by edawerd 4308 days ago
I can't speak for NACHA (the governing body that came up with ACH), but I believe the goal was to make it an electronic equivalent of a paper check.

If you think about it, it's pretty easy for someone to create a fake check based on someone's account/routing number (which, as you correctly say, is not private information because it is on the bottom of every check you write), put it in an ATM machine and debit someone's account without their permission. ACH is really no less secure than the current security protocol for checks.

Not that I think this is a good idea, but this might be a possible explanation of why ACH was designed this way.


I can't use my debit card without a PIN, so I would hope that other people can't debit my account without it. Otherwise I'd like to have the same privilege.

That's just it, people can debit your account with nothing more than the routing number and account number. They can present a fake check with your info to a seller, and it will wind its way through the entire ACH pipeline, ending with a credit in the fraudster's account, and a debit in yours.

Hopefully, you will notice it in a timely manner and get your debit reversed. Without action on your part, the fraudulent transaction will most likely never be questioned.

It's honestly surprising to me that there haven't been more large-scale "attacks" / frauds committed along these lines.

If anyone knows, I'm genuinely curious: why hasn't it been exploited on a large scale or what, if anything, prevents it from being exploited?

Edit: jeffasinger & edawerd largely answered my question in their posts above.

The banks have built fraud detection to handle this. I had to handle the case of somebody attempting to cash several hundred thousand dollars' worth of faked cheques in a past job. The bank stopped them before they cleared.

What's more interesting to me is the police and FBI's complete disinterest in going after the perpetrators even though they knew who they were.