Fraud Threat Halts Knuth's Hexadecimal-Dollar Checks

Posted by timothy on Fri Oct 31, 2008 10:36 AM
from the sobering-thought-about-checks-in-general dept.
Barence writes "You may be aware of Donald Knuth, the creator of TeX and author of The Art of Computer Programming, who used to post checks to anyone who spotted an error in one of his books — one hexadecimal dollar, or $2.56. No one cashed them though. This blogger has two of them proudly on his wall, but the sad news is that modern day bank fraud has put a stop to Knuth's much-loved way of keeping his books free of errors." (Here's Knuth's own post about the sad change.)

Related Stories

[+] IT: Online Billpay Provider Loses Control of Domains 232 comments
An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Forgive me (Score:3, Insightful)

    by Anonymous Coward on Friday October 31 2008, @10:41AM (#25584289)

    But wouldn't one "hexadecimal dollar" be... wait for it... exactly one "regular dollar?"

    0x1 == 1

    • Re:Forgive me (Score:4, Informative)

      by Enki X (1315689) on Friday October 31 2008, @10:45AM (#25584359)
      Not if you define a dollar as a hundred pennies...
      • Re: (Score:3, Insightful)

        A hundred pennies is still $1. 0x100 pennies == $2.56. I'm not sure that 'hundred' is really defined in the hex world. It's like the old "There are 10 kinds of people in the world - Those who understand binary and those that don't" gag falling apart outside print because the word 'ten' blows it.

        IANA mathemagician - Feel free to correct me if I'm full of shit.

        • Re: (Score:3, Insightful)

          Also not a math pro, but the problem comes in that we have two things that are defined by the word "ten" - the abstract point on the number line that is equivalent is also represented by the symbols: '0x0A' in hex; '012' in octal; '10' in dec; and '1010' in binary.
          But it's also a name for the symbol '10' itself, just as one hundred is a name for the symbol '100', as well as a name for the abstract value represented by the symbol '100'.

    • Re:Forgive me (Score:5, Informative)

      by Flying Scotsman (1255778) on Friday October 31 2008, @10:45AM (#25584369)
      Think of a dollar as "100" cents. 0x100 cents = 256 (decimal) cents.
      • by Ed Avis (5917) <ed@membled.com> on Friday October 31 2008, @11:37AM (#25585209) Homepage

        Think of a dollar as "100" cents. 0x100 cents = 256 (decimal) cents.

        Yes, finally someone is taking a stand against the crappy metric-system-obsessed definition of a dollar. Everyone knows a dollar is 256 cents, this whole decimal crap is just a conspiracy by big business in cahoots with the Federal Reserve to rip us off, just like they did with hard disk sizes. I'm voting for Ron Paul.

        • Re:Forgive me (Score:5, Insightful)

          by Anonymous Coward on Friday October 31 2008, @11:30AM (#25585083)

          AAAAAAAAAAAAAH!!!!!
          It's a joke dollar and Knuth gets to designate what a hexadecimal dollar is since HE's writing the checks!!!

          Leave it alone already!!!

        • by 0xABADC0DA (867955) on Friday October 31 2008, @12:08PM (#25585809)

          It's still wrong though, "cent" is the same "cent" as in "centimeter" or "percent" and means 1/100. The unit is the dollar, so 0x1 dollar = one dollar.

          So if you point out this error to Knuth... do you get a check for $0x1 or $2.56?

  • by SatanicPuppy (611928) * <Satanicpuppy@@@gmail...com> on Friday October 31 2008, @10:45AM (#25584355) Journal

    Checks and credit cards are absurdly easy to fake in the modern world. Banks need to get off their asses and roll out a new system...With the billion dollar bonuses that they keep giving themselves, I'm not too sympathetic of the cost.

    • by Itninja (937614) on Friday October 31 2008, @11:01AM (#25584629) Homepage
      Regarding checks, with their watermarks, UV-readable text, and what not, I don't think they would fall under the category of 'absurdly easy to fake'. However, people are absurdly easy to fool. So the result is the same. And with credit cards, are you talking about making physical fake cards? Because that's not exactly something one can whip up with supplies from the local hardware store. Generating valid numbers however, along with a little social engineering, the same results can be had with little effort.
      • And with credit cards, are you talking about making physical fake cards? Because that's not exactly something one can whip up with supplies from the local hardware store
        Afaict plastic card printers and magstripe writers are easy enough to get. Not a job for your local hardware store but plenty of places use ID cards that are very similar to credit cards so the printers are available. You would probably have to rig something up to do the embossing but that can't be terribly difficult.

        It's not a hardware store job but it's not out of reach of a reasonably organised criminal with a few thousand pounds to spend and a location to get stuff delivered to.

        Chip and pin cards are probably much harder to fake but at least here in the UK most places will still put a transaction through with a swipe and sign if chip and pin fails or the card does not have a chip.

      • by rcw-home (122017) on Friday October 31 2008, @11:44AM (#25585375)

        Regarding checks, with their watermarks, UV-readable text, and what not, I don't think they would fall under the category of 'absurdly easy to fake'.

        Considering that you don't need to pass off a watermarked check to someone in real life to drain money from someone's account (you only need the account number and routing number off the check), yes, they absolutely are absurdly easy to fake.

        Also, there's no guarantee that when someone writes you a check that they have the funds to cover it, because it isn't processed right then and there. These two factors put together have led the vast majority of merchants to simply refuse checks today.

        There's absolutely no excuse for banks to not have rolled out a checking system that uses much larger one-time-use account numbers and allows merchants to verify that the check won't bounce. They've been twiddling their thumbs.

        • by Tmack (593755) on Friday October 31 2008, @12:49PM (#25586575) Homepage Journal

          There's absolutely no excuse for banks to not have rolled out a checking system that uses much larger one-time-use account numbers and allows merchants to verify that the check won't bounce. They've been twiddling their thumbs.

          ... and raking in the $$. They won't change their ways because each bounced check is an opportunity for them to collect lots of fees. At least $20 from the person trying to pass off the bad check, and another $20-30 from the account that got overdrawn. To top it off, once that account is overdrawn, they get those fees on every withdrawal until they stop coming in. For fake checks, they will still charge your account for trying to pass off the bad check. To them, it's not broken, it's a source of revenue.

          tm

          • Re: (Score:3, Insightful)

            Of course, this is also part of why banks are so hip on 'check cards'. 'Check cards' offer no benefits to the account holder over a standard credit card. They do offer serious down sides given that they allow anyone with access to the card to withdraw funds directly from your account with no pin or identification. Then VISA advertises on TV how easy it is to commit fraud with those cards.

            The fact that most banks are replacing their ATM cards that do require pins to access funds with 'check cards' tha
        • by Anonymous Coward on Friday October 31 2008, @01:03PM (#25586781)

          Also, there's no guarantee that when someone writes you a check that they have the funds to cover it, because it isn't processed right then and there. These two factors put together have led the vast majority of merchants to simply refuse checks today.

          Many merchants who receive a lot of checks on a regular basis (and thus cannot afford to turn those customers away) are switching to instant check processing systems. We implemented one of these at an old job of mine. Basically, a scanning device reads the check, gets online, turns the check into a direct withdrawal (EFT) from the account instead, slaps a big VOID on the check, and the voided check is handed back to the customer, usually to their great surprise.

          Essentially, the check itself becomes useless, merely a carrier of account information. The scanned check image is stored, for verification purposes if it happens to be needed later. Initially, the system didn't do "instant" account checking, but that was added later, so that a bad check could be instantly spotted as such.

          On a side note, a year after we rolled these systems out at all locations, the number of checks we processed dropped by almost 75%, with a corresponding increase in credit/debit transactions. Once people figured out that writing the checks was essentially useless and that if they lacked the funds they would get an instant rejection while they were standing there basically holding a voided bad check in their hands, then they stopped trying.

          Turns out a surprising lot of our customers were basically relying on the float period, where they could write the check and not have it get into the system for a few days, giving them time to come up with the money. When that no longer worked, they stopped trying it. There was no decrease in sales, but since our bad check problems disappeared almost overnight, we had a major increase in profits.

      • by Detritus (11846) on Friday October 31 2008, @11:45AM (#25585387) Homepage
        All of those security features in paper checks are becoming worthless. I was standing in line at the grocery store, and the customer ahead of me wrote a check. The clerk fed the check into a document scanner built into the cash register, and returned the original check to the customer. Besides, banks are so automated that it's a rare occasion that a human ever looks at a check.
        • Re: (Score:3, Interesting)

          All of those security features in paper checks are becoming worthless. I was standing in line at the grocery store, and the customer ahead of me wrote a check. The clerk fed the check into a document scanner built into the cash register, and returned the original check to the customer. Besides, banks are so automated that it's a rare occasion that a human ever looks at a check.

          And now, even if the physical check gets back to the bank, I don't even get it back. Instead I get a reduced-size photocopy of only the front of the check. I don't even get a rubber stamp from Krusty the Klown's Cayman Islands holding company anymore (or anything I can dust for fingerprints or swab for DNA).

          The only checks I write anymore are for credit card payments, loan payments, electric and gas bills (they still charge a fee for payment by credit card, which went up this month to $3.95 (they use Wester

      • Re: (Score:3, Interesting)

        Actually banks no longer transfer physical checks, they ship around images of the checks. The banks did this to reduce costs, but it obviously comes at the cost of security. Since it isn't their money they are protecting they just don't care, if they can reduce their costs and only risk the few small accounts that get hacked then it's definitely a net win for them.

        The flipside of this is that Knuth is wrong when he says "Before long, companies will find it impossible to give out paychecks without exposing
      • Re: (Score:3, Interesting)

        In spite of all of that, a man once drew a check on the back of his teeshirt with a magic marker and the IRS successfully cashed it.

        The whole "check by phone" thing also limits the value of the physical anti-forgery measures. It is possible to cash a check against your account that you have never even seen written to someone you have never heard of.

        Further, what's to stop me from ordering a box of checks with your details on them (based on nothing more than I can learn from looking at a legitimate check you

        • by Thundersnatch (671481) on Friday October 31 2008, @12:28PM (#25586153) Journal

          any piece of stationery with mag ink at the bottom with bank a.b.a., account number, check number, will be accepted as check

          No, it most likely won't. What you say may have been true 10 or even 5 years ago, but is generally not true with modern check imaging systems. The "Check 21" legislation basically enabled all banks to move to electronic check image storage. Of course, they had to upgrade all of their imaging systems to recognize that cost savings, and these new systems are quite discerning, especially for higher-value checks. Manual inspection is required for most high-value checks, and even things like a changed paper stock or layout can be flagged for manual review.

          Also, nearly every company of reasonable size is required to implement positive pay, meaning they send a list of check numbers, dollar amounts, and payees to the bank before the checks are actually cut. So when you go to cash a fake check, the bank knows it is fake immediately. There are of course ways to get around this, especially with personal accounts (which usually do not offer positive pay), but check fraud is no longer as simple as portrayed in Catch me if you Can.

          That said, check fraud still remains a major cost for banks, and believe it or not they are working hard to make it less possible. But there is as yet no "magic bullet" technology to replace paper checks. Chip-and-PIN, smartcards, etc. all suffer from different security and operational issues. They also cost a lot to implement worldwide, even after including the costs of paper check fraud. A paper check is fairly easily validated, can be sent through the mail, and requires no "secure" hardware terminals at every merchant.
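The positive pay check described in the comment above (an issue file of check numbers, dollar amounts and payees sent to the bank ahead of time), sketched as an added example that is not part of the original thread. The class, reason codes and sample checks are constructed for illustration and do not represent any bank's file format.

```python
from dataclasses import dataclass
from decimal import Decimal

# Reason codes returned by PositivePayFile.decide (illustrative names).
PAY = "pay"
NOT_ISSUED = "check number not in issue file"
DUPLICATE = "check number already paid"
AMOUNT_MISMATCH = "amount differs from issue file"
PAYEE_MISMATCH = "payee differs from issue file"


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for payee names."""
    return " ".join(name.upper().split())


class PositivePayFile:
    """Issue file the account holder sends to the bank before mailing checks."""

    def __init__(self, issued):
        self.issued = {}
        for check in issued:
            if check.number in self.issued:
                raise ValueError(f"check {check.number} listed twice")
            self.issued[check.number] = check
        self.paid = set()  # check numbers that have already cleared

    def decide(self, presented: Check) -> str:
        """Return PAY, or the reason the item is held for exception review."""
        issued = self.issued.get(presented.number)
        if issued is None:
            return NOT_ISSUED
        if presented.number in self.paid:
            return DUPLICATE
        if presented.amount != issued.amount:
            return AMOUNT_MISMATCH
        if normalize_payee(presented.payee) != normalize_payee(issued.payee):
            return PAYEE_MISMATCH
        self.paid.add(presented.number)
        return PAY


def run_demo():
    """Constructed sample data: two issued checks, five presentments."""
    issue_file = PositivePayFile([
        Check(1001, Decimal("2.56"), "Alice Example"),
        Check(1002, Decimal("1400.00"), "Example Mortgage Co"),
    ])
    presentments = [
        Check(1001, Decimal("2.56"), "alice  example"),           # matches issue file
        Check(1001, Decimal("2.56"), "Alice Example"),            # presented a second time
        Check(1002, Decimal("14000.00"), "Example Mortgage Co"),  # amount does not match
        Check(1002, Decimal("1400.00"), "Someone Else"),          # payee does not match
        Check(9999, Decimal("500.00"), "Alice Example"),          # number never issued
    ]
    return [issue_file.decide(item) for item in presentments]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Only the first presentment is paid; the other four are held for review, including the one that carries a valid check number with a different amount.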

          • by Anonymous Coward on Friday October 31 2008, @01:25PM (#25587105)

            You know... I can't even recall seeing checks outside America since the 80s. The rest of the world uses cash, bank transfers and credit/debit cards. And we survive, without the costs and problems associated with a ridiculously broken check system.

            The question is not the cost of implementing chip-and-pin or smartcards worldwide, the question is the cost of getting America to upgrade from a payment system that was modern around 1800.

            • Re: (Score:3, Informative)

              That's rubbish. Although in Britain we use debit cards and direct debits more, checks are commonly used for transferring money between individuals, when cash is inconvenient.
          • Re: (Score:3, Informative)

            LOL. No.

            I deposit checks electronically to both my personal and business bank accounts. The advanced equipment to do this? A $50 scanner.

            Scan the front, scan the back, and the money is credited to my account the next day. No requirement to keep the check, no possible way to examine for UV, or paper stock, or anything else at all.

            For my business, I actually have the option to just do an ACH withdrawal instead of presenting the check at all. It's completely legal for me to just look up the numbers on the

    • by Applekid (993327) on Friday October 31 2008, @11:22AM (#25584911)

      Which is enough evidence that these sorts of things aren't costing the banking industry a whole lot.

      This suggests one or more of the following three things are true:
      1) There ISN'T ACTUALLY an epidemic of checking/credit fraud aside from a few high profile high press cases (see also: terrorism, pedophilia, and other "woo, the world is SCARY!" kinds of stories)
      2) When fraud happens, banks are reasonably well equipped to recover the losses (some other bank has to exist on the other end of the wire, naturally)
      3) The government doesn't have sufficient laws to protect the victims of these sorts of things where banks are held responsible, so banks have no motivation to fix what amounts to broken financial operations

    • by scribblej (195445) on Friday October 31 2008, @04:37PM (#25589485)

      I work for a living designing systems that process checks and credit cards. I couldn't agree with you more; the aging bank standards are absolutely ridiculous in terms of security.

      What I don't see anyone pointing out (and what poor Knuth apparently doesn't know) is that these shortcomings have been somewhat mitigated in the rules for processors and merchants and banks. It's not a great solution, it's not even a good solution, but it's hardly the END OF THE WORLD that people seem to be claiming.

      You are probably all familiar with the fact that you have a maximum fraud liability on your credit card of $50, and in practice, you'll never be charged anything, not a penny, if someone uses your credit card for fraud. Simply call your bank, explain the situation, and they will issue chargebacks for any charges you did not authorize. You will win the chargebacks, and your money will be returned and you will not be one penny the poorer. (The merchant who accepted the credit card, on the other hand, gets royally screwed, but that's another story.)

      Well, the same is not true of written checks; you probably know you need to issue a 'stop payment' and your bank will likely charge you for that. But written checks aren't what people are freaking out about here, and do take quite a bit of effort to forge successfully (a lot less than cash, but still)... we're talking about ACH payment made through the NACHA system. i.e. "Electronic Checks." And there are very strict rules in place from the NACHA, you can order the book online if you feel like wasting a weekend reading the boringest stuff ever.

      The important part is this: You can dispute an ACH transaction just like you can a credit card transaction. Anyone who processes "electronic checks" is /required/ to allow up to 60 days for the customer to dispute a fraudulent ACH charge. And if you /do/ call in to dispute it, believe me, it's going to work out the exact same way as the online credit card purchase; you will get your money back and be no poorer (and the merchant will get fucked again!).

      So... everybody don't panic. Yes, the systems are horrible. No, they aren't changing around here anytime soon; all efforts are stupid or doomed to fail (e.g. VERIFIED BY VISA which is both). But the bottom line is, your money is safe. A simple call to your bank /will/ solve any problems with people making fraudulent electronic charges to your credit card or checking account. I guarantee it. If your bank gives you ANY hint of a problem with a chargeback drop them like a hot potato and go to a better bank. But they won't; I've never run into a situation where you as a consumer are going to have the slightest bit of trouble.

      If you're the merchant, on the other hand, you are well and truly fucked. Heh.

  • by jeffasselin (566598) <cormacolindeNO@SPAMgmail.com> on Friday October 31 2008, @10:45AM (#25584361) Journal

    That the financial system is not any more secure than this. I always thought there were some serious security measures taken by banks before transferring funds, like doing small payments whose value has to be confirmed, and stuff like this.

    Just like any security issue, though, it appears convenience wins over security for now. It would probably be too detrimental to the big banks and financiers of the world to have to authenticate transfers properly. They're already reduced to quasi-poverty (WHAT? I ONLY GET 100MILLIONS TO SPEND THIS MONTH?).

    • by NixieBunny (859050) on Friday October 31 2008, @11:23AM (#25584933) Homepage
      Yeah, I thought that as well until one day I sent a $14,000 check to my mortgage company and they deposited it for the default payment amount of $1400. The scary part is that the bank didn't read the check at all, using the mortgage company's data tape instead of the actual document to learn the deposit amount. Seems they are not willing to take the time to read the numbers written on their checks! Momentum is the only thing sustaining the banking industry.
      • That's actually a feature of the system, not a bug (from the banking industry's point of view). When your check is processed the merchant simply declares a value. That might be the value written on the check, or it might not. If the merchant declares a value higher than you intended (or you never wrote that merchant a check at all) that's fraud, but the check clearing system doesn't even try to catch that. It's handled out of band, and it's completely up to you to report the fraud. Pay attention to your

      • Re: (Score:3, Informative)

        I had a friend get one of his post-dated cheques cashed months before the date (with extra-salty fees attached of course). The depositor did not even falsify the date!

        Your friend was completely misinformed if he thought that post-dating a check meant it wouldn't be valid until that date. The date written on a check has no effect on its validity. It's mostly just there for your own record-keeping.

        If a human teller happens to look at the check, he or she might refuse to process it, just because they can, an

  • New Bill (Score:5, Funny)

    by Ukab the Great (87152) on Friday October 31 2008, @10:50AM (#25584459)

    Obviously we must petition the United States Treasury to release a $2.56 bill with Don Knuth's face on it, which he can then autograph and send to the smarty pants who find errors in his book.

  • Shift left by 1 (Score:4, Informative)

    by FourthAge (1377519) on Friday October 31 2008, @11:04AM (#25584671) Homepage Journal
    Actually, don't the cheques start at $2.56, and then shift left by 1 as each error is found, up to a maximum of $327.68? (It's wise of Knuth to put a cap on it.. you might be tempted to cash a cheque worth (164)*$0.01..)
    • by Sloppy (14984) on Friday October 31 2008, @11:31AM (#25585111) Homepage Journal

      Actually, don't the cheques start at $2.56, and then shift left by 1 as each error is found, up to a maximum of $327.68?

      Unfortunately there was a bug in Knuth's check writing program, and the last person received a check for the amount of "one carry bit, set."

  • paranoia much (Score:5, Interesting)

    by Speare (84249) on Friday October 31 2008, @11:09AM (#25584753) Homepage

    First, the blurb is very misleading. I took from it that the bank yelled at the use of the phrase "one hexadecimal dollar" which no banker would understand how to equate to the digits, $2.56. Since it's the text that wins in most audited disputes about amounts, that's a problem.

    He's just paranoid about the MICR routing numbers, and how banks are not secure. This has not changed, and is not at all particular to him. It is odd that he's had multiple attacks while I've had zero, since he claims the attack is entirely despite any knowledge of the account holder's name or wealth.

    Pseudocode: // I was going to write this in WEB but fuck that

    • Set up an independent "Knuth's Mistake Fund" checking account.
    • If a mistake is found, deposit $2.56 and send paper check, valid within 30 days
    • If a month goes by and the guy didn't cash it, withdraw $2.56 and void the check.
      (Mistake-finder framed the check for his wall.)
    • Re: (Score:3, Informative)

      In the article, he isn't just paranoid, but has had several problems, which have extended to make unhappy bankers. Your plan would work, but then it would be like $30 worth of effort, so loses its appeal. Another casualty of technically savvy criminals, staying one step ahead of industry.
    • Re:paranoia much (Score:5, Insightful)

      by marcosdumay (620877) <marcosdumay.gmail@com> on Friday October 31 2008, @11:22AM (#25584923) Homepage Journal

      "It is odd that he's had multiple attacks while I've had zero..."

      No, it's not odd at all. I guess that if people did go around showing your checks to everybody they meet or maybe even posting them to the web, you'd have plenty of attacks too. Instead, people probably choose to cash your checks, so you don't have this problem.

  • by 0xdeadbeef (28836) on Friday October 31 2008, @11:31AM (#25585101) Homepage Journal

    We should make every suit at every financial institution in this country write a thousand times on a blackboard:

    An identifier is not a shared secret key.

    This applies to account numbers, credit card numbers, social security numbers, drivers license numbers, everything.

    The symbol that represents you is not the thing that proves who you are. Otherwise, your name itself would be all you need to verify your identity, and we all know how absurd that is.

    Of course, the real problem is that they aren't held adequately liable for the fraud that occurs. They blame it on the customer and wash their hands of it. If we made them always eat that cost, I guarantee we'd see real progress against identity theft.
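The distinction drawn in the comment above between an identifier and a proof of authority, as an added example that is not part of the original thread. `ToyBank`, the HMAC-based tag and the account number are constructed for illustration; this is not how ACH, NACHA rules or any real bank authorizes debits.

```python
import hashlib
import hmac
import secrets


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def sign_debit(key: bytes, account: str, payee: str, cents: int, nonce: bytes) -> bytes:
    """Tag binding one debit (who, to whom, how much, which nonce) to the key."""
    msg = encode_fields(account.encode(), payee.encode(), str(cents).encode(), nonce)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ToyBank:
    def __init__(self):
        self.keys = {}            # account number -> secret key held by the owner
        self.used_nonces = set()  # (account, nonce) pairs already honored

    def enroll(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[account] = key
        return key  # given to the account holder, never printed on a check

    def debit_by_identifier(self, account: str, payee: str, cents: int) -> bool:
        """Weak design: knowing the account number counts as authorization."""
        return account in self.keys

    def debit_authenticated(self, account, payee, cents, nonce, tag) -> bool:
        """The account number only selects the key; the tag is the proof."""
        key = self.keys.get(account)
        if key is None:
            return False
        expected = sign_debit(key, account, payee, cents, nonce)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key, or payee/amount changed after signing
        if (account, nonce) in self.used_nonces:
            return False  # one-time use: a captured request cannot be replayed
        self.used_nonces.add((account, nonce))
        return True


def run_demo():
    bank = ToyBank()
    account = "CONSTRUCTED-0001234"  # the number anyone can read off a check
    key = bank.enroll(account)
    nonce = secrets.token_bytes(16)
    tag = sign_debit(key, account, "Bookstore", 256, nonce)
    return {
        # A party who knows only the account number:
        "identifier_only": bank.debit_by_identifier(account, "Unknown Payee", 50000),
        "guessed_tag": bank.debit_authenticated(
            account, "Unknown Payee", 50000, b"n0", bytes(32)),
        # The account holder, then the same request seen again or altered:
        "genuine": bank.debit_authenticated(account, "Bookstore", 256, nonce, tag),
        "replay": bank.debit_authenticated(account, "Bookstore", 256, nonce, tag),
        "altered_amount": bank.debit_authenticated(
            account, "Bookstore", 25600, nonce, tag),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```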

    • Re: (Score:3, Insightful)

      The difficulty with making banks liable for fraud is most of the attempted fraud is the other way around - people trying to get stuff from banks. Think about it. Wouldn't you claim that your account was incorrectly debited $500 from an ATM transaction that you didn't make if you could get away with it? Sure you would. So would everyone else in your city.

      There is no way to prove the difference between "identity theft" on the scale where a bank is defrauded and outright dishonesty by the customer.

      Now in r

    • Re: (Score:3, Insightful)

      Currently, the technology required to make secure authentication ubiquitous is prohibitively expensive. Banks continue to employ a lot of legacy systems for reliability purposes, because any downtime is simply unacceptable.

      Unless you want everyone to go around doing authentication with shared secret-codes like they do in spy movies, or calculating in their heads their own public key for every transaction that requires authentication, some form of picture ID is the most practical method. Remember that wh

  • Actually (Score:5, Interesting)

    by hey! (33014) on Friday October 31 2008, @11:46AM (#25585413) Homepage Journal

    a check doesn't legally have to have your account or bank routing number on it. It certainly doesn't have to be printed by your bank.

    The numbers are there to make it convenient for banks to move money around. A bank can refuse to honor such a check, but a bank can refuse to honor any check. There's no legal obligation to honor any check.

    The numbers don't turn an ordinary piece of paper into a check. What does that is your signature.

    I once knew a guy who wrote out a check to another guy on a napkin. He then went over to his bank branch with the other guy and made sure they honored the "check", which after some discussion they did. He could have just withdrawn money, but he wanted to prove it could be done, and he did.

    • Re:Actually (Score:4, Informative)

      by Chirs (87576) on Friday October 31 2008, @01:16PM (#25586975)

      My bank at least will charge me an additional fee if the check isn't MICR-encoded.

    • Re: (Score:3, Interesting)

      During the Poll Tax palaver in the UK in the late eighties, people delighted in finding more and more ridiculous things to write checks on. IIRC, the government was presented with cheques painted on scrap vans, carved into gravestones, engraved onto a tombstone, and on one occasion written on the side of a cow. HMRC being humorous types, they cashed them all.
    • Re: (Score:3, Funny)

      You name variables after them in illustrations of poorly thought out algorithms?
      • Re: (Score:3, Insightful)

        You're referring to the "Bank of San Serriffe"? The one with branches in Elbonia and Blefuscu?

        I think it is this San Seriffe. [wikipedia.org] Perhaps Donald Knuth is a Grauniad reader?