple attacks while I've had zero..."

      No, it's not odd at all. I guess that if people did go around showing your checks to everybody they meet or maybe even posting them to the web, you'd have plenty of attacks too. Instead, people probably choose to cash your checks, so you don't have this problem.

  8. Re:Forgive me by Anonymous Coward · · Score: 5, Insightful

    AAAAAAAAAAAAAH!!!!!
    It's a joke dollar and Knuth gets to designate what a hexadecimal dollar is since HE's writing the checks!!!

    Leave it alone already!!!

  9. The retardation of the financial sector by 0xdeadbeef · · Score: 5, Insightful

    We should make every suit at every financial institution in this country write a thousand times on a blackboard:

    An identifier is not a shared secret key.

    This applies to account numbers, credit card numbers, social security numbers, drivers license numbers, everything.

    The symbol that represents you is not the thing that proves who you are. Otherwise, your name itself would be all you need to verify your identity, and we all know how absurd that is.

    Of course, the real problem is that they aren't held adequately liable for the fraud that occurs. They blame it on the customer and wash their hands of it. If we made them always eat that cost, I guarantee we'd see real progress against identity theft.
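
The distinction drawn in the comment above, between an identifier and a secret that proves authority, as an added example that is not part of the thread and not any real payment protocol. The toy `Bank` class, the `authorize` function and the account number are hypothetical; the keyed tag is an HMAC-SHA256 over the account, payee, amount and a one-time serial.

```python
import hashlib
import hmac
import json
import secrets

ACCOUNT = "000123456789"  # constructed account number, as printed on every check

def authorize(key: bytes, account: str, payee: str, cents: int, serial: int) -> bytes:
    """Account holder's tag binding one payment to payee, amount and serial."""
    msg = json.dumps([account, payee, cents, serial]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Bank:
    """Toy bank comparing identifier-only debits with keyed authorizations."""

    def __init__(self):
        self._keys = {}     # account -> secret key, never printed on paper
        self._used = set()  # (account, serial) pairs already honoured

    def enroll(self, account: str) -> bytes:
        self._keys[account] = secrets.token_bytes(32)
        return self._keys[account]  # handed to the account holder out of band

    def debit_by_identifier(self, account: str, payee: str, cents: int) -> bool:
        # Weak model: the account number is treated as proof of authority.
        return account in self._keys

    def debit_authorized(self, account, payee, cents, serial, tag) -> bool:
        key = self._keys.get(account)
        if key is None or (account, serial) in self._used:
            return False  # unknown account, or serial already spent
        expected = authorize(key, account, payee, cents, serial)
        if not hmac.compare_digest(expected, tag):
            return False  # payee, amount or serial altered, or tag made without the key
        self._used.add((account, serial))
        return True

def demo():
    bank = Bank()
    key = bank.enroll(ACCOUNT)
    tag = authorize(key, ACCOUNT, "Alice Example", 256, 1)
    return {
        # A request from someone who only read the number off a check image:
        "identifier_only": bank.debit_by_identifier(ACCOUNT, "Mallory Example", 100000),
        "altered_amount": bank.debit_authorized(ACCOUNT, "Alice Example", 25600, 1, tag),
        "guessed_tag": bank.debit_authorized(ACCOUNT, "Mallory Example", 100000, 2, bytes(32)),
        "genuine": bank.debit_authorized(ACCOUNT, "Alice Example", 256, 1, tag),
        "replay": bank.debit_authorized(ACCOUNT, "Alice Example", 256, 1, tag),
    }

if __name__ == "__main__":
    print(demo())
```

Only the identifier-only path accepts a request from a party who knows nothing but the account number; the keyed path rejects the altered amount, the guessed tag and the replay.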

  10. Re:Forgive me by Ed Avis · · Score: 5, Funny

    Think of a dollar as "100" cents. 0x100 cents = 256 (decimal) cents.

    Yes, finally someone is taking a stand against the crappy metric-system-obsessed definition of a dollar. Everyone knows a dollar is 256 cents, this whole decimal crap is just a conspiracy by big business in cahoots with the Federal Reserve to rip us off, just like they did with hard disk sizes. I'm voting for Ron Paul.

    --
    -- Ed Avis ed@membled.com
  11. Actually by hey! · · Score: 4, Interesting

    a check doesn't legally have to have your account or bank routing number on it. It certainly doesn't have to be printed by your bank.

    The numbers are there to make it convenient for banks to move money around. A bank can refuse to honor such a check, but a bank can refuse to honor any check. There's no legal obligation to honor any check.

    The numbers don't turn an ordinary piece of paper into a check. What does that is your signature.

    I once knew a guy who wrote out a check to another guy on a napkin. He then went over to his bank branch with the other guy and made sure they honored the "check", which after some discussion they did. He could have just withdrawn money, but he wanted to prove it could be done, and he did.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  12. Re:Forgive me by 0xABADC0DA · · Score: 4, Funny

    It's still wrong though, "cent" is the same "cent" as in "centimeter" or "percent" and means 1/100. The unit is the dollar, so 0x1 dollar = one dollar.

    So if you point out this error to Knuth... do you get a check for $0x1 or $2.56?