
MyPayrollHR CEO Arrested, Admits to $70M Fraud - headalgorithm
https://krebsonsecurity.com/2019/09/mypayrollhr-ceo-arrested-admits-to-70m-fraud/
======
usaphp
From the article:

“... a person could open checking accounts at bank A and bank B, at first
depositing $500 into bank A and nothing in bank B. Then, they could write a
check for $10,000 with account A and deposit it into account B. Bank B
immediately credits the account, and in the time it might take for bank B to
clear the check (generally about three business days), the scammer writes a
$10,000 check with bank B, which gets deposited into bank A to cover the first
check. This could keep going, with someone writing checks between banks where
there’s no actual funds, yet the bank believes the money is real and continues
to credit the accounts.”

I still don't understand how is it possible for a bank to not see a balance on
another account right at the time they saw a check deposited? I mean it's not
like they have to call someone to get a paper records of an account balance,
it is all digital anyway, so why is there such a big delay?

~~~
braythwayt
As discussed in the OP, this is cheque kiting:"

[https://en.wikipedia.org/wiki/Check_kiting](https://en.wikipedia.org/wiki/Check_kiting)

It is a scheme that goes back literally centuries in commerce. I'm amazed that
I can hit send on an iMessage now and within seconds (or fractions of a
second!) somebody's phone gives out a "ping!," anywhere in the world, yet
cheque kiting hasn't been eliminated in 2019.

\---

(I am speaking rhetorically. Yes, I understand about legacy systems and legacy
processes. I'm not surprised that it works with what we have running today,
I'm surprised that it hasn't been fixed in the 40-odd years that I've been old
enough to have a bank account.)

~~~
zelon88
Because nobody profits off the time/value of money nearly as much as the banks
do.

If transactions were "instant" the bank wouldn't be able to kite your money.

There really is no reason transactions need to take as long as they do other
than that money disappears from one account and re-appears two days later in
another account. In the meantime those funds are still a part of the bank's
bottom line. It's not technically yours, and it's not technically the other
account holders.... but the bank still possesses it. And the amount of money
the bank has "floating" around probably coincidentally lines up pretty closely
with a sum of money the bank has invested in high-risk investments.

Banks are essentially legal "Kiting centers" where they get to kite everyone
elses money because it's federally insured anyway.

~~~
vanderZwan
> _There really is no reason transactions need to take as long as they do
> other than that money disappears from one account and re-appears two days
> later in another account._

Well, that and legacy systems that run batch jobs in COBOL at midnight to do
the bank-to-bank transfers:

> _Roughly 80% of their systems are batch jobs. These are jobs that runs at a
> certain time or interval, doing some processing on their data or sends data
> to other banks /agencies/etc. For example when I buy a can of Coke, the
> money is withdrawn from my account balance, however the money is not
> actually transferred anywhere until one of their batch jobs does so. These
> jobs are usually executed during the night, which is usually why it takes a
> day before transactions between banks are completed. Transactions to the
> same bank are usually instant because it executes immediately._

[https://hackerfall.com/story/interviewing-my-mother-a-
mainfr...](https://hackerfall.com/story/interviewing-my-mother-a-mainframe-
cobol-programme)

Also, that interview convinced me that the busfactor of _the entire Swedish
economy_ is a handful of old Cobol programmers.

~~~
Chyzwar
These batch jobs are not necessary COBOL. It can be anything from modern
Python, Scala, Java to more esoteric choices like Smalltalk, K and bash. I
know because I worked in large investment bank writing Smalltalk for risk
management.

Banks need to follow regulatory regime. Batch jobs are very convenient, they
usually produce flat files that can archived, easy readable by humans and can
be consumed in downstream systems regardless of programming languages. My
biggest beef with CSV format is multiple specification and poor tooling.

Transaction can completed instantly but risk, reporting, regulatory and
reconciliation would be performed later as batch job.

~~~
vanderZwan
Thanks for sharing!

Given its debugging capabilities Smalltalk sounds like it could be a
surprisingly sane option for banks actually, all things considered. Was it
like that in real life too?

~~~
Chyzwar
Smalltalk is amazing to work with, shame it did not get wider adoption.

------
Keverw
I feel bad for those people who Paychecks got stolen, I wonder if they'll end
up getting that back or did already since it mentioned "briefly pull"...
People who work paycheck to paycheck probably struggles the most and then
overdraft fees, stress, couples often fight over money, etc... So pretty
shameful if you are working hard, and stuff like this happens. You feel like
you are doing everything right and things still go wrong.

Even if they did put it back, still overdraft fees during that time if someone
had a check cashed or automatic payment sent due to those funds being removed.

I don't know why anyone would think they could get away with a fraud this
large. I just think this stuff highlights how outdated the banking system is.

I've always hated the idea of checks, I rather the money be gone right away
then keeping track of it... Since checks still show on your balance even if
not cashed yet. Then checks have your entire account number people could
misuse. I have never wrote a check in my life though, but I know my family
does for bills but I know more and more places have online bill pay... They
trust mailing their entire account info than doing it online.

However I feel both banking and the whole social security number thing needs
to be rethought. it's insane you use the same number for everything and you
pass it around to employers, contracting jobs freelancing or affiliate
programs that pay commissions, credit cards, cable company, satellite tv, cell
phone, doctors, dentists, etc. Well I know for doctors and stuff they say you
can refuse to give it, but pretty sure they'll give you a hassle for
exercising your rights. I know a while back there was some dentist storing
patient information in a unsecured FTP account.

~~~
jamesb93
It's pretty mental that the US still uses cheques for paying employees. I'm 26
and have never been given a cheque and all payments have been electronic.

~~~
orky56
We have a small business and print checks manually for employees. With 50+
employees and majority of them working less than 10 hours per pay period, the
per employee cost to use a direct deposit/payroll service is cost prohibitive.
With our employees being typically over 40, it's been rare to even have
someone request direct deposit. Just thought I'd share a different perspective
than the typical HN crowd.

~~~
sidlls
Direct deposit has been a thing for literally decades. Someone over 40 has
likely had direct deposit as an option their entire working life.

~~~
ghaff
Yeah. I've worked for many thousand person employers down to those with less
than 10. I haven't had physical payroll checks to deposit since at least the
mid-eighties. (Probably longer but I just don't remember.) Probably took
longer for all expense etc. checks to go direct though as they're often
through a different system.

------
HenryBemis
1) this guy will spend many years in prison

> That action caused so much uproar from affected companies and their
> employees that Cachet ultimately decided to cancel all of those reversals
> and absorb that $26 million hit, which it is now trying to recover through
> the courts.

2) Cachet is as useless bank ran by useless apes that don't know the basics
about banking, their internal audit must be a bunch of untrained monkeys. I
have investigated financial frauds for quite a while, and removing the funds
from the employees, is the best way to make them walk out and never come back.
This story has so many holes, a $20m+ was diverted from a corporate account to
a personal account and systems didn't go off???

I see on Catcher's website: "The World's Most Convenient ACH Payroll
Processing Services" yups, well played Cachet!! Key word there is "convenient"
which always makes me run to the opposite direction when it comes to financial
services and security. That website needs a "military grade security" to be
complete!

Edit: I know my sarcasm is all the way to 11 but this story has has so many
control points broken (or worse non-existent) for all these to happen, that I
am getting a headache just by thinking of this story.

------
certmd
Matt Levine's take from a few days ago. As usual, humorous and insightful.

[https://www.bloomberg.com/opinion/articles/2019-09-24/don-t-...](https://www.bloomberg.com/opinion/articles/2019-09-24/don-
t-steal-the-payrolls)

~~~
braythwayt
Is there a non-paywall way to read this?

~~~
SpikedCola
[https://pastebin.com/xeUmgmkR](https://pastebin.com/xeUmgmkR)

~~~
braythwayt
Thank you!

------
daenz
>Check-kiting is the illegal act of writing a check from a bank account
without sufficient funds and depositing it into another bank account, explains
MagnifyMoney.com. “Then, you withdraw the money from that second account
before the original check has been cleared.”

Can someone explain why banks don't have systems in place to detect this kind
of fraud? It seems like even the most minimal communication between banks
would help detect it.

~~~
noir_lord
Because in some parts of the world banking is a historical pile of hacks on
hacks on hacks held together with bailing wire and twine.

Also banking is a hugely complex problem involving two of the hardest things
to deal with, money and people.

It's particularly the case where you have a lot of small banks geographically
spread out running a variety of legacy systems all of which talk to each other
in weird and whacky ways.

I'm surprised kiting still works though.

~~~
nunja
It would be amazing if someone could come with a useful technology that solves
this particular set of problems. Something like a public distributed ledger
where all transactions are validated by a majority of actors in a trustless
system ... oh wait.

~~~
xeromal
If the world used that system, we'd run out of electricity

~~~
madrix999
And probably ruin the planet in under 10 years if everyone got on the mining
craze

~~~
xeromal
Yeah, I can't even imagine. haha.

------
braythwayt
Sidebar:

As a long-time Raymond Smullyan fan, I was delighted to read the different
article about Ghosn and Nissan and undisclosed compensation.

Matt raised a Smullyan-esque question:

If the act of prosecuting Ghosn meant that the undisclosed compensation would
no longer be paid, does that mean that prosecuting the crime prevents the
crime from occurring?

I suppose the rational answer is that the crime is in the conspiracy to
attempt to do the thing, not the successful carrying out of the thing, but
still, it is amusing to imagine a crime that is only a crime if it isn't
revealed to be a crime.

------
tempsy
$200k bail seems low for the crime. He tried to disappear - why offer bail?

~~~
throwaway_law
You are generally entitled to bond, unless there you are: a) a danger to the
community; or b) a flight risk.

Obviously, if he tried to "disappear" previously you could argue that, but now
his passport has been confiscated. And usually the higher profile you are the
easier it is to argue you aren't a flight risk.

~~~
pbhjpbhj
Because someone perpetrating massive frauds, or whatever, couldn't buy a fake
passport and hire a private plane to a non-extradition territory?? /s

If there's any indication a perp might fly then you should keep them inside,
passport or no.

~~~
throwaway_law
>If there's any indication a perp might fly then you should keep them inside,
passport or no.

I'll stick with the case law. The Court looked at the risk of flight here with
all the evidence (which is more than you or I can say) and determined he is
not a significant flight risk, I'll side over your gut feeling since he
fraudulently took money, he can get a fake passport (1 has nothing to do with
the other).

It can easily be argued any criminal defendant "might fly", so essentially
under your proposed standard no defendant would be entitled to bond (you
wouldn't be the first to argue such a thing). Innocent until proven guilty and
all that jazz. And yes even with a confession you are still innocent until
adjudicated/convicted, its not like police don't have a history of obtaining
false confessions or making confessions up out of whole cloth (I know, that's
not applicable here).

As I said the higher profile you are/the case is, the more difficult it is to
abscond anyway. If he gets a fake passport (which is unsupported by any facts)
and is caught, his bond is revoked. Also he likely has a GPS tracker as a
condition of bond, so if he violates his travel restrictions/curfew
restrictions, his bond is revoked. Not to mention, the people involved in fake
passports are not generally going to supply a guy in the middle of a high
profile criminal case involving the FBI, who is out on bond with a GPS
tracker. Then even if he gets a fake passport, good luck buying a plane ticket
or going to an airport.

~~~
pbhjpbhj
I was clearly being loose in my post, I'm sure you're more than capable of
reading the jist in a manner consistent with legal orthodoxy.

Do you think passport forgers only supply to law abiding citizens who don't
have lots of money and want to flee a country?

You say people held over on a bond following confession "are innocent" [here's
me thinking it was 'considered innocent before the law', otherwise there would
never be any sound convictions].

If you think a GPS tracker is any limitation to someone who can afford to
leave the country then you've a serious lack of imagination.

OT: I liked the "gut feeling" bit where you attempted to disparage my position
with an appeal to emotions whilst simultaneously presenting your own position
with no more factual backing, and IMO a good deal less believability.

------
senderista
Now that's what I call disrupting the payroll industry!

------
dmix
I'm trying to make sense of the scheme here, I understand he used the money to
fake business income to make loans. But what was the end game?

I'm guessing he thought he'd make enough money off the loans by "buying
businesses" that he could pay back the millions he was borrowing?

Or did he just hope to Ponzi the various loans for as long as possible? The
next bigger one pays off the last one type of thing.

~~~
braythwayt
You used the magic word, "Ponzi:"

[https://en.wikipedia.org/wiki/Charles_Ponzi](https://en.wikipedia.org/wiki/Charles_Ponzi)

Not only did Ponzi bring this scheme (which is far older than him) to the
public's attention, but he also "got in over his head." He wound up running
the scheme far longer than he wanted or needed, for the (correctly divined)
fear of it suddenly collapsing.

A similar thing happened with Bernie Madoff, if his account is given credence:

[https://en.wikipedia.org/wiki/Bernard_Madoff](https://en.wikipedia.org/wiki/Bernard_Madoff)

------
lovehashbrowns
I read this article, the previous one, and this blog post that explains ACH:
[https://engineering.gusto.com/how-ach-works-a-developer-
pers...](https://engineering.gusto.com/how-ach-works-a-developer-perspective-
part-1/)

This is such a fun and interesting rabbit hole. And now I get how the whole
thing worked from a computing perspective. I'm now just confused as to why the
scam broke down the way it did. From my understanding, it seems that Pioneer
was going to freeze his account (and they did). So in order to fix that issue,
he temporarily diverted funds to his Pioneer account, settle debts(?), and
continue trying to get money to cover the money he now owed to Cachet. But
that doesn't make sense, does it? Because this fraud was going to be detected
instantly (most likely) or ~3 days later. But that is nowhere near enough time
to settle debts with Pioneer and get enough money to cover the Cachet debt.

It seems to me like it was an extremely long Hail Mary that was likely never
ever going to be successful.

------
senderista
I just don't get why businesses are so afraid of outsourcing critical business
functions like payroll to a random startup.

------
gregmac
Earlier discussion about the $35M fraud from a couple weeks ago:
[https://news.ycombinator.com/item?id=20941039](https://news.ycombinator.com/item?id=20941039)

------
gravitas
Question after reading comments here on how check-kiting works, does the
promise of Zelle combat this technique? or is it just a fancy digital wrapper
around ACH and is still vulnerable to check-kiting as a concept?

~~~
kevin_thibedeau
Zelle uses ACH, though their faster front end process may combat kiting. Other
banks are moving to RTP which will not use ACH for the actual money transfer.

~~~
altmind
You sure? There is more than one way to clear funds between banks. I remember
banks using Fedwire between each other.

------
pstuart
I'm surprised he got away with it for as long as he did.

------
crb002
+1 for surety bail bond. "Cash Only" bonds are a racket for bail bondsmen.

~~~
rwmurrayVT
I got railed. The postal inspectors stated in court that they wanted me
released the day of my arrest. The judge still gave me $50k bail. Keep in mind
I was 24 years old and made $55k annually with a net worth of about... $25k
and most of that being in my personal vehicle.

What they also don't tell you is how difficult it is to find a federal bail
bondsmen. I called every where in the Hampton Roads area to no avail. I ended
up being rescued by one from several hours away. $9,500.... never to be seen
again.

~~~
Consultant32452
Would you mind helping me understand this better?

My understanding is that bond from a bail bondsman works kind of like a loan.
The bail bondsman puts up the money ($50k in this case) and if you show up to
court he gets his $50k back. This works kind of like a loan between you and
the bondsman, I would expect you to pay some amount on the total, something
akin to extremely high risk loan interest, but $9,500 is almost a quarter. Is
that a standard rate for a bond?

~~~
benjohnson
The fee or 'premium' for most bonds in various jurisdictions in the USA is
typically between 10% to 15% of the bond value. His while his fee of $9,500 is
slightly higher than most, it's not a surprise.

~~~
dbancajas
wow. how can I be one? seems very lucrative.

~~~
vonmoltke
It's lucrative as long as your clients actually show up to court. If they
don't, you (or someone you hire) is running around trying to drag their ass in
so you get your money back from the court.

~~~
dbancajas
time for some data mining then. but that 10% return is probably 5% for 50%
good behavior of criminals?

~~~
Consultant32452
No. Let's use the $50k bail example. If the guy returns, you are up 19%. If he
disappears you're -100%. It will take you 5 more good behaviors just to get
back to zero. So you need less than 1/6 fleeing to make any profit at all.

~~~
vonmoltke
Your numbers are off, though your point still remains. If the client jumps
bond you lose $50k, but you got $9.5k from it for a net of -$40.5k or an 81%
loss. It would thus take ~4 good bonds to cancel that one out.

~~~
Consultant32452
Good catch

------
rags2riches
I remember seeing my mother writing a check once. It must have been in the
late eighties. I'm quite confident that nobody I know of my age has ever
written check. That check floating is still a thing is quite amazing to
consider.

~~~
whyaduck
I saw someone write a check at a supermarket just a couple of weeks ago. I
think it's the first time I've seen a checkbook in the wild in 5 or 10 years.

~~~
lanstin
My landlord four years ago set things up so that the cheapest and lowest-
latency way to pay rent was to walk to his bank and deposit a check into his
account. Kind of weird. Sometimes I have weird professional things I pay for
that need checks (tax attorney, and some real estate stuff). Fortunately, my
credit union will print 3 checks if I walk by and ask nicely. And they have
Saturday hours.

~~~
mruts
I’ve always payed rent in cash. Landlords seem to like it more than checks.

