Why are cheques so insecure?

Lets assume that they implement your your idea: there is an algorithm that generates a pseudorandom check numbering algorithm.

Your bank would have to use your account number, the routing number for the bank, and a salt to feed the algorithm. The check numbers would then have to be transmitted by the bank to the company that prints the blank checks.

You write a check and give it to somebody: this could be done in person, or by mail. The other person takes it to their bank. Their bank can't verify the information because they don't have the salt value. So they will put a hold on the value for a few days until the image of the check gets to your bank and they can verify that the check number is valid, and not been processed before.

If you give it to a grocery store they can't validate the check number without being able to exchange information with your bank.

Today with the current system the recipient, or the other persons bank, takes some risk if they assume the check is good. Your suggestion adds complexity but doesn't change the fact that there is always a delay between the handing over of the check and the verification.

Consumers want the delay to be small. Financial institutions want to know the check is good. That clash will still be there under your system, unless you can get all the systems to create a method to instantly verify the numbers on the check. Now if that existed you would be protected against a check that bounces....

Why has no such method been implemented?

Checks aren't always deposited/cashed in a timely fashion. Also, a single account can have multiple checkbooks, and therefore there's no requirement that they be used in strict order. Ordering is used to some extent by banks to catch fraud already, but I don't see how your proposed solution helps significantly.

While banks do try to limit check fraud (ABA reported 91% of check fraud was prevented in 2018), likely the cost of the fraud hasn't been significant enough to justify attempting to re-vamp a very old standard. There has been an up-tick in attempted check fraud as cards have become increasingly secure, so maybe it will become a higher priority.

Changing standards also likely involves regulatory changes, there's a lot of regulation around banking processes.

The easier approach that banks seem to have pursued is attempting to change customer behavior by encouraging card-use, embracing payment apps, offering bill-pay services, etc. Check-writing has declined very significantly in the past 20 years, so it may be a problem that isn't worth fixing. According to the 2019 Federal Reserve Payments Study:

Check payments accounted for 8.3 percent by number and 26.6 percent by value of core noncash payments in 2018, down from 58.8 percent by number and 67.4 percent by value in 2000.

This would allow the bank to check that a particular cheque number was issued to a particular account and had not previously been used

We already do this with sequential check numbers. An attacker with a check from an individual has no way of knowing how many more checks were written and cashed before they try to cash a fake.

Many attackers use real checks

There are plenty of ways to defraud banks of money with perfectly legitimate checks. Bouncing checks, Check Kiting, and Check Washing come to mind quickly.

Even a truly random number wouldn't stop these sorts of attacks because they all use a real, valid check, and either write it for money that isn't in the account or change details.

Many stores will no longer take checks because of the very real problem of people writing bad ones that won't cash at the end of the day because the individual's account is overdrawn. There is also a plethora of nearly free options like debit cards and credit cards.

Finally, banks may release small amounts of money immediately, but if you present them with a large check, they will place a hold until funds are transferred in a week. Check-cashing places will simply refuse to cash large checks. It's likely not that hard to make a fake check, but it's also a very serious felony.

With all the protections in place, you'd be stuck faking a large number of checks for small amounts of money. Each check is another chance to get caught. Cashing several checks in a short period is likely to raise suspicion. There are easier ways to defraud people.

Rather than using a completely random cheque number, it would be preferable for them to only use a few of them. E.g. have the cheques increment by 100, and use the last two digits for the verification code. Then, someone making up a cheque number would have a 1% probability of the right one (assuming nobody leaked the algorithm they used for checksum). This should be completely backwards compatible with the existing systems.

Answering this part of mhoran_psprep post:

Financial institutions want to know the check is good. That clash will still be there under your system, unless you can get all the systems to create a method to instantly verify the numbers on the check. Now if that existed you would be protected against a check that bounces....

it would be possible to use a system that also allowed third parties to verify that the cheque number is legit (by using a public key signature with ECC for example). It would however require its own block of digits (or letters) to include that.

Nonetheless, this would only ensure that there is a valid cheque with that number, not that it hasn't already be cashed, the amount/recipient wasn't altered, there was no deception involved for obtaining it, etc.

The reason is that using checks is a flawed payment system from a security point. Making minor changes in security would not make any real difference. You could compare with cash where as long as bills has been around they have been forged. The reason checks still are around is that they "safe enough", "reasonably convenient" and "well known in USA".

In large parts of the rest of the world, checks are more or less non-existent. In my home country, Sweden the change happened around 1993 if my memory serves me correctly. I worked in a bank office at the time and saw it happen. One of the banks started charging you about a dollar for each check, and very quickly all the other banks started doing the same. In about about a year, checks went from rather usual to basically non-existent. Of course, there were alternative methods for handling payments already in place at the time. Personally most of my recurring payments such as rent, utilities and mortgage, are through direct debit towards the account where I receive my salary. The company sends the bill electronically and unless I stop the payment it will be done on the correct date (it can easily be stopped through my internet bank). I pay daily costs, groceries and such, with a debit card. Other payments I do through my internet bank or directly from my mobile phone: a service just about everyone uses connects my phone number to my bank account and I can both send and receive payments up to about 1000 dollars that way. I have no bills or coins, have not been using it for many years.

The direction the world is going is towards non-paper payments using electronic interchanges and chip-based debit cards, so there is probably very little incentive to improve security for checks. There are of course problems with this direction, some examples:

• You need to exist in the "system" to be able to have an account
• As payments are traceable to a much larger extent privacy is a concern (and it also makes it more difficult to do illegal activities or avoid taxes)
• It sets a lot of requirements on electronic systems, internet and such.
• There is a cost for the seller to setup to receive payments, distinct from using cash. One effect has been that more and more sellers do not accept cash at all. This goes both for shops and when private selling.
• It does increase the marginal costs for doing a transaction. One more cash pay has very small extra costs, but each debit card transaction has a fixed cost for the shop. One effect has been that small shops now bundles their goods to cost at least 2 dollars or so (more or less 20 Swedish Krona). This probably drives both inflation and a change in the types of shops available.

Anyway, my five cents worth of thoughts.

Hold on. If you go to that question and read OP's comment to my answer, you'll see that this was a fraud by a house-sitter gaining physical access to their book of checks. (And that is why I use a PMB). So your proposal wouldn't have helped at all in that case.

Your idea removes "well-understood" and creates "opaque".

You're essentially talking about the check numbers being a one-time pad, which only the bank knows. So only the bank could attest to the validity of a particular paper check. (This also puts third party check printers right out of business, but nevermind that).

Well hold on. The bank already knows your check numbers. They know them because they cashed your last one, and can add +1. So can you. And most people who have any care with their paper checks, reorder checks so the numbers are sequential to the checks they already have - in fact third party check printers need to know which number to start at.

So if you just wrote 4361, the bank won't be surprised by 4362 or 4366 (as long as 4362-5 arrive soon after)... however if a "1003" shows up, it's pretty easy to automate the task of presenting an image of checks 4361 and 1003 to see if their handwriting and signatures reasonably match. If 100 of these instances happen a day, and an auditor can compare signatures in 2 seconds, then you're talking about 5 minutes of an auditor's time to screen the 100 cases and escalate the 3 faulty ones.

What your trick does is close one gap: where a fraudster knows your last check number and issues new cheques reasonably close in number. However, that was never that much of a gap: it's arguably a feature, not a bug.

• If the fraudster issues checks sequential to the known number, they'll collide with real checks the account holder has written. That's a lose-lose for the fraudster: even if the fraud check arrives first, it means the legitimate check bounces, and the payee alerts the account holder! Quick attention is the enemy of fraudsters, they need the transaction to go unnoticed for weeks so it can't be quickly reversed among the banks. That's especially true if they're using a "patsy" to receive the money.
• Any near-number check fraud has another fatal flaw: near checks are supposed to be similar in appearance. But the fraudster's won't be. Remember that Check21 means the banks are handling digital images of checks, so most of the comparison task can be automated.

I myself write few enough checks that I buy them from the bank 3 at a time. My bank knows which numbers they issued, and they certainly know the appearance of their own checks.

Regardless, presuming "always online" is always a mistake

I see many, many proposals to enhance financial security, and they all have the same thing in common: they presume an "always online" internet connection. And I think to myself, "Wow, this person lives in a big city."

Because you get into mountain country, or even just the wrong block in suburbia or exurbia, and forget about it.

I'm sure there'd be an inter-bank clearinghouse to confirm the validity of checks online. However, without solid internet at an acceptance location, it would not be viable for check acceptors to validate the check at time of sale.

Further, checks are extremely well-established in the law

The evidence chain is simple. There you are, holding the bounced check in your hand. Your local bank manager will attest to its being refused, and is ready to explain the complexities of the check clearinghouse system to a jury. Courts like paper. They especially like paper when it has longstanding conventions as to its meaning, to which many readily available neutral parties can attest.

In Check21 this may be paper that has been reprinted from a scan of original documents, but again, any bank manager will swear to the veracity of that system. And the check system has been tuned for centuries to make it easily defended in court.

That quells arguments about the paper's meaning and validity.

The evidence is clear enough that it wasn't hard to criminalize misdeeds with paper checks. The criminal justice system is pretty good at sending fraudsters to jail on check-fraud charges alone. This serves as a potent deterrent to check fraud; at least local check fraud.

Note that in the instant case (the one you link), the miscreant got caught. Easily.