Anyone who ever received a check from me has access to my bank account number and my bank’s routing number. What prevents them from transferring money from my account without my knowledge? For example, there are many instances where I make a payment via ACH - tax payments, utility bill autopay, etc. All I do is enter my bank’s routing number and account number, no other verification. What prevents someone from paying their bills with my account information?
I ask because over the weekend someone made an unauthorized ACH withdrawal from my son’s checking ccount of just under $1k. This caused his account to become overdrawn. He is disputing the charge with the bank, who waived overdraft fees but said it could take ten business days to get it sorted out and the money back into his account.
No. Just like the OP said, I have paid the utility company online by entering in my routing number and account number. That is the ONLY information they needed to take money out of my account.
And that information is on every check you hand to someone.
Can confirm that all the information needed to authorize an ACH is contained on a check. Because I don’t know the answer to this question, I don’t write checks any more.
Basically nothing. It’s not a secure system and wasn’t ever really intended to be. It was designed to batch-process checks for clearing between banks, but opening the system up to merchants (both legitimate and unsavory) was a recipe for disaster.
If someone gets your routing and account numbers they can clean out your account and your only recourse is to open a fraud investigation which can take days or weeks to clear up.
That said, it’s amazing to me how infrequently ACH fraud occurs, compared to the system’s usage as a whole.
ACH is a formal network, in order to collect payments you must be a financial institution or business that is part of that network, and there are network rules about what authorization is required in order to collect a payment. It would be possible for someone to set up a company to join the ACH network with intent to fraudulently try to collect unauthorized payments. But it’s not something that someone could do casually or easily with just your account details - they would have to join the network.
And, incidentally, the information included on a check is all that you need to forge another paper check, of course. I think if you accept the idea that all someone needs is a piece of paper with your account details and a forged signature in order to extract money from your account, the ACH is certainly more secure than that.
It’s insecure from your end, but it’s similar to getting a credit card merchant number on the other end, I assume. To be authorized as a recipient for such transfers, you probably need some sort of accreditation - the gas company, the cable company, the finance branch of some major company, etc. I could imagine some gang taking over or hacking a smaller finance company or some such in order to suddenly one day transfer money like crazy into their account and then forward it to an account in the Bank of Nigeria or such.
however, we hope the banks’ fraud pattern detection systems trigger an unusual activity alert when this starts.
I spent time on a grand jury in New Jersey. One of the cases that we heard was of a business man who had someone withdrawing money from his bank account. His business used a courier to deliver payments to his vendors, and business checks were used to do that. One of the couriers ordered personal checks using the account number and routing number lifted from the business man’s checks. Then he used the checks to get money for himself. Usually it was paying a bill of his with a large overpayment. For instance pay a cable bill of $150 with a check for $1500. Then he would contact the cable company for a refund of the overpayment, which would be a check made out to him.
The business man contacted the police who did pretty much nothing about it. The business man had to do all of the investigating about what had happened.
Not surprised. Mrs Cad got an unsolicited check that she was to deposit then “mystery shop” at certain stores. I contacted
The city police for where the check was drawn from.
The city police where the return address was from (completely different state from above)
The FBI since it crossed state lines.
The USPS investigation service since it used the US mail.
And if you’re just doing mobile deposits (as I do), of course it doesn’t matter. I suppose I can take an old check from a client, photoshop it, and deposit it with whatever new amount I want on it.
Why? Generally, literally any object with the proper information can legally be a check, provided the object itself is not illegal, like say, a kilo of heroin (getting someone to accept it, however, is another matter).
Besides, there are any number of online check printing companies that will print you as many MICR ink checks as you want with any numbers you provide them.
I guess my “knowledge” is a bit out of date, then.
Though to DCinDC’s point, most check-printing places require a voided check when you order from them, so I figured that those used MICR to confirm authenticity as well. But maybe these days such things are no longer done.
Does anyone here actually have a banking account they could do what the OP is talking about? I have a bank account I can initiate ACH transfers from (Bank A). For any external bank account (Bank B) I want to transfer money to and from that account must be verified. Bank A will send two unknown small test deposits to Bank B (.23 and .38 for example). I need to sign onto my Bank B account and find out what those test deposits are, and then enter those numbers into my Bank A verification step.
I think banks are quite picky about who they will allow to do general ACH transfers (the type the OP is talking about)–insurance companies, utilities, governments…
A week ago, I’d never heard of “ACH”. For the last week I’ve been reading, chatting and e-mailing about it — all unrelated to this thread.
My monthly U.S. Social Security payment is deposited to my baht bank account in Thaiand. I guess this transfer uses ACH. Beginning July, these payments will cease; I’m supposed to open a new special bank account so SocSec can send me payments a new way. (Though it will probably take months for SocSec to get the new payments started, they didn’t inform me! :mad: . I read about it on the 'Net and they confirmed it after my e-mail query.)
In a separate matter, just last week I decided to transfer money to myself regularly using “ACH” to the New York branch of a Thailand bank (I think this is what SocSec was doing). While I wasted considerable time on the phone learning how to set this up, neither bank bothered to mention that this option would cease next month. (The simple alternative of wire via International Swift code would cost me several hundreds of dollars in annual fees.)
What gives? Is Bangkok Bank’s abandonment of “ACH” their response to the security problems mentioned in this thread? Or are they being kicked off because they are the security threat? Something else?
Generally, ACH fraud should be covered by your financial institution, assuming that you identified and alerted them of it within 90 days of occurring. Which is why it is important that individuals review their bank accounts regularly.
I am not talking about directly transferring money from one account to another. I am talking about a case where another person, intentionally or unintentionally, enters my account number and my bank’s routing number to perform an ACH transfer to a third party - like paying their credit card bill from my checking account. Yes, the transactions can be tracked down and reversed but I will have no access to my money until the resolution, possibly deal with a bunch of bounced checks, etc. - a real mess that I am stuck cleaning up.
I know you can’t always use a credit card for paying things, but this is the reason that, whenever possible, I pay with a credit card. If someone is going to steal/use my payment info, I’d much rather they maxed out my credit card than overdraw my bank account. At least with maxed out credit cards, I still have access to my money while things are getting sorted out.