This credit card bill paying system seems almost too easy to scam. What am I missing?

I’m casually rooting through the bills this evening, and I see there is a credit card bill I mis-placed under some other paid bills, and that it is due tomorrow 10/13/2003. Beyond the “Oh crap” moment and a 30 or 40 penalty looming, I call the service number to see about a phone payment or extension and among the automatic operations the voice menu offers to me is electronic check payment. Hmm… OK.

I call and walk though the automatic options. All it wants is my credit card #, my credit card security code # on the back, and the routing # and account # of my checking account on the bottom of the check. I enter all these, and bang I’m done! The amount has been deducted from my checking account and I’m good to go.

Now this is all nice and convenient and saved me the hassle of begging for a short extension, but it occured to me that using this method I could deduct money from practically any valid checking account if I have the account and routing #'s which are on of the bottom of almost all checks, and unless someone was checking their account statement carefully I could reach into almost any one’s checking account by doing this until they caught on. The card company didn’t have my checking account on file. They only wanted a checking account # and a routing #.

This seems almost too easy and I am obviously missing some security element. What prevents thieves from doing this on a regular basis using other peoples personal checks they have been paid with?

They probably use Equifax or a similar checking account verification system to be sure that the name on the checking account matches the name on your credit card account.

Good guess, Q.E.D., but that would probably fail if one item had “John Williams” as the name and the other had “John D. Williams.” An awful lot of people use similar name spellings or worse with no intent to defraud.

And I have one bank account that has three names on it. How would that qualify for a match with only one of them? Logical OR?

If the software used fuzzy logic to catch those near-matches, it might catch too many false positives.

One possibility – if you have ever paid the same a/c with a check before, the numbers on that check could have been saved and linked to your name. Then a request to use the same bank a/c again would be reasonable.

I’d like to hear from someone in the biz.

Equifax can also verify addresses, I believe.

I’ll post a guess…

Since it is YOUR credit card that you are paying, if you use someone else’s checking account, it will be quite easy to determine who committed this crime.

I suppose you could use a friend/relative’s account if you knew that person doesn’t pay much attention to his/her account.

It’s still risky, though. Big paper (electron) trail.

No doubt. But often two addresses for the same person are not spelled the same, either (St or St. or Street). I know from writing matching software with and without fuzziness that nothing computerized is that perfect. Loosen the match % and you let too many wrong ones through; tighten it and too many are rejected. Neither sounds like a tolerable result when people’s bank accounts are in jeopardy.

I’ll take “steal my money” for $1000, Alex.

Well, you’re assuming that the person won’t notice the payment. What if they do? It’s pretty easy for them to have you arrested. You used their account illegally to pay your credit card, and the credit card company can give the police your name and address. So, it’s risky.

I imagine a lot of fraud does get committed this way. You probably don’t realize it, but most of the home shopping channels now offer a “pay with your check like a credit card” option. This means you call them up, give them your check info, and they take the money out of your account.

I think the reason we don’t hear about this kind of check fraud as much as we hear about credit card fraud, is because most people who get hold of a valid checking account number in order to commit fraud just use their computer to print up fake checks. Then they can write the checks for whatever they want, and have much less risk of being caught. Anyone using someone else’s check number online or for something like your example leaves a trail.

I don’t quite get how you could get away with it, when it is so easily traceable back to you.

Well for a thief seeking to extend the useful life of a fraudulently obtained credit card, it would allow them to keep the card current and paid so they could keep using it to purchase salable mechandise that could be converted to cash. Depending on how diligently a targeted person checked their checking account statement, they might be able to pull hundreds to thousands of dollars out of someone’s account like this before the fraud was exposed and they had to drop the card entirely.

It was just too easy. There just has to be some other level of safeguard. Possibly what QED suggested.

Bad Guy opens bank account with fraudulent ID. Bad Guy gets money transferred to account somehow, or possibly overdraws it. Bad Guy cashes out and disappears.

B.G. don’t care what the MFers trace, he be gone.

You don’t think this happens?

I have an MBNA Bank Mastercard, and they have a nice online billing system. That’s how I pay my bills now - just online, using the same info that the OP’s company asked for.

In the past, when a friend owed me money, I went in a changed the account info to his banking account and set up the auto charge. I’ve done it several times and not once has a red flag been raised.

Kinda spooky that it works that way, really, considering all the info you need is written right on your checks.

I guess this is a good argument for keeping an eye on your statements and keeping your checkbook balanced to the penny.

Scary. Did you have his permission, or at least tell him? Or did he not notice it on the statement? It would seem like theft without his OK in advance.

Robert X. Cringely in last week’s column and 2 of the previous 3 has been ranting about how easy draining people’s bank accounts is. (He’s a recent identity theft victim.) It really is quite easy.

Unless we all start complaining loudly, nothing’s going to change.

You rang?

Banks do monitor payments for fraud. If a fraud person made a payment on an account (and they do, in some cases), it takes a second to match up previous payment information (routing and account number) to the new payment. A hold can be placed on the account to verify the payment. Some banks have this built into the security system - a payment from a new bank and/or an out of pattern payment will be held pending verification. Other banks will queue the account for a security representative to review.

Thanks for checking in, hardygrrl, just the voice we need. But what is a “fraud person”? Would I know one if I met one?

I can see how verification can be done if need be, but it looks like, at least in ZipperJJ’s case, nothing flagged the account as worth looking into. Do you just wait for a complaint?

If every transaction like this has to manually pass by a security officer for review, that’s gotta be one busy guy. Does the system just flag the ones that don’t have perfect matches and look suspicious?

Fraud perps can be your neighbors, co-workers, family members…like we tell the customers, the bad people don’t always have horns.


Speaking for one bank, most auto payments will go right through - unless it is out of pattern for the account. For example, customer has a $5000 credit line and always pays $100 from Otter Bank. The payments from Otter Bank will be automatically applied. If a payment comes through for $7500 from Manatee Bank, that will most likely get held - out of pattern for the account as well as creating a credit balance/attempting to increase the credit line without going through a credit check. The mismatch of ABA numbers and the dollar amount will queue the account for review.

Also, the system does register the number you are calling from. Since Astro was calling from the home phone AFAIK, the system required less verification. If he had called from an alternate phone, he would have been asked for more information, such as last four digits of his social security number.

People make payments for other people all the time - spouses, relatives, friends, etc. It’s a balance between not inconveneincing those customers who are trying to help someone out and not letting fraud people - in cases of identity theft, the perp may make a payment to make the account look legitimate - abuse the system.

Oh, totally :slight_smile: He was in the room with me when I did it.

Obviously - how else could you have held the gun to his head? :smiley:

I asked a question similar to this a while ago. The concensus of that thread was that the banks absorb the risk and spread it over their customers by way of fees/insurance. As **hardygrrl[b/] said the large and obvious transactions are monitored.

On a slightly different tack, what is to stop someone giving their credit card to someone else to use and then taking a few days to report it missing/stolen?