IP: May I see your license (not that that does much good) from

[David Farber <farber () cis upenn edu>]

Date: Fri, 01 Aug 97 19:54:00 P
From: Jim Horning <horning () intertrust com>
Subject: Clean Sweep wasn't quite soon enough


There's another use for those forged driver's licenses.  This seems to be   
not so much a computer-related risk, as a risk that could have been   
ameliorated with a little more intelligent application of computers:


I am in the process of getting my checking world back in order after a
Southern California ring made off with a total of about $7,000 in cash from
my account one day last week.


* The ring is well-organized and efficient.  My branch manager in Palo Alto
says that there are already three other customers of her branch that she's
currently working with -- creating new accounts, getting new checks,
recovering missing funds, etc., etc., etc.  One customer's account was hit
for $12,000.


* All they need is your name and checking account number (everyone who
handles any check you write has this information).  They then forge a "good
quality" California driver's license, with your name and their picture, to
use as ID for over-the-counter bank transactions.


* They know the bank's fraud prevention procedures and thresholds.  They
"deposited" four bad checks, taking most of the amount in cash, but each
check was just under $1,000.00.  They hit multiple branches, all in Southern
California.  They also made two cash withdrawals.


* The amount they can take is not limited by the balance in your account:


  - If you have overdraft protection, they can go to the limit on that
    (e.g., the limit on your Visa account).
  - When they deposit a check with "cash back," they take the amount
    of the phony check, not the amount left in your account.
  - Checks and over-the-counter transactions are processed overnight,
     not online, so by working a number of different branches, they can
     take multiples of your account.


* There doesn't seem to be any reasonable way (at Wells Fargo Bank) to limit
over-the-counter cash withdrawals from an account (unlike ATM withdrawals).


* The best protective measure seems to be to monitor your account frequently
(via the Web, telephone banking, Quicken online, or whatever) and
IMMEDIATELY report anything suspicious.


* Everyone at Wells Fargo has been very nice and helpful, but it's a real
nuisance to deal with this.  To their credit, their Loss Prevention unit
spotted the anomalies and notified me in less than a week -- well before I
would have received my statement.  I'll get all my money back, but no
reimbursement for the time I'm spending.


Jim H.


  [Added note from Jim:]


There is one defense against over-the-counter raids, but it's pretty
drastic.  It's what they did to my old account as soon as they recognized
"unusual activity": Flag the account so that all over-the-counter cash
transactions require approval by a specific person in the Loss Prevention
unit.  This includes third parties, like our cleaning lady, who was unable
to cash our $60 check, because she wanted cash -- a deposit to an account
would have gone through.


* I would have thought that one could restrict an account so that cash
withdrawals were limited for over-the-counter as well as ATM transactions,
but, no, the computer isn't programmed for that.


* I would have thought that, by now, over-the-counter cash withdrawals were
totalled bankwide, not just per branch, in real time, but no, screening for
unusual activity apparently happens overnight.  [The ring apparently knows
this: There has been no further attempted fraudulent activity since the one
day.]


* I would have thought that a $2,100 cash withdrawal (the largest single
transaction) would require more ID than a California driver's license, but
apparently not.


On the bright side, my money (including my July payroll deposit) has
supposedly just been transferred to my new account.  Of course, there's no
easy way to test this, since my online banking access has been shut down to
prevent fraud...


Jim H.