News

04:29 PM
Connect Directly
Facebook
Twitter
Google+
RSS
E-Mail
50%
50%

Mobile RDC: Avoiding the Security Pitfalls

A session at NACHA Payments 2014 dealt with mitigating the security risks of remote deposit capture.

As mobile remote deposit capture becomes more popular among bank customers, the attendant risk involved with these transactions is also coming to the forefront.

A session at NACHA PAyments 2014 in Orlando focused on common issues around risk and security arising from increasing mobile RDC use by consumers.

Kevin Olsen, IT manager for EastPay Inc., discussed how remote deposit capture initially found popularity among bank's corporate customers, but is now rising among everyday consumers as well. However, he noted that many financial institutions do not have the same requirements around RDC for consumers as they do corporate customers, which can lead to fraud. For example, Olsen said many banks don't set deposit limits as a policy for consumers using mobile RDC. This also ties into Know Your Customer policies. Olsen said if a customer who has never deposited more than $200 in one transaction suddenly deposits thousands of dollars worth of checks via RDC, that should raise a red flag.

The most common form of RDC fraud is "duplicate presentment," Olsen noted, wherein someone deposits a check via a mobile device, then takes the paper check to a different financial institution to cash it as well. One effective way to combat this is to require some kind of "restricted endorsement." In such a case, a customer would be required to include a note in their endorsement indicating the check is intended to be deposited via RDC or it won't be accepted for mobile deposit.

David Brock, president and CEO of Florida-based Community Credit Union, said his institution does this, requiring customers who deposit a check using a mobile device to write in the endorsement "for mobile RDC only." However fraud can never be 100 percent eliminated, so in an attempt to mitigate possible misuse, Brock said the credit union imposed deposit limits for mobile RDC. Retail customers can deposit up to $1,000 in one session, and $2,000 per day. However, for "Platinum Customers" -- those who have an established, longstanding relationship with Community Credit Union -- those limits are upped to $2,500 per session and $5,000 per day.

Another significant source of mobile RDC fraud is customers not properly disposing of checks afterwards. While some banks have guidelines they give customers as to how long the checks should be held before they are destroyed, ultimately a bank cannot ensure a customer does properly destroy the check. Olsen related the story of sitting in a coffee shop and noticing another customer their using their phone to deposit a check; then leaving the check in a trash can where anyone could have picked it up. Banks need to be aggressive about educating their customers on best practices for using mobile remote deposit capture, he said.

In the end, Olsen noted that while there are many protections for consumers who are the victims of fraudsters, banks have no such luxury, and must be as proactive as possible in keeping RDC fraud to a minimum.

[See Also: Celent: Banks Looking to Replace RDC Solutions]

Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as a municipal and courts reporter for daily newspapers in upstate New York, Bryan has ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Byurcan
50%
50%
Byurcan,
User Rank: Author
4/9/2014 | 12:38:09 AM
re: Mobile RDC: Avoiding the Security Pitfalls
Thanks! The session was very informative, and obviously covered a lot more than what was just in the article.
Hemphill
50%
50%
Hemphill,
User Rank: Apprentice
4/8/2014 | 10:49:08 PM
re: Mobile RDC: Avoiding the Security Pitfalls
Great arcitle, Bryan and some excellent advise on how to mitigate the risks.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.