Fraud Threat Halts Knuth's Hexadecimal-Dollar Checks

Barence writes "You may be aware of Donald Knuth, the creator of TeX and author of The Art of Computer Programming, who used to post checks to anyone who spotted an error in one of his books — one hexadecimal dollar, or $2.56. No one cashed them though. This blogger has two of them proudly on his wall, but the sad news is that modern day bank fraud has put a stop to Knuth's much-loved way of keeping his books free of errors." (Here's Knuth's own post about the sad change.)

Re:Forgive me

[Enki X]

Not if you define a dollar as a hundred pennies...

Re:Forgive me

[Flying Scotsman]

Think of a dollar as "100" cents. 0x100 cents = 256 (decimal) cents.

Re:Forgive me

[Anonymous Coward]

So is Minwee. He meant 1500.

Re:This is getting old.

[Itninja]

Regarding checks, with their watermarks, UV-readable text,and what not, I don't think they would fall under the category of 'absurdly easy to fake'. However, people are absurdly easy to fool. So the result is the same. And with credit cards, are you talking about making physical fake cards? Because that's not exactly something one can whip up with supplies from the local hardware store. Generating valid numbers however, along with a little social engineering, the same results can be had with little effort.

Pfft. This is not new.

[Anonymous Coward]

Anyone can print a check. Everyone knows this or at least should. Companies print their own checks. Government offices print checks. Hell, if you run out of checks you can just write your information on a piece of paper and sign. (Ask your banker if you want confirmation.)

Anyone can print a check with any account and routing numbers they want. While checks are low-tech, and easy to copy, they're also very easy to trace. The fraudster's bank has identifying information for whomever cashed the fakes, which makes prosecution trivial.

This is not 'the end of an era' unless you've been living under a rock. Have none of you heard of Frank Abignale? (Watch 'Catch me if you can.') Check fraud is as old as checks.

LOL, captcha: decency, which the fraudsters didn't have.

Shift left by 1

[FourthAge]

Actually, don't the cheques start at $2.56, and then shift left by 1 as each error is found, up to a maximum of $327.68? (It's wise of Knuth to put a cap on it.. you might be tempted to cash a cheque worth (164)*$0.01..)

Re: Fraud Threat Halts Knuth's Hexidecimal-Dollar

[Anonymous Coward]

hexAdecimal

Re:This is getting old.

[Applekid]

Which is enough evidence that these sorts of things aren't costing the banking industry a whole lot.

This suggests one or more of the following three things are true:
1) There ISN'T ACTUALLY an epidemic of checking/credit fraud aside from a few high profile high press cases (see also: terrorism, pedophilia, and other "woo, the world is SCARY!" kinds of stories
2) When fraud happens, banks are reasonably well equipped to recover the losses (some other bank has to exist on the other end of the wire, naturally)
3) The government doesn't have sufficient laws to protect the victims of these sorts of things where banks are held responsible, so banks have no motivation to fix what amounts to broken financial operations

Re:paranoia much

[scrod98]

In the article, he isn't just paranoid, but has had several problems, which have extended to make unhappy bankers. You plan would work, but then it would be like $30 worth of effort, so loses its appeal. Another casualty of technically savvy criminals, staying one step ahead of industry.

Slashdotted

[Russianspi]

While it seems to be fine at the moment, it took a few tries for me to load it. So, to try and help the server, here is TFA: "Financial Fiasco Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks. A criminal who sees the numbers that are printed at the bottom of any check that you write can use that information to withdraw all the money from your account. He or she can do this in various ways, without even knowing your name --- for example by creating an ATM card, or by impersonating a bank in some country of the world where safeguards are minimal, or by printing a document that looks like a check. The account number and routing information are all that international financial institutions look at before deciding to transfer funds from one account to another. (See, for example, Grant Bugher's comments.) More and more criminals are learning about this easy way to acquire money, and devising new schemes to conceal their identities as they steal the assets of more victims. Nowadays almost everybody knows that it's dangerous to reveal your credit card number, or to have that full number on a printed document that somebody might find in the trash. Soon people will learn that it is equally dangerous to reveal the numbers that are printed in plain sight on every check. Forget signatures; banks have no time to verify them. The once venerable system of checking accounts is irretrievably broken. Before long, companies will find it impossible to give out paychecks without exposing themselves to unacceptable risk. One consequence of this debacle is, alas, that I can no longer write checks to reward the people who discover errors in my books. The system that I've been using has worked well for almost forty years; but recently I have had to close three checking accounts, and the criminal attacks on those accounts have caused significant grief to my bankers. (Certainly I do not believe that anybody who received one of my checks has been in any way a culprit. But all such recipients are entitled to bragging rights; therefore the numbers printed on those checks inevitably become known to random members of the public.) I cannot in good conscience continue to traumatize the people at my bank, who obviously have plenty of other things to worry about. After painful deliberation I've come up with a new plan, which I hope will be acceptable to all concerned, and perhaps even welcomed as an improvement. Instead of rewarding heroic bug-finders with dollars, I shall henceforth award brownie points, otherwise known as hexadecimal dollars (0x$). From now on it will be kudos, not escudos. Instead of writing personal checks, I'll write personal certificates of deposit to each awardee's account at the Bank of San Serriffe, which is an offshore institution that has branches in Blefuscu and Elbonia on the planet Pincus. It turns out that only 9 of the first 275 checks that I've sent out since the beginning of 2006 have actually been cashed. The others have apparently been cached. So this change in policy will probably not affect too many people. On the other hand, I don't like to renege on promises, so I shall do my best to find a suitable way to send money to anyone who really prefers legal tender. Everybody who has received a reward check or a hexadecimal certificate from me since 1 January 2006 automatically has an account at the Bank of San Serriffe, and these accounts are listed on the bank's website. All of these people have my undying gratitude for the invaluable help they've generously provided in order to improve the books and the software that I've written. I ask friendly readers to keep sending those precious bug reports, and to let me know if my new policy displeases you in any way"

Re:New Bill

[MasterOfMagic]

The right way is a money order. The USPS actually issues money orders for this very purpose, and they charge only a very nominal fee on top of it.

Re:This is getting old.

[Thundersnatch]

any piece of stationary with mag ink at the bottom with bank a.b.a., account number, check number, will be accepted as check

No, it most likely won't. What you say may have been true 10 or even 5 years ago, but is generally not true with modern check imaging systems. The "Check 21" legislation basically enabled all banks to move to electronic check image storage. Of course, they had to upgrade all of their imaging systems to recognize that cost savings, and these new systems are quite discerning, especially for higher-value checks. Manual inspection is required for most high-value checks, and even things like a changed paper stock or layout can be flagged for manual review.

Also, nearly every company of reasonable size is required to implement positive pay, meaning they send a list of check numbers, dollar amounts, and payees to the bank before the checks are actually cut. So when you go to cash a fake check, the bank knows it is fake immediately. There are of course ways to get around this, especially with personal accounts (which usually do not offer positive pay), but check fraud is no longer as simple as portrayed in Catch me if you Can.

That said, check still fraud remains a major cost for banks, and believe it or not they are working hard to make it less possible. But there is as yet no "magic bullet" technology to replace paper checks. Chip-and-PIN, smartcards, etc. all suffer from different security and operational issues. They also cost a lot to implement worldwide, even after including the costs of paper check fraud. A paper check is fairly easily validated, can be sent through the mail, and requires no "secure" hardware terminals at every merchant.

Re:New Bill

[Anonymous Coward]

If you're sending $2.56, it's not particularly nominal (to extend your pleonasm), at $1.05 [usps.com] ...

Re:Actually

[Chirs]

My bank at least will charge me an additional fee if the check isn't MICR-encoded.

Re:This is rather disquieting

[Zenaku]

I had a friend get one of his post-dated cheques cashed months before the date (with extra-salty fees attached of course). The depositor did not even falsify the date!

Your friend was completely misinformed if he thought that post-dating a check meant it wouldn't be valid until that date. The date written on a check has no affect on its validity. It's mostly just their for your own record-keeping.

If a human teller happens to look at the check, he or she might refuse to process it, just because they can, and may not know whether it is valid or not, but there is no law obliging them to treat is as invalid.

And how often these days is a human teller the one processing a check?

Lesson: Don't write checks your account can't cover.

Re:This is getting old.

[Ma8thew]

That's rubbish. Although in Britain we use debit cards and direct debits more, checks are commonly used for transferring money between individuals, when cash is inconvenient.

Re:This is getting old.

[mosch]

LOL. No.

I deposit checks electronically to both my personal and business bank accounts. The advanced equipment to do this? A $50 scanner.

Scan the front, scan the back, and the money is credited to my account the next day. No requirement to keep the check, no possible way to examine for UV, or paper stock, or anything else at all.

For my business, I actually have the option to just do an ACH withdrawal instead of presenting the check at all. It's completely legal for me to just look up the numbers on the the bottom of your check, and then ACH your account for the amount of your paper check.

There's essentially no security in checks, at all. please don't fool yourself.

Re:This is getting old.

[scribblej]

I work for a living desinging systems that process checks and credit cards. I couldn't agree with you more; the aging bank standards are absoluely ridiculous in terms of security.

What I don't see anyone pointing out (and what poor Knuth apparently doesn't know) is that these shortcomings have been somewhat mitigated in the rules for processors and merchants and banks. It's not a great solution, it's not even a good solution, but it's hardly the END OF THE WORLD that people seem to be claiming.

You are probably all familiar with the fact that you have a maximum fraud liability on your credit card of $50, and in practice, you'll never be charged anything, not a penny, if someone uses your credit card for fraud. Simply call your bank, explain the situation, and they will issue chargebacks for any charged you did not authorize. You will in the chargebacks, and your money will be returned and you will not be one penny the poorer. (The merchant who accepted the credit card, on the other hand, gets royally screwed, but that's another story.)

Well, the same is not true of written checks; you probably know you need to issue a 'stop payment' and your bank will likely charge you for that. But written checks aren't what people are freaking out about here, and do take quite a bit of effort to forge successfully (a lot less than cash, but still)... we're talking about ACH payment made through the NACHA system. i.e. "Electronic Checks." And there are very strict rules in place from the NACHA, you can order the book online if you feel like wasting a weekend reading the boringest stuff ever.

The important part is this: You can dispute an ACH transaction just like you can a credit card transaction. Anyone who processes "electronic checks" is /required/ to allow up to 60 days for the customer to dispute a fradulent ACH charge. And if you /do/ call in to dispute it, beleive me, it's going to work out the exact same way as the online credit card purchase; you will get your money back and be no poorer (and the merchant will get fucked again!).

So... everybody don't panic. yes, the systems are horrible. No, they aren't changing around here anytime soon; all efforts are stupid or doomed to fail (e.g. VERIFIED BY VISA which is both). But the bottom line is, your money is safe. A simple call to your bank /will/ solve any problems with people making fraudulent electronic charges to your credit card or checking account. I guarantee it. If your bank gives you ANY hint of a problem with a chargeback drop them like a hot potato and go to a better bank. But they won't; I've never run into a situation where you as a consumer is going to have the slightest bit of trouble.

If you're the merchant, on the other hand, you are well and truly fucked. Heh.

Re:This is getting old.

[johnlcallaway]

Close .. but not quite. I worked in the banking industry many years ago (ok .. almost 30), so my memory may be a bit hazy. As I remember, the requirements were very basic:

• Date -- checks older than 6 months are 'dead' and do not have to be honored. In theory, any check older than 6 months has to be either reissued or turned over to the state as abandoned property. That's how many of those names get in the paper under the 'state has money for you' category. It's amazing how many people don't cash payroll checks in a timely fashion. And states do audit companies to make sure they are either making attempts to reissue the check or turning them over to the state
• The account number on which it is drawn. I don't believe the routing number is required if you take it to the originating bank
• The amount in two places. By tradition, one is numbers and the other is words, but this is not required
• The name of the bank. The address used to be required, but with the large national banks, I don't think it is any longer
• The signature of the person issuing the check
• The name of the person (or other entity such as a business) to whom the check is issued. Or 'cash'

No bank is required to honor a check not drawn upon their accounts. They do so for business reasons, checks usage would be almost impossible if banks wouldn't honor other bank's checks. They are under no obligation to cash a questionable check.

And, of course, no business is required to accept a check written on Kleenex.

On the other hand, a bank is required to honor a check drawn on their accounts *without fees*, providing the identify of the person cashing it can be verified, it's not a dead check, the funds are available, and the signature is validated. Of course, all of these checks are at the bank's discretion, they don't have to verify anything if they are willing to take that risk. (Insert sarcastic comment about risky loans here...)

In theory, you can issue a check on just about anything, providing the above information is on it. However, the only bank that has to accept it is the bank it is drawn on.

So, checks have always been a bit dicey to begin with. Sure, your payroll check is printed on nice shiny paper. It only helps to make sure the check isn't altered, which also used to be a big way to make money on checks.

But the reason most banks will only cash checks for account holders is because they have made an attempt to identify them, so if bad checks happen they can attempt to locate the person who cashed it. Check-21 was an attempt to decrease the ability to defraud, paper no longer has to float around the system so checks clear and bounce faster and kiting is becoming very difficult.

People still use cheques in this day and age?

[jonwil]

I havent written a cheque in my life and I get along fine. Why do we still need a system based around sending bits of paper around when I can log onto my internet bank and transfer money to any other Australian bank account in a couple of minutes (although the money doesn't actually end up in the other account right away unfortunatly)