Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Kills Dirty Online Check Processing Outfit

Posted by kdawson on from the dirty-pretty-checks dept.

coondoggie writes "The Federal Trade Commission today got a US District Court to stop permanently what it called the illegal operations of an Internet-based check creation and delivery service, and to require the group to give up over half a million dollars in ill-gotten gains. According to the FTC, Qchex.com created and sent checks drawn on any bank account that a Qchex user identified, but did not verify whether the user had authority to draw checks on that account. As a result, fraudsters worldwide used the Qchex service to draw thousands of checks on bank accounts that belonged to unwitting third parties. 'The evidence shows that the launch of Qchex.com was a "dinner bell" for fraudsters and resulted in a high number of accounts frozen for fraud...' said District Court Judge Janis Sammartino."

47 of 82 comments (clear)

  1. Check Security by Adrian+Lopez · · Score: 4, Insightful

    Checks are insecure. The lesson: withdrawing money from people's account should require more than an account and bank routing number.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    1. Re:Check Security by fm6 · · Score: 4, Interesting

      This is one of many things wrong with our current banking transaction system. It's not even the worst (though it is pretty bad). But the established financial institutions find the status quo extremely profitable, and aren't anxious to see it changed. So they write off the losses from the occasional fraud that they can't stick on somebody else.

      I've often wondered if this institutional inertia is why online micropayments have never gained traction. The usual argument is that people prefer the alternatives (advertising supported media, flat rate subscriptions, etc.) But I don't see where these arguments have ever been tested by giving users a real choice.

    2. Re:Check Security by Anonymous Coward · · Score: 3, Interesting

      Checks are also obsolete except that they make convenient gifts, but it's still not that difficult to deposit into another's account given the number. And note that when you buy something with a check the amount is now instantaneously debited from your account but when you deposit a check, it takes at least a few days to a week to clear. Why the inconsistency?

      I've also noticed that some particularly thieving rat-bastard banks, the ones that Obama is trying to bail out, treat in-person bank teller withdrawals as "cashed checks" and perform other anachronological voodoo to maximize fees should something go wrong. For example, say you make 3 charges and the charges are posted in chronological order when you check your balance. Then you charge again a day or two later, but the latest one overdraws you $1.25 . The bank's database will then rearrange the charges so that the expensive one is posted before the others, resulting in 4 overdraft fees when you should have been charged only one. That's a little too "tough" for an account which may as well be labelled "broke student", paying over 100 bucks for 1 or 2 dollars overdrawn. Extreme example, but it happens.

      And to think those fuckers want a bailout. Credit unions FTW.

    3. Re:Check Security by narcberry · · Score: 2, Insightful

      When I was taught about checks in high school, I was taught that all that matters is that a document is signed signifying the amount of money, the recipient, and the banking account number. I'm glad to see we can forgo the contractual aspect of checks, and reduce it to a set of numbers, both of which are found on every check. Glad my bank honors that. It's comforting to know that my entire savings is up for grabs every time they mail me a checkbook.

      --
      Modding me -1 troll doesn't make me wrong.
    4. Re:Check Security by c6gunner · · Score: 4, Funny

      4 digits isn't very secure, since 4^4 yields only 256 possible combinations

      Oh noes! Well, luckily 10^4 gives 10,000 combinations. Maybe you should get your bank to invest in better ATM keypads?

    5. Re:Check Security by Nerull · · Score: 3, Funny

      You're going to wonder how you said that, I suspect, but think for a bit.

      You just said a 4 digit number has only 256 possible values. Now count from 0 to 9999...

    6. Re:Check Security by sndtech · · Score: 2, Informative

      The instant debit you are speaking about comes from merchants use of automated clearing houses. essentially turning your check into a direct deposit into their account from yours. when you or I deposit a check into our account, we don't have a fancy ACH machine to run the check through, so the check needs to clear in the usual way.

    7. Re:Check Security by Majik+Sheff · · Score: 1

      Sounds like you bank with Wells Fargo. There's a reason the corporate office can afford heated sidewalks.

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    8. Re:Check Security by interstellar_donkey · · Score: 1

      Just keep your checking accounting/routing numbers safe. I hear there are some financial institutions in Nigeria that are pretty good at doing just that.

      --
      The Internet is generally stupid
    9. Re:Check Security by interstellar_donkey · · Score: 2, Funny

      It's the new magic ATMs that only have 4 numbers on it: 1,2,purple square and 8.

      --
      The Internet is generally stupid
    10. Re:Check Security by ciscoguy01 · · Score: 3, Informative

      For some time I have wanted my bank to just return any documents, checks, credit card charges, *anything* that does not include my original signature personally signed by me in ink.
      They don't have the ability to set my account to do that.
      Walmart, Sears, Kragen, all have signature capture hardware on their cash registers. But why would I want my signature stored in any computer? I wouldn't. I could easily put any signature on any document with a computer. *Lots* of people can today. A printed, pasted, captured signature on a document proves *nothing*.
      I just make an "X" on those systems.
      If we ever get to court about one of those transactions I will be expecting them to produce an originally signed ink signature, personally signed by me, proving I was here today and signed that document.
      Without that, well, clearly I wasn't here.
      Which is the only purpose of signing *anything*. To prove I was there that day and that *is* my signature.

      --
      .
    11. Re:Check Security by Vegeta99 · · Score: 1

      Add M&T to that list of people who finagle the order of transactions to maximize your loss!

      Example: Friday, I had $50 in my account, made 4 $10 purchases. On Saturday, I made a $50 purchase, overdrafting by $40. What is my balance, kids? -$10? WRONG!!

      Friday night: $10.
      Saturday night: -$40
      Monday Morning: -$180. All your purchases on Friday went through, but when we went to "take out the money" that we were "just holding" it "wasn't there" because "you spent it on saturday". Therefore, 4 transactions overdrafted at $35 a pop,

    12. Re:Check Security by wvmarle · · Score: 2, Interesting

      The problem of micropayments (payments of less than US$ 0.05 or even fractions of a cent) is that you ask a user all the time when they want to see certain content, whether they want to pay for it.

      So the user not only gets an extra step in between (accepting a payment) to see an article or blog post or youtube video, also they have to think and decide whether or not to make this payment.

      This is probably the main reason why micropayments never took off. Setting up an account at some provider and charging it up with say US$10 now and then and then have this provider take care of the payments is the trivial part, technically at least. Charging a credit card with anything less than a cent is of course impossible: and a cent is already too much for a real micropayment.

    13. Re:Check Security by francium+de+neobie · · Score: 1

      It's pretty ironic that we techies use a myriad of algorithms to protect data that nobody really cares (raise your hands if you use TrueCrypt - I do). Yet our banks, supposedly protecting one of the most important things in our lives, don't give a shit.

    14. Re:Check Security by fm6 · · Score: 1

      The problem of micropayments (payments of less than US$ 0.05 or even fractions of a cent) is that you ask a user all the time when they want to see certain content, whether they want to pay for it.

      "Viewing this page will cost you $0.001. To avoid this charge, navigate away in 5 seconds"

    15. Re:Check Security by Kaenneth · · Score: 1

      Is writing a bad check still a felony in California?, and does that only apply if it's a physical check, actually signed?

    16. Re:Check Security by encoderer · · Score: 1

      Well, if you want to get technical, nobody changes the order of anything. They just deduct PENDING SUM from CURRENT BALANCE to reach AVAILABLE BALANCE.

      To use your example:

      Thursday:
      Current Balance: $50
      Pending Sum: $0
      Available Balance: $50

      Friday:
      Current: $50
      Pending: -$40
      Available: $10

      Saturday:
      Current: $50
      Pending: -$90
      Available: -$40

      Monday Start of Biz:

      Post 1st $10 transaction: Move $10 from Pending to Posted, Subtract $10 from Current Balance. Is Available balance negative? Post Overdraft Fee.

      Post 2nd $10 transaction: Move $10 from Pending to Posted, Subtract $10 from Current Balance. Is Available balance negative? Post Overdraft Fee.

      Etc.

      The RealWTF is simply that overdraft fees are charged if your Available balance is negative, not your Current balance.

    17. Re:Check Security by bhiestand · · Score: 1

      That's why I use ING Direct... my account came with an automatic no-fee overdraft line of credit of $1,000 charged at (as of December 08) 7.25%. So when I screw up or a payment goes through earlier or later than I expected, I only pay interest on it for a day or two until my balance gets fixed. The way it should be for anyone who is financially responsible and has a good credit score.

      I know other banks offer features such as this. You should definitely check them out. Or let me know if you want a referral link for ING... I think they still give us $10 for new customers or something ;)

      -- As a side note, I remember one day going in to Washington Mutual to cash a check for $200. I only had $80 in my account, and I deposited $100 and took the other $100 in cash. What they actually did was set $200 as pending deposit in my account, withdrew $100, and left me with a nice $35 overdraft fee. Apparently the check would take several business days to actually deposit in my account. When I complained, corporate refunded the overdraft fee but would not apologize for their broken system. I closed that account.

      --
      SWM seeks new sig for a brief fling
    18. Re:Check Security by Vegeta99 · · Score: 1

      Actually, to try and get you on a double whammy, they do both. Pending balance counts as your "real balance" and check card holds (like when I get gas and they check to see if there's $50 in there) count against that. On top of that, they re-order transactions when they post to go from higest to lowest. It's a feature, not a bug, but they say its so that higher-priority transactions go through first so they don't bounce (they don't ever bounce)

  2. Also... by Adrian+Lopez · · Score: 4, Informative

    I just found this 2005 MSNBC article that talks about Qchex.com (the company mentioned in the above), and check security.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    1. Re:Also... by Vlad_the_Inhaler · · Score: 1

      So this scam was known to be a scam almost four years ago.

      Why did the FTC not get involved several years ago? Are the people running this business facing prosecution? Does the fact that the FTC ignored these activities for years mean the people running Qchex.com are safe from prosecution?
      I suppose the wider implications are that the FTC's inaction had a lot to do with the president of the day.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
  3. Mark this under "brilliant ideas" by spartacus_prime · · Score: 1, Insightful

    I want whatever those guys were smoking when they thought this was fraud-proof.

    --
    If you can read this, it means that I bothered to log in.
    1. Re:Mark this under "brilliant ideas" by zonky · · Score: 2, Insightful

      What makes you think they were concerned with being "Fraud Proof' More likely they were out to get their cut of the people who never look at their bank statements.

  4. checks are only the beginning by Son+of+Byrne · · Score: 3, Interesting

    The real problem is the ACH system? It relies almost exclusively on blind trust. Trusting that whomever I'm debiting authorized me to debit them, etc. It always amazes me when I build an ACH file to send to the bank as part of my business and send it through without a hint of a question from the bank or the processor. They just merrily send the file on through. I guess the bank and processor are counting on me being a good citizen. Hmmm...

    --
    I'd happily pay you Tuesday for a biopsy today!
    1. Re:checks are only the beginning by alen · · Score: 1

      in case of fraud you are probably very easy to find and arrest

  5. These guys were (are?) spammers by whoever57 · · Score: 1

    At my previous company, we got frequent emails from qchex/neovi.com sent to an email address that must have been scraped from a website -- no-one used it as their personal address, so there was no legitimate reason for the to be sending to that address.

    --
    The real "Libtards" are the Libertarians!
  6. Day late... by Fished · · Score: 4, Funny

    Man, and I just NOW hear about this!

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
  7. entirely predictable by Trailer+Trash · · Score: 1

    I just read Frank Abagnale's autobiography and another book that he wrote. He was one of the greatest con men who ever lived, cashing two or three million in bad checks in the 1960's, before he even turned 21. Anyway, the last book of his I read was written around 2002 or so, and he was pretty spooked by the idea of people being able to pull money from accounts simply by knowing the routing and account numbers. He designs checks nowadays and does security consulting, among other things.

    --
    Do you have ESP?
  8. People still use cheques... WTF? by jonwil · · Score: 1

    Who in this day and age takes cheques but wont take other forms of payment? (be it credit cards, cash, paypal or whatever else)

  9. Re:Check Security + nigerian scammer by Dare+nMc · · Score: 2, Interesting

    It's comforting to know that my entire savings is up for grabs every time they mail me a checkbook.

    and every time you give anyone a check, or cash any check (both transfer the same information.) after all this is not the last way to use a ABA# + account # to clear a bank account. I have in my canceled checks the account number, and bank ABA number for everyone who has cached one of my checks. I think we had a social agreement not to turn over the other guys bank info to a Nigerian scammer and wipe them out. But who knows...

  10. Re:You are kidding arent you? by rubycodez · · Score: 3, Funny

    of course there's a logical explanation. Linus took another much older OS called Minix written by a cranky old C.S. prof and changed the M to an L and an i to a u, and then distracted the professor with a meaningless and pointless argument about kernel architecture. Even after the Dr. found out about his former student's shameless plagiarism, he was just mostly relieved to find out that long haired dope smoking hippie Berkeley types would now target Linus' work with their "improvements" instead of "always trying to make my Minix into some kind of faggot BSD".

    Linux unsuccessfully tried to compete with Microsoft on the desktop, until the KDE 4.x window manager managed to trump Vista in complexity, distracting eye candy, user confusion, bugginess and bloat.

  11. No checks in Finland by Anonymous Coward · · Score: 4, Interesting

    Personal checks haven't been in use in Finland for 30 years. What we have is a system of personal direct deposits. So instead of authorizing the payee's bank to withdraw funds from your account, you transfer funds from your account to the payee's bank.

    Yes, everybody is virtually forced to own a bank account.

  12. Cheque Security by geoff_smith82 · · Score: 1

    I live in Australia and have always wondered about the security of cheques because of the place your bank account number on the cheque as well as a incrementing cheque number. The first thing I would do is make the cheque number pseudo random, so that someone who was able to get an image of a cheque wouldn't be able to create another valid cheque, just by increasing the cheque number. Even the account number could be a random number... which points to a record at the bank which determines which account the money has to come from. I think these changes could probably be implemented individually by a bank as well...ie. it wouldn't need other banks to know what is going on.

    1. Re:Cheque Security by cdrguru · · Score: 1

      One problem in the US is that checks (or cheques) aren't submitted back to the originating bank any longer - they are scanned and just the image is sent to the bank electronically. As far as what account and so on, this is handled completely separately from the image of the check.

      Really, the piece of paper is meaningless today in the US. Everything is done electronically.

    2. Re:Cheque Security by bcwright · · Score: 1

      And in what way is the electronic transaction processing any less secure than the piece of paper? It's pretty easy to generate the printed check if you have the appropriate numbers, and in either case by the time anyone notices something is amiss you can be long gone.

      The problem isn't that the printed checks are any more secure, but rather that in both cases all of the necessary numbers are right there in plain sight and unencrypted.

  13. Qchex.com - guilty of fraud? by Dynamoo · · Score: 3, Interesting
    The implication here is that Qchex.com (and its parent (Neovi Data Corporation) are somehow the fraudsters.. they're not. If they are guilty of anything, it is that than ran an ill-advised business model which they naively assumed would not be used by organised criminals.

    Heck, you can actually buy a check printer yourself which can even use the same magnetic ink that bank-issued checks use. Nothing illegal in that.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Qchex.com - guilty of fraud? by Raenex · · Score: 1

      You are correct, they weren't charged with fraud, but with "unfair" business practices. They knew there was substantial fraud going on and did not take adequate steps to address it. The court document linked to in the summary explains all this in detail. Here are some excerpts:

      "A practice is unfair under the FTC Act if: (1) it causes or is likely to cause substantial injury to consumers, (2) the injury is not reasonably avoidable by consumers themselves, and (3) the injury is not outweighed by countervailing benefits to consumers or to competition."

      [From a cited case]
      "The FTC's cause of action is based on unfairness, not deception, and the absence of proof that Defendants directly engaged in deception is completely irrelevant."

      "Here, the circumstances are similar in that Defendants' business practice significantly facilitated fraudulent activity. [...] Defendants knew of the high level of fraud from their own files and the complaints, and, like Defendant Wholesale, who knew of unauthorized deposits, they chose to continue to operate without sufficient verification measures. Therefore, after reviewing the evidence and the case law, and giving "some deference" the FTC's theory of liability under the Act, the Court finds that the FTC has satisfied the element of causation."

  14. Just like the Feds by moxley · · Score: 2, Insightful

    This is just like the federal government - get rid of one of the symptoms instead of the actual problem.

  15. Re:lets say i want to transfer 500,000 dollars by dcollins117 · · Score: 1

    if you have a better way worked out, let me know. thanks.

    You just go to your bank and make a bank-to-bank wire transfer.

  16. Re:a lot of society relies on trust and a paper tr by tchuladdiass · · Score: 2, Interesting

    Actually, all you need is to have the check number, account & routing number hashed with a secret key known only by your bank & check printing company. Have this unique hash (unique to each check number) appear on the bottom of each check, and the bank can refuse to clear it if it doesn't match up, or if a check number is duplicated. You end up with the same paper check everyone is used to, but with a bit more security. The only way fraud can happen is if someone steels your blank checks, or duplicates an uncashed check and changes the amount.

    You can go a step further and include a maximum dollar amount with the hash, and have separate checkbooks for small vs. large amounts

  17. Re:Slashdot was down. by PalmKiller · · Score: 1

    Yet you come back again and again.

  18. Re:Slashdot was down. by Anonymous Coward · · Score: 1, Funny

    protip: no all Anonymous Cowards are the same person

  19. Re:lets say i want to transfer 500,000 dollars by bcwright · · Score: 1

    Arrgh. Somehow Slashdot logged me out before I posted this, so it got put up under "Anonymous Coward" - but I did have a couple things to add to it.

    3% of $500,000 is $15,000, not $150. $500k would pay for a lot of concrete though - a whole lot more than a few metric tons. :-) But the point is well taken - for large transactions that kind of processing charge can be prohibitive.

    ACH/wire transfers can sometimes also be expensive to set up, though not nearly as much so as credit cards - perhaps $25 (unless you're a big company and able to negotiate a good deal with the bank), as opposed to checks which are nearly free; plus they have their own security issues (once again you need the bank routing code and the account number, which allows all sorts of mischief).

    Business to Business (B2B) transactions are largely based on trust and ignorance: if you don't trust your client/customer, you don't do business with them, or you put them on some kind of "cash-only" basis, including for example things like certified checks (free at many banks if you have a commercial account, but a pain to deal with because of the extra processing); and ignorance because the general public "should" never know either the bank routing codes or bank account numbers for either company.

    In the long run some kind of pseudo-encrypted or even certificate-based transaction scheme will probably become necessary if the fraudsters continue to become more sophisticated, but at the moment just about all of the methods for transferring money are vulnerable to relatively unsophisticated attacks.

  20. Re:Terrible News! Please read! by gujo-odori · · Score: 1

    You mean his belly hangs over his belt as much as Ron Jeremy's does?

  21. Typical FTC non-penalty by richmaine · · Score: 1

    The article doesn't say how much the perpetrators netted from this scheme, but it is a pretty safe bet that it is a lot more than the $500k penalty, probably by about an order of magnitude. I did see a comment about "thousands" of checks.

    Typical FTC "penalty". Make the crook pay back 10% or so of his take and promise not to do it again.

  22. Re:a lot of society relies on trust and a paper tr by tchuladdiass · · Score: 1

    One additional thing. This can be implemented using the existing system, by an individual bank if they desire. Since the account number begins with a bunch of zeros, the hash (or a fingerprint of it at least) can be stored where those zeros are. So the first 10 digits become the hash fingerprint, and the remaining digits are the actual account number.

  23. Re:Slashdot was down. by PalmKiller · · Score: 1

    LOL, that explains it then