HACKER Q&A
📣 gernb

Why hasn't the ACH system been more abused?


IIUC, the ACH system

https://en.wikipedia.org/wiki/Automated_clearing_house

Is utterly insecure. Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money and the bank will not confirm anything with you.

My first experience with this was Apple's credit card that can only be paid via ACH and I was shocked when I typed in my info into the Apple Wallet app and then it took my money without the bank confirming anything with me.

Why hasn't this been more of a problem? Are there mitigations? These numbers can be stolen from data breaches even easier than passwords as they won't be salted and hashed, they'll be the actual numbers right? The entire payment regime in the USA seems to be switching over to ACH. Should I be worried?


  👤 wiredfool Accepted Answer ✓
The simplest explanation is: ACH is reversible. If the consumer notifies their bank of an unauthorized debit within 60 days, the money gets yanked from the originating bank and put back in your account.

The originating bank will then do the same to the merchant who debited your account, with feeling and 4 part harmony. If they do this too much (>1% unauthed, or >5% overall), then they get cut off. (Exact thresholds depend on the bank and their risk tolerance and what they've underwritten the merchant for. But those are about the highest numbers you'll see, though sometimes NSF returns can be higher.)

ACH never settles. There's no security as such. An ACH transaction happens overnight, on trust, and may come back (by agreement) 60 days later, and longer in cases of extreme fraud. So any time you're seeing a 2-3 day hold on ACH, it's the bank doing risk management decisions, not something in the underlying transfer. (Note, that may not be strictly true for some correspondent small banks in Alaska or other odd time zones, where there really is a day+ delay on things.)

The only thing that's keeping fraud under control is the banks doing underwriting on the merchants who can do debits. They're on the hook (ultimately) if there's fraud, so it's in their interests to keep it clean. They're also not likely to cut and run, because banking connections to the ACH network are not cheap/easy to come by.

(source, I've worked in this space for 18 years)


👤 RyanCavanaugh
It's the same question as why people keep so many valuables in houses where you can just break a window, walk in, and take stuff: because you go to jail if you do that.

If ACH was different and you could just, say, walk up to an ATM and punch in a routing/account number and withdraw cash, it'd be a very different situation. You can only interact with the ACH system through a regular bank, and regular banks have KYC regulations that mean the recipient of those funds has a name, address, and SSN. Doing theft via ACH means the funds end up in an account clearly tied to your identity, and you go to jail.


👤 advisedwang
It's easy to track where the money has gone, which means this type of fraud has high risk of getting caught. You need a rube to hold the receiving account and then a money laundering method to get it away from them cleanly, which is all a lot harder.

👤 mousetree
What I've never understood is why the US system relies so much on ACH Pulls rather than Pushes? For example, most banks allow you to pull money from an external account (by verifying you own the external account using something like Plaid Identity or microdeposits) but don't always offer the ability to push funds.

It seems pulling is much more open for abuse than pushing funds. Perhaps it has something to do with the originator having liability for a potential returns.

In Europe, I've never seen any bank allow customers to pull funds (something like a SEPA I guess) but it's extremely common to push funds very easily to another account just by entering their IBAN (not so in the US though).


👤 anon291
The main service provided by banks is that they sell trust.

Only banks and financial institutions can directly send ACH transfers.

Unlike wires, ACH transfers take time to settle.

Banks are tasked with only allowing authorized transfers. Any bank that does not take adequate precautions will be kicked out of the system.

The profit banks can draw from participating in the financial system is much higher than the amount they can steal once before they get banned.

That's why most banks ask for verification (logins via plaid, micro deposits, etc), before allowing ACH withdrawal requests from other accounts.

But the most important reason why people don't do this, is that it's very easy to get caught. To actually submit an ACH request to a random account, you have to appear somewhere in person (unless you do small checks up to your daily bank limit via picture, which will quickly have you caught since your phone and account are linked to a real person).

Some CCTV tapes later, and you'll be put in jail for a very long time.


👤 pkrotich
ACH is a legacy system that can be easily abused for sure - what's saving it is the fact that it's not real-time like its newer cousin RTP. It also helps that withdrawing money via ACH requires an account and payment processor willing to clear ACH for you and shoulder some of the responsibility.

Yes, you can copy the numbers and make fake checks to cash, but security features on the check help with validation and most Check Cashing places don't cash big checks - mainly because they take on the liability if the check bounces. It's also the reason why most banks require you to have an account with them to cash a check depending on the amount.

So in summary, it's relatively "secure" due to validation & delay clearing the check. Scammers know this very well - that's why they resort to overpaying invoices/items with fake checks only to demand refund from the unsuspecting mules - who end up holding-the-bag once they send out the refund, only for the check to bounce.

Another similar legacy system that is easily and more abused is checks via mail - it's easier to cash a REAL check with a fake ID compared to a fake check for reasons I mentioned above. Why some companies still insist on paying or being paid via a check is beyond me!!

Stolen checks are a bigger issue compared to ACH - in fact it's a federal offence to steal mail, the post office even has Postal Police to deal with the issue.


👤 legitster
There's a lot going on behind the scenes that we don't see.

The bank is not wiring your money instantly. As I understand it, it takes 2-3 days for your bank to do the actual security confirmation. What Apple is probably doing is effectively floating you a line of credit assuming that the ACH goes through. And your bank is probably passing you along the transaction in a "pending" state.

There are a lot of security checks just to be in the ACH system. Ask someone who does payroll what it takes to set up direct deposit. Just having the numbers ain't enough even to put money into an account.

It's a bit analogous to how TLS/SSL works. Yes, you can just issue your own self-signed certificate. But that doesn't mean anyone will trust it.


👤 notatoad
> Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money

Mostly because this is not true. Anyone can’t do it. It’s relatively easy to get permission to get deposit access. Getting withdrawal access is not especially easy. And it’s capped at an amount relative to your credit rating.

And the people who do have withdrawal access need to have a good business reason to do withdrawal, and don’t want to lose their access.


👤 Tangurena2
It does get abused. With counterfeit checks.

You may have come across the sort of scam where someone wants to "buy" something you're selling. But they send you a much larger check. "Please send us the extra/surplus", they say. Or, "the rest is for shipping, send that to X, they'll pick up the item". Then when the check works its way through the system, is found to be fraudulent, the transaction gets reversed.

https://www.fdic.gov/consumers/consumer/news/august2019.html

Wiring money is something outside the norm in the US banking system. I think if it were more common, then ACH fraud would be far more common.

Anecdote: When I wanted to wire money (overseas), the hassle at my bank was plenty. Every piece of paper had in huge letters "this could be fraud! Once this transaction happens, the money is gone! Forever!" (slight exaggeration).


👤 tdy721
This system you are calling ACH is also just called an "eCheck". If you write a check at say WalMart, they just scan it at the register and do an "ACH". Like others here have said: "KYC" know your customer rules make it hard to do fraud this way without getting caught.

People do abuse this all the time, look for the bad check writer program in your county. It's not switching over to ACH, that's how it has worked all along. I recommend Catch Me if you Can by Frank Abagnale.


👤 tyingq
"Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money and the bank will not confirm anything with you"

Well, sort of. A very broad set of people can do ACH deposits into your account. A much smaller set of people (though still lots of them) can do ACH withdrawals.

Also, some banks offer a way to have a whitelist for entities allowed to do ACH debits/withdrawals. Chase calls it "ACH Debit Block" for business accounts.


👤 belfalas
Simple: ACH is the 800-pound gorilla of banking in the United States and the established players basically have zero incentive to change. It is in fact only a losing proposition for them. The banks make great fee-based money from the ACH system and the lag times in ACH create lots of juicy arbitrage opportunities.

It is true that the system is insecure and terrible for consumers, but this is not an issue for the banks. They have insurance.


👤 gnicholas
My edtech startup was contacted by an English-language school in a country where we have never advertised and have zero presence. They had a few questions but within 2 hours, they were ready to make a several-hundred dollar purchase.

I was a bit suspicious because the sale was so easy (selling to schools is normally a slog, even inbound), and because they immediately asked for our ACH information. I contacted my bank to ask if I give them my ACH info, is there a chance they can do anything bad to me?

My bank offered that I could give just the last 4 of my account number, which could be matched to my account based on the business name that would also be provided.

This seemed like a good solution, but after trying several times we gave up. They paid via PayPal instead, and we've never had an issue with them. But the experience made me think about how ACH works, and the risks involved!


👤 happyopossum
To understand this, you have to think past step 1 of the evil plan to steal all your money. First, in order to do ACH withdrawals, one must have a bank account that is strongly tied to your identity. So as a criminal, I steal your bank account number and force a fraudulent withdrawal - now that money is sitting (*not really, that's point 2) in my personal bank account, which is easy to trace.

Second item - these transfers take a few days to settle, so I've "stolen" your money, but I can't withdraw or transfer it to my EvilBank offshore account for a couple of days.

And finally, if you don't notice and tell your bank about this, and I can wait past the settlement period and withdraw the money, now I've got federal law enforcement after me for wire fraud, and they know who I am due to #1, so I'm in a world of hurt.


👤 devwastaken
It is abused, it's called check fraud. However the same as automobile accidents, it's old news, and just a part of everyday life.

People have been doing all forms of check fraud. One popular one is where they'll send a check, you cash it, money shows up, and it reverses later because it's fraudulent.


👤 paxys
Everyone here is on the right track, but to be more specific – people don't misuse the ACH system because there are specific laws on the books to protect against it.

If you walk into a police station and tell them someone hacked your Facebook account you will be laughed out of the building. Most other online crimes are dealt the same way. If you instead mention check fraud, wire fraud or postal fraud, the FBI will be knocking on your door to help out (not exaggerating, this really happened with someone I know).

Your house isn't secure because there's a big heavy lock on the front door. Anyone can cut through it, or break a window, or demolish a wall if they want to get in bad enough. It's really the threat of consequence that keeps criminals out. The banking system works mostly the same way.


👤 olliej
This was the most mind boggling thing I encountered when I first moved to the US (that and the signature/nothing at all nature of using a card to pay for anything).

I asked about why they didn’t at least require any checks to be issued on checks that they issued and I was told it was because people might not want to use bank provided ones??

But yeah the fact that the way you did a direct deposit is give someone your bank account# and then they withdraw however much money they want from it, and they can do so in perpetuity, is absurd.

In NZ - and I presume most of the rest of the world with such systems - the only thing you can do with someone’s account details is deposit money.


👤 Apreche
Go ahead. Print a personal checkbook with someone else's name, account number, and routing number on it. Write yourself a check and sign it. Then try to cash it or deposit it. See what happens. I double dog dare you.

👤 salawat
In the United States, money transmission is a regulated space. I.e. you must meet a minimum set of regulations in order to hold that license. That license requires you be able to do things like handle fraud, chargebacks, dispute resolution, etc...

Everyone implements these processes, and if you get a money transmitter that doesn't, generally, every other money transmitter in the space will mark transactions from that actor as high-risk, either rejecting tx's from them, or subjecting them to longer holds, or just straight out rejecting them.

If you don't have a license of your own, your on ramp is through someone who does. They can underwrite the risk of your membership in the financial system as a whole, but if they find out (and they will, because their business contracts come with audit, FWA, and due diligence clauses) you will find your access cut off, and if it's brazen enough, lawsuits getting served.

Now, what does this mean?

If you hand someone a blank check, they can absolutely take you to the cleaners. However, if someone crafts a malicious ACH payload, the origin of that can be traced from your bank, back to the clearinghouse, from the clearinghouse, back to the originator, who will have their processes scrutinized/investigated.

Generally Accepted Accounting Principles and double-entry accounting is the magic glue that ties everything together. If you follow the rules, you will have a transparent trail to follow.

If you don't, you've entered suspected money laundering land.

As a customer...

If you're deposited somewhere that is FDIC insured... You're golden up to $100,000ish.

If they aren't FDIC insured, if there's a dispute department, you should be good. You should still treat it as higher risk though in that if they get bank run'd, they do not guarantee at all you can get any money back. These are, regulatorily speaking, not banks. They can take deposits, do transactions, dispense/administer interest bearing accounts (and do often pay higher interest due to the higher risk involved with depositing funds there), and do bank like things, but they are not banks.

If you can't get in contact with a human being, good luck, and godspeed. You are braver than I.


👤 pengaru
> Are there mitigations?

My approach to this is to use services like e-trade where my checking/debit account is linked to a brokerage account, and keep most of the funds isolated in the brokerage side. Then transfer small amounts as needed for daily life into the checking/debit side. It's trivial and instantaneous to move money back and forth so it's not terribly inconvenient.

This way the only account people ever get ACH information for generally has too small a balance to matter much. Also my debit card was skimmed at a gas station once and this approach limited what they stole to just a few hundred bucks. After dealing with e-trade's fraud department to report the theft they eventually made me whole and replaced the skimmed card, still took some time and frustration though.

I find it delivers significant peace of mind. But one still needs to pay attention in case something happens, such things have time limits for reporting and expecting the money back. By keeping the balance small it somewhat forces having a current awareness of its status, assuming regular use.

Another bonus for e-trade is they offer air-gapped hardware token based 2FA.


👤 greatjack613
Shhhh, this has been going on for years and is known as wire fraud and carries one of the most severe punishments by law. On top of that most banks will reverse a payment when someone does it without your permission although the time and pain it takes to reverse it may vary.

👤 nope96
Not ACH, but the ACATS system (transfer securities between brokerages) has recently seen a number of thefts. It seems like a horribly insecure system.

If a scammer knows you own stocks, and can impersonate you, they can set up an account at another brokerage and pull your stocks away with ACATS. YOUR brokerage is required to send them, and does no verification. You probably won't even get a notification.

https://www.bogleheads.org/forum/viewtopic.php?p=6756853

Fidelity seems to be the only brokerage at the moment that lets you "lock down" your account and prohibit outbound transfers.


👤 throwaway1777
I believe the main mitigation is the settlement time and reversibility. You have appx t+2 days to notice the issue and report it.

👤 JohnHaugeland
It's simple, really

You can't do this. Only a bank officer can.

A bank officer gets tracked doing it.

If it's fraudulent, it gets reversed out of the bank's pocket, so they go look at who did it, and act accordingly.

And if it's more than $500, you need a second signature.

Now, as a criminal, all you need to do to fake a wire is to hold a five year career.

It's the common sense answer.

"it wouldn't work."


👤 mikequinlan
You have 30 days after you receive your statement from the bank to challenge any transactions.

Always check your bank statements.


👤 Tomte
It's why Donald Knuth only issues fantasy checks nowadays. I was happy to get mine before he started it.

👤 colechristensen
ACH fraud is hard to do because it’s reversible over long periods and you can’t do ACH without being well identified.

Banks do plenty of identification of you (say you’re opening a credit card or bank account) that you don’t necessarily see in order to cover their risks.


👤 manv1
The real reason seems to be that getting onto the ACH system is actually work.

Once you're in it's an open field, but getting there requires a lot of vetting.

There have been exploits that I've read about, but they tend to be hushed up because people don't particularly want people to know how insecure the system actually is. The exploit I read about had someone pulling a couple of dollars from a few million accounts. In aggregate they made a lot, and most people aren't going to necessarily notice a few missing dollars.

Of course, everything is traceable. But I never did hear of a resolution of this particular issue.

As an aside, eChecks have different issues, mainly because they're sort of a hacked-in solution. For example, you can't stop payment on an eCheck, since there's no check number; banks just can't do it.


👤 jmann99999
What people seem to miss in this conversation is that fraudulent ACH TRANSACTIONS can be reversed for up to 60 days if I recall. This is different from WIRE TRANSFERS that can't be reversed.

So, it is not a fertile ground for fraud.


👤 raxits
Money goes from your (Bank) account to verified entity(merchant/business, Org etc)'s bank account and they have legalities/agreements in place.

👤 yieldcrv
If there was a headline syndicated internationally every single time there was an ACH fraud, you would think crypto was a godsend. But right now it's the opposite, only headlines when a fraud occurs in crypto.

It's all perception. The potential for reversibility improves the customer experience, but often times nobody is being prosecuted, the thieves often get the money for themselves, and the banks/insurance eats the loss.


👤 nimish
Regulation E limits liability for fraud. ACH isn't an anonymous system either.

👤 ohiovr
I'd like to know too.