[kenj0418]

Can anyone in the banking industry explain why there is no security on ACH similar to how there is for credit cards?

20 years ago when I first wrote a program to generate ACH files it struck me as crazy that all that was needed to take money from someones account (given an existing ACH relationship with a bank to send the file in the first place) was an individual's bank's public routing number and the individual's personal checking account number - both of which were at the bottom of every check they write.

I get that fraudulent charges can be reversed, but that's also true on credit cards - so why the lower security on ACH?

[edawerd]

I can't speak for NACHA (the governing body that came up with ACH), but I believe the goal was to make it an electronic equivalent of a paper check.

If you think about it, it's pretty easy for someone to create a fake check based on someone's account/routing number (which, as you correctly say, it's not private information because is on the bottom of every check you write), put it in an ATM machine and debit someone's account without their permission. ACH is really no less secure than the current security protocol for checks.

Not that I think this is a good idea, but this might be a possible explanation of why ACH was designed this way.

[mtdewcmu]

I can't use my debit card without a PIN, so I would hope that other people cant debit my account without it. Otherwise I'd like to have the same privilege.

[IbJacked]

That's just it, people can debit your account with nothing more than the routing number and account number. They can present a fake check with your info to a seller, and it will wind its way through the entire ACH pipeline, ending with a credit in the fraudster's account, and a debit in yours.

Hopefully, you will notice it in a timely manner and get your debit reversed. Without action on your part, the fraudulent transaction will most likely never be questioned.

[adanto6840]

It's honestly surprising to me that there haven't been more large-scale "attacks" / frauds committed along these lines.

If anyone knows I'm genuinely curious: why hasn't it been exploited on a large scale or what, if anything, prevents it from being exploited?

Edit: jeffasinger & edawerd largely answered my question in their posts above.

[gav]

The banks have built fraud detection to handle this, I had to handle the case of somebody attempting to cash several hundred thousand dollars worth of faked cheques in a past job. The bank stopped them before they cleared.

What's more interesting to me is the police and FBI's complete disinterest in going after the perpetrators even though they knew who they were.

[wiredfool]

As far as I can tell the security is 2 fold:

  * transactions are reversible for quite a long time. 
  * ODFIs (originating banks) are responsible for files they send.

A bad actor can get away with stuff for a while, but sooner or later, their ODFI will cut them off. Those relationships take time to build, so you don't want to be going through them quickly. And there are often deposits and other security protecting the ODFI.

So, the customer says it'sfraud. It's not their bank's problem, they punt to the ODFI. The ODFI is in the business of not taking too much risk, so they yank money from the originator. The Originator, they might be SOL, depending on if they're the one who was scammed, or if they have a way to reclaim the money.