You have to have a bank account these days. Without a bank account of some form it’s almost impossible to participate fully in our economy. You can’t buy anything which costs more than what you have in cash, be it a house, a car or even a mattress. You can’t borrow money from an institution. You find yourself constantly paying through the nose for things like check-cashing fees, a predatory practice which most Americans are privileged never to encounter. And you certainly can’t write checks of your own.
It turns out, however, that you probably shouldn’t write checks of your own – even if you have a checking account. The organization in charge of processing check payments says so explicitly: “stop using paper checks,” they wrote, in a statement to Fusion.
Why would they say such a thing? Well, having a bank account does come with its own set of problems. As Sarah Jeong painfully discovered a few weeks ago, bank accounts simply aren’t set up for how we live today – which is to say, online – and can easily be compromised so that our hard-earned dollars wind up going to pay someone else’s expenses. One morning, Jeong woke up to discover that her bank account had been emptied by someone named Michael who had used it to pay off various credit cards online. Jeong’s bank told her that Michael had been able to do this because he had her bank account number and routing number. Writes Jeong in Motherboard:
I cannot count the number of times I’ve freely given out my routing and account numbers—in emails, in webforms, in paperwork. This is because it’s necessary for other people to know my routing number and account number in order for them to send me money. But apparently, with that same information, they can also snatch money straight from my account. What kind of insane system is this?
There’s two factor authentication, there’s one factor authentication, and then there’s this, which I think I can call zero factor authentication.
Is Jeong really right? Can anybody, anywhere, just spirit money out of your bank account, armed with nothing more than the information on the front of every check you write?
I was skeptical. But it turns out that she’s right. They can.
A few weeks ago, in a fit of severely misplaced confidence in the security of the American banking system, I dropped my bank account number and routing number into the Fusion Slack. That’s not exactly top-secret information – it’s on every check I’ve ever written, not to mention countless invoices and other forms. How dangerous could it be? And then my colleague Kashmir decided to see for herself. She logged on to her American Express account, clicked on “pay my bill”, and told Amex to just withdraw the funds from my account.
Which they did.
At no point did Amex or anybody else ask or seek my permission for Kash to raid my account to pay her credit card bill; instead, the money just disappeared one day. All that was left behind was an unhelpful note saying “Amex Epayment”.
This is, to put it mildly, suboptimal. Bank accounts are the bedrock of our financial system, after all; they’re where we keep our money. They should be ultra-secure, and indeed if you look at the big banks’ apps, they often come encrusted with all manner of security theater. My Citibank app, for instance, annoyingly requires me to key in my 16-digit ATM card number every time I want to deposit a check into my account. And if you look at the paper checks you get from your bank, you’ll see all manner of high-tech security features built into them, like microprinting, heat-sensitive ink, and watermarks.
But the fact is that even though it moves much more money than all of the credit card companies combined, the system the US uses to move money in and out of bank accounts – the Automated Clearing House, or ACH – is in many ways less secure than the credit card system. That’s why, if you want to use the money in your bank account to pay for something online, you need to enter your debit-card number, not your bank account number. By using a debit card, you’re moving money over the relatively secure Visa or Mastercard rails, rather than over the ACH rails.
The system which took my money from my account is truly enormous. In the first quarter of 2016, ACH saw some 5 billion transactions, totaling $10.6 trillion. To put it another way: more than 50 million times a day, an average amount of $2,120 gets moved from one bank account to another. Compare that to the $510 billion in transaction volume at the top 11 credit card issuers in the first quarter of this year: that’s a lot of money being spent on credit cards, but it’s less than 5% of the money being moved in and out of bank accounts.
The problem is that ACH is so big, and so old, that it’s having enormous difficulty updating itself for the internet era. It was mostly built in the mid-1970s; today it acts much as it did in 1978, when the system of sending and receiving bank transfers became fully national, and when no one could have foreseen a day when bank account numbers were typed into web forms. What’s more, for all that it is the network behind all paper checks, ACH was always designed more as a bank-to-bank system than as a person-to-person system.
Think about the classic route that a check takes. You write a check to your landlord. Your landlord takes the check to his bank. His bank then sends the check to your bank. Your bank then takes the money out of your account and sends it to your landlord’s bank, using ACH. And then, finally, your landlord’s bank deposits the money into his account.
There are two layers of authentication in this process. The physical check itself – the piece of paper – has to be genuine, and so does your signature. But the former has been weakened now that banks use images of checks rather than checks themselves, and the latter has been weakened with the broader decline of the autograph. Who can say, any more, whether that random squiggle on the bottom of a check is authentic?
Still, the idea behind checks is clear: they’re essentially a very formal type of letter from you to your bank, saying “I authorize you to remove this much money from my account”. It just makes sense that your bank would require your authorization before taking money out of your account.
That’s what the rules say, too. ACH is run by the National Automated Clearing House Association, or NACHA, which sent Fusion a statement saying that “the requirements for authorization of online ACH transactions exceed the requirements for authorization of online card-not-present credit card and debit card transactions”:
Under the NACHA Rules, every ACH debit to withdraw money from a consumer’s account must be authorized in a writing signed or similarly authenticated by the consumer. In the online environment, this requirement means that the originator of the transaction (the billing company) must use a method of authorization that evidences both (i) the consumer’s identity and (ii) the consumer’s assent to the transaction.
The problem, here, is that the definition of “the consumer” can end up shifting from the first sentence to the second. In the first sentence, any ACH debit from my account must be authorized by me. But in the second sentence, it’s not the owner of the bank account, any more, which needs to authorize the transaction. Instead, it’s “the originator of the transaction”. In the case of me paying my own credit-card bill online, that’s not much of a difference: it’s me doing the authenticating either way. But when Kashmir pays her Amex bill using my account, it’s she who gets authenticated, not me.
As a result, it’s usually relatively easy for me to reverse the transaction. If I call up my bank and tell them that I never authorized the transfer, then they will reverse it, and the trail will lead back to Kashmir very quickly. If she didn’t have my permission to use my account to pay her Amex bill, the consequences for her could be very nasty indeed. (When she signed up for her Amex account, that involved signing a promise, effectively, not to do that kind of thing.) So, kids, don’t try this at home: just because you know someone’s account number, it’s a bad idea to take money out of their account to pay off your credit card. At least without asking them first, and ideally getting their permission in writing.
Still, this is a problem which is designed to be fixed ex post. In a statement to Fusion, American Express said that “we follow NACHA procedures to resolve unauthorized ACH debit activity inquiries or errors reported by our customers or their bank… If we do find an error has been made, we work with our customers and their bank to fix it.”
As Jeong discovered, fraud does happen. And when it happens, it can be extremely annoying and time-consuming for the customer, who often ends up having to set up a whole new bank account, with a new account number. That’s a real pain, which involves notifying all manner of institutions with legitimate access to your account. Alternatively, for those of us who have a tendency to throw our bank statements into a box without even opening them, it’s possible for a sneaky fraudster to quietly siphon relatively small sums out of our accounts for years without us noticing.
The good news is that online ACH fraud is relatively uncommon, just because it’s rare to find an online vendor who will allow you to pay using ACH rails instead of your debit card. The case of paying off a credit-card bill is a unique one, because you can’t use a credit card to pay off a credit card.
There are also a few steps you can take to protect yourself from this kind of fraud. Instead of giving out your account number, ask people to Venmo you instead, or use some other service which hides your account number from them.
Most importantly, follow the official advice of NACHA, the company which is in charge of processing paper checks:
The most effective way for consumers to safeguard bank account numbers is to stop using paper checks. Since money transferred electronically passes through fewer hands than a paper check, electronic payments can be a safer option for consumers.
Paper checks are an obsolete technology, which have your account number and routing number written down in plain sight, and which don’t play well in an internet world. Most other countries have pretty much stopped using them, at this point, but the USA still writes billions of them every year.
If you stop using paper checks, that’s no guarantee you’ll be immune from this kind of fraud. But the only obvious real solution lies in the hands of the credit card companies. Even one credit-card company executive told me that “if it makes you feel any better, I’m uneasy” about the weaknesses in ACH. All they would need to do is require permission from the bank account holder if the names on the accounts don’t match. Is that really too much to ask?
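The authorization gap described above (the billing company authenticates its own customer, not the owner of the account being debited) and the name-match check proposed in the last paragraph, modelled as an added example; this is not code from NACHA, Amex or any bank. The holder-name lookup, the names and the account numbers are constructed assumptions.

```python
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class DebitRequest:
    payer_name: str       # the customer the billing company authenticated
    routing_number: str
    account_number: str
    amount_cents: int

# Constructed sample data. Assumption: the originator can learn the name
# on the account it is about to debit (hypothetical lookup table).
ACCOUNT_HOLDERS = {("000000000", "1234567890"): "Alex Example"}

def normalize(name):
    """Fold case, accents, punctuation and spacing before comparing names."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join("".join(c if c.isalnum() else " " for c in folded.lower()).split())

def authorize_payer_only(req, payer_logged_in):
    """The gap: only the payer's own login is checked, never the account holder."""
    return "APPROVED" if payer_logged_in else "DENIED"

def authorize_with_holder_check(req, payer_logged_in, holder_consents=frozenset()):
    """Name-match gate: a mismatch waits for consent recorded from the holder."""
    if not payer_logged_in:
        return "DENIED"
    key = (req.routing_number, req.account_number)
    holder = ACCOUNT_HOLDERS.get(key)
    if holder is None:
        return "DENIED"                      # unknown account: fail closed
    payer = normalize(req.payer_name)
    if normalize(holder) == payer or (key, payer) in holder_consents:
        return "APPROVED"
    return "PENDING_HOLDER_CONSENT"          # debit is held, not sent

if __name__ == "__main__":
    # A logged-in customer paying their bill from someone else's account.
    req = DebitRequest("Sam Sample", "000000000", "1234567890", 10_000)
    print("payer-only check:  ", authorize_payer_only(req, True))
    print("holder-aware check:", authorize_with_holder_check(req, True))
```

A name match is a coarse signal, since unrelated people can share a name; it narrows the gap rather than proving the holder's assent.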