Business accounts are even worse - they're governed by the Uniform Commercial Code rather than consumer law, and you only get 24 hours to report fraud. If someone sucks $200k out of your account and you don't catch it in 24 hours, there's a possibility you'll never see that money again.<p>What a lot of people do is set up an 'incoming payments' account, an 'outgoing payments' account, and a 'storage' account. Have your bank block all external withdrawals from the incoming account, block all external deposits to the outgoing account, and automatically move money once-a-day from the incoming account to storage and from storage to outgoing(keep say $10,000 in there at all times). Never write checks against the storage account, or give the number out in any way.<p>On one hand, ACH is technically insecure. On the other hand, if a scammer can get away with the money a terrorist could get funded with the money, so money laundering and anti-terrorism laws have the side effect of making it hard for people to get away with it. And then you just throw the scammer in jail.<p>The article mentions handing a check to your landlord. Personally, as a landlord I set up an incoming rent checking account, hand out the checking account information to tenants, and let the tenant deposit the money electronically or by driving to the bank. I've asked my bank to reject withdrawals but accept deposits from that account, and use a debit card to pay for maintenance and utilities. I'm considering using SaaS software to collect this, mainly to ease accounting; I'm not worried about security here.
> The physical check itself – the piece of paper – has to be genuine,<p>This is wrong, right? There is no such thing as a genuine check outside of conventions for repudiation(out of order check numbers, not on <i>my</i> check paper). Whether it came from the checkbook my bank sent, or out of my printer, it is just as good. Legally, writing it on a napkin would probably work, but draw lots of scrutiny becuase it looks suspicious and can't be processed automatically.
Anyone coming to the US from most of the world is painfully aware of how antiquated the whole system is. For a business accepting relatively few large payments, a major issue is the cost of payment.<p>For all their absurdity, paper checks are the only universally accepted almost-costless way to transfer money. ACH, wire transfer, card payments all come with an added cost of up to 3%, and every single proposed replacement system we've seen comes with new fees attached. For a payment of $10,000, payment by check costs perhaps $1. Payment by a 1% fee wire transfer system (most of them cost more) would be $100. Flat fee wire transfers range from $30 / transfer up.<p>Given how big and archaic ACH is now, and how expensive replacing it would be, I can't see a way out of this unless banks are required by regulation to provide an aggressively low-cost transfer mechanism.
I believe such a system is Safer to use for the average customer because the law is on his side. A routing number is (as far as I know) not considered a secret and very judge will rule that it's the banks fault for authorizing the transaction, not the user's.
If the user were to use any kind of authentication (such as typing a pin in a card reader), the bank can claim that it's the user's fault because he used his code carelessly and they are often right, people write the code on cards directly or use their birthdates but even if the pins are random, they can still be easily "cracked" (some people are super skilled in reading them from a distance while others have implemented key loggers in those readers). So you can't really use a password/pin for authentication either (because it is not that secure after all).
In my country, debit cards are quite common and debit cards never use a signature – they use a 4 digit pin instead. If your debit card was stolen, and somebody went shopping with it, you have to pay the bills because you did not protect your pin enough and it's not the bank's fault — they had enough proof for authentication. (I know quite a few people who had bills from $300-2000 after their debit cards were stolen and I can tell you for sure that some protected their PIN properly).<p>If you have to authenticate a withdraw in any way, the bank will have a better chance to win a fraud case because they had enough reason to believe the transaction was authentic and it is your fault not for protecting your pin or password enough.
The bank might voluntarily rebook the transaction but why even bother if they had to do that anyways (even without a pin). The consumer is not the victim here, the bank who has to get the money back is. So why would you want to fix a system that works in your favor.
I use paper checks a lot these days. It costs me about $1 to clear a check, and $25 to send a wire transfer.<p>I'd much prefer to do everything electronically, but I'm not going to pay an extra $24 to do it...
At my first startup, checks were the industry standard and we naively thought that we could change behavior by introducing modern payment tools to our customers.<p>It turned out that our customers used checks because it helped with their cash flow. They could tell us they "cut a check" on Friday, mail it on Monday, we'd receive it on Wednesday, and the money would be in our bank account Thursday. They basically were able to hold onto that cash for an extra 5 days, compared to a wire transfer.
Always when it is about payments in the US I understand more and more why fintech startups are so successful in the US. In Germany I don't really see the point. Wire transfers and deposit entries are cheap, reliable and they work with every bank.<p>So fintech startups here have a much harder time to explain, what is different about them.<p>BTW. The case what is describe in the article sounds for me like some kind of deposit entry fraud. Something I feared for a while in Germany, because deposit entries are very common for e.g. phone bills. But they seem to be one difference, in Germany you can simply cancel it and get your money back, usually 6 weeks but courts already ruled that this is just the minimum time.
A computer generated check is absolutely as valid as a paper check from your checkbook. I routinely generate images of checks which I then snap a picture of right off the monitor in order to remote deposit. Of course this is always done with the written and signed consent of the account holder.<p>Since you can't ACH outside of the US (I think) and any bank in the US has pretty strict "Know Your Customer" requirements, you will know for sure at least the first hop of where the money went.<p>I've heard of "work from home" schemes to include people acting as a middle-man for funds like this. They receive the ACH funds, and then they wire them overseas or send them via Western Union. These people, whether they were honestly duped or not, have committed a felony.<p>So when people worry about checks containing all the data you need for someone to empty your account, the first thing to consider is deterrence is very strong in this area because the penalty is massive, and tracking where the money was sent via ACH is easy.<p>That said, it would be nice if they could phase in a new standard which used one-time codes and provided real-time validation for this sort of thing. ACH transfer fees are extremely low compared to credit cards after all.
Donald Knuth was saying this how many years ago? It's got to be something like 10 years now. This is why he stopped sending out checks for people finding bugs in his books.<p><a href="http://www-cs-faculty.stanford.edu/~uno/news08.html" rel="nofollow">http://www-cs-faculty.stanford.edu/~uno/news08.html</a>
The percentage based fees for electronic transactions are absurd. We're talking about moving a number from one database to another. The effort doesn't scale with the size of the number. It's not like we have to move a truckload of gold. There's absolutely no reason it should be based on a percentage of the money being moved.
I remember reading about Patrick Combs [1] depositing a "sample check" from some junk mail and it ended up clearing, despite it saying "not negotiable" on it. I wish his original story was still on the web because it included a <i>ton</i> of detail about what happened, but alas ...<p>Previous mentions of Patrick Combs on Hacker News: <a href="https://news.ycombinator.com/item?id=4344720" rel="nofollow">https://news.ycombinator.com/item?id=4344720</a>
<a href="https://news.ycombinator.com/item?id=2020631" rel="nofollow">https://news.ycombinator.com/item?id=2020631</a><p>[1] The best link I could find today: <a href="https://www.reddit.com/r/todayilearned/comments/37b74g/til_that_a_man_called_patrick_combs_deposited_a/crlgqcn" rel="nofollow">https://www.reddit.com/r/todayilearned/comments/37b74g/til_t...</a><p>EDIT: added additional Ycombinator links.
> By using a debit card, you’re moving money over the relatively secure Visa or Mastercard rails, rather than over the ACH rails.<p>Well... Someone who has your Debit card number and expiration date can remove money directly from your checking account just as someone who has your routing number and account number can. I never use ANYTHING connected directly to my checking account to pay, unless it's the only option. There are a few things I need to pay with a check, but I see literally zero reason to use my debit card. My credit cards are accepted in all the same places and they provide me with more protection (in the sense that there's a buffer between them and my cash - even if I get reimbursed for fraudulent debit usage, the money is gone from my account for some period of time, allowing checks to bounce and other bad things to happen).
I would love to move away from checks, but (ironically) they're the cheapest, quickest, most robust way for me to transfer money digitally between family and friends. Write a check, endorse the back, take a photo with a banking app, and money is moved from one account to another without any additional fees.
No actual news, just ACH as it has been for many years. The author was annoyed that credit card companies allow users to pay by "eCheck" without prenote or deposit confirmations.<p>> The good news is that online ACH fraud is relatively uncommon, just because it’s rare to find an online vendor who will allow you to pay using ACH rails instead of your debit card. The case of paying off a credit-card bill is a unique one, because you can’t use a credit card to pay off a credit card.
I don't understand why people set up automatic payments on the payee's site. If you initiate the payment from the bank, you have more control over when it goes it out, can review the bill before authorizing the withdrawal, can see all of your pending payments and their effect on your balance, etc. I don't like giving anyone access to one of my accounts. Credit cards are a decent buffer against this, as you get time to review the bill before paying.
I'm not sure ACH is so much less secure than debit. You hand your card out to far more people than you ever send a check to and it has the info they need to use it online unless avs restrictions are enforced by the merchant, which is less secure than a merchant enforcing ACH micro-deposits imho. With both of these authentication methods it is up to the merchant to enforce and they are liable in the end for the most part when they don't. American express doesn't feel the need to enforce micro-deposits because they've already lent you the money so if a payment fails they're not at more risk than they were before the payment was made. In the end, it's easy to obtain the information for both and both have systems for reversing.
Checks can be forged, but passwords can be cracked, and data can be stolen. At the end of the day, it's the responsibility of the company to ensure sensitive information is safeguarded and to minimize fraud. Customers still need to understand and practice good habits, but ultimately this ends up in the hands of one or multiple companies that need to be responsible.
I work in a business that provides ACH services. This article over dramatizes the risk of fraud.<p>First, for a business to even use ACH, they need a bank account to receive payments. This involves an underwriting process and a cash reserve for any returns.<p>Second, businesses have daily limits they can process. This is usually well below their cash reserve.<p>Finally, any hint of fraud will cause the bank to drop them like a hot potato and seize their reserves for a period of time to ensure sufficient funds to process any returns. One example of fraud indication is a high return rate
The only time I write paper checks anymore is for larger charitable contributions, where I assume the organization would prefer the handling burden over processing fees.
I like how both the use of ACH by Stripe and Plaid and this story are on the front page at the same time. ACH transactions are interesting but as the article points out reversable as well. All financial organizations agree to reverse them on demand AFAICT. That is why scammers really want you to send them cash via western union or something.<p>That said, its truly annoying to deal with.
For those interested in a more technical dive into the system, see this blog: <a href="http://engineering.gusto.com/how-ach-works-a-developer-perspective-part-1/" rel="nofollow">http://engineering.gusto.com/how-ach-works-a-developer-persp...</a>
We already have good alternatives to these things. My financial life runs entirely in bitcoin, except for the shrinking list of payees who are still allowed to request payment in fiat money. Of course, I had to move out, live elsewhere, and continue trading from there, to make it happen. But then again, everything is so much cheaper here ...