When I use an e-check to pay for something online (say my local taxes), all I need is my routing number, account number, and my name. All of that is available on the physical check, too.
What stops someone who I’ve paid with a physical check from using the information on the check from draining my account using an e-check?
I ask because someone who I do business with is going to wire money into my account and will be calling for that information this morning.
Absolutely nothing. But that’s no different than a regular check. If I have access to your routing and account number, I can drain your account with a paper check as well. My business got hit by that. We had some checks stolen out of the mail which they harvested the information from. To be clear, they did NOT wash the checks, they made their own checks, probably just from a home printer, made them out thousands of dollars and then used a mobile app to deposit them and withdraw the money.
But this isn’t all that different than if I get ahold of your credit card information. The two big differences, and why I use a credit card instead of a debit card are 1)if someone else uses it, it’s a lot easier to recover your money from credit card than a debit card. The money spent on a credit card will be returned to you as soon as you report it and with practically no questions asked. With the debit card, it’s going to be lots of questions asked, paper work to be filled out, they may require a police report and it’s make take weeks or possibly months to recover your money. And, 2) I’d much rather someone maxed out one of my credit cards than drained my bank account. At least with a maxed out credit card, I still have my actual money. I can still pay my other bills.
If you’re uncomfortable and they’re willing, see if you can get them to use Paypal or Zelle.
Also, and I’m not saying that’s the case here, in fact I’m assuming it isn’t, but you’re right to keep it in mind. Think about how many scams are based around the premise of ‘I have some money to give you, give me your banking info so I can transfer it to you’.
All that’s true.
But as a practical matter, the amount of fraud from legit businesses or government agencies draining checking accounts is negligible.
You’ve been at risk of this since you got your first checking account 50 years ago. The fact you’re just now noticing this risk 50 years later says how much you should worry: none.
Are any consumer groups in the US campaigning for something like PayID like we have had in Australia since 2018?
It allows you to link your bank accounts to phone numbers and email addresses for incoming payments. So you only have to tell someone one or the other and they can instantly deposit to your account without knowing any of your account details. I probably use it over 100 times a year. It is pretty standard when we go out in a group that one person goes to the counter and pays and the rest of the group just PayID their share to the payer.
If I were to set up a new betting account nowadays they would generate a PayID email address linked to that account so that I could deposit directly into it. That way they get none of my banking information. Not even a credit card number.
AIUI (and I have some experience with this, having been dubbed “Fraud Czar” in my last (e-commerce) role), while the data certainly facilitates attempted fraud/theft, since it’s a really well known issue, banks are highly likely to factor it in when they devise their fraud protection departments, policies, procedures, and algorithms.
Meaning: it is a vulnerability. It is not simply a Wide Open Front Door to your house, and there are generally protective/preventive measures in place designed to reduce the likelihood of success and impose a risk of consequences to those making the attempt.
Go back 50 years and steal my checking account and routing number…what are you going to do with them? You can’t print your own fake checks*, you can’t use them ‘online’. About the only way I can think of is to have actual checks made with that info. If we go back to the 70s/80s, was there anything you could do with just the numbers? I’m not saying this didn’t happen, but I can’t imagine it was nearly as rampant as it is today. We’re at the point were many people, myself included, no longer put checks into mailboxes, instead walking them into the post office or handing them directly the letter carrier. It’s common enough these days that, as I mentioned, it happened to my business, but it happened again after we changed our account info.
*As I’m thinking about it, I’m guessing the only way to use that stolen info 50 years ago is to print your own fake checks. But I’m guessing that’s not something the random person will know how to do. Without a computer, this would probably mean some back and forth with a scissors, a typewriter and a photocopier, but I really don’t know.
While not automatically part of a bank account, things like Zelle or Paypal and a few others allow you to do just that. But it would also be nice if banks would have two account numbers. One that worked like your current account number and another that can only be used for depositing money. That way you can give that out to anyone and it can’t be used to steal your money.
Or, along those lines, if their systems could generate a ‘token’ that created a complex, unique, one-time use ‘password,’ a la…
Thanks, everyone. I was hoping that banks would have some way of stopping any rando from being able to use e-checks, some kind of verification network or something. They must be able to detect this kind of fraud, though, because otherwise it would be rampant.
None of this makes sense to me. It has never been the case that you only write checks to people you trust – people used to write checks to the grocery store, and hand them over to a random checkout person. Harvesting those numbers would seem like a piece of cake.
I don’t pay many bills (my wife does most of that), so I don’t use many e-checks, so this never occurred to me until she told me I’m getting this call today. Fifty years ago, my Epson dot matrix printer wouldn’t be able to churn out a convincing check.
I love the idea of a deposit-only account number.
ETA: I guess the FQ answer is, nothing stops that, except bank fraud departments.
My bank (and AFAIK other UK banks) use two-step security for withdrawals or sending money out of your account. To pay in, all that’s needed is the bank sort code and a/c number. To move money around or out, you’re sent a one-time code to whatever back-up contact details you’ve separately given the bank. Somebody else would have to have access to those contact details in order to get money out.
What’s really nonsensical is that people worry about electronic banking being insecure, because it can be “hacked”, when electronic banking really can actually be made secure, but the conventional banking system has huge glaring security holes like this in it.
Yeah, we don’t have that here in the States.
These ‚e-checks‘ seem to work the way direct debit has worked for decades in Europe - the system now works within the whole Single Euro Payments Area - Wikipedia .
I just have to enter my International Bank Account Number - Wikipedia and tell the merchant, municipality etc. that they debit the agreed sum.
That works both for one-off payments and for periodical payments (which can vary in amount). I have permanent debit authorisations for at least the Volkshochschule, for the city tax office (property tax), for the state tax office (income tax), my party, the condo administrator, various associations, my gym, various utilities, the railway, the local newspaper, etc. etc. - they help themselves to my money as appropriate.
I can reverse the charge within 8 weeks for debits that I did authorise, and within 13 months for debits that I did not authorise. (If the other party is overdrawn or has fled it’s their bank ‘s risk). So the only way I can lose money would be if I did not review my bank account line items regularly (i.e. be dead or in a coma)
Virtually every business, government or organization letterhead in Germany has bank account information, usually in the footer. Even for letters that are not invoices - people need to easily access information on where to transfer money.
There does not seem a noticeable fraud risk associated with that system, which is similar to the ‘e-check’ in the OP.
What we have is PositivePay. The bank I mentioned upthread, that someone drained with fake checks, wanted me to use that, and for a fee. It was part of the reason I left them. IMO, I shouldn’t have to pay money to stop the bank from giving away my money to people that present fake checks. That’s a protection racket.
In any case, when we moved to a new bank, they also pushed Positive Pay. The idea is that every time you write a check, you give the bank the information. If a check is presented to them that you haven’t told them to expect, it gets bounced.
Related to the topic, here’s a very recent (gift) article from the New York Times warning about mailing paper checks. I agree with the OP; I wish they would have also discussed the problems with E-checks.
We have the same in Canada through Interac, which is owned by a consortium of banks. All I need is someone’s mobile number or email. They can either choose a manual process and deposit it into any account they control or register for auto deposit which automatically directs any receipts to a preferred account.
The person in that article whose check was stolen after she mailed it didn’t bother to check if it cleared for months. One lesson is to follow up, always.
unfortunately, the USPS isn’t reliable now, with carriers themselves stealing mail, selling mailbox keys, and sorting locations also nabbing mail; there’s also issue of PO not delivering mail at all
She did confirm it had cleared. She didn’t, however, look to see who cashed it. (the payee was altered)
Good points. My Dad started writing checks around 1946 or so, and kept doing so until his death in the mid 1990s. Never an issue. Now, for paper checks- if the check is not signed by you- it is invalid, and you can get your money back. I am not sure about e-checks, but here-