Banking question.

JOhnH

Touchdown! Greaser!
Joined
May 20, 2009
Messages
14,159
Location
Florida
Display Name

Display name:
Right Seater
I wanted to transfer some funds from my brokerage account to my checking account at another institution. I clicked on their "external transfer" option. It said I needed to sign up the external account first by giving them the routing number and account number. I did that.

Then it explained that to verify everything was correct, they would make two small transactions over the next two days. OK, that's fine. I don't want them to send a large sum only to find out I screwed up.

B U T !
Then they say they will WITHDRAW that money in one transaction. At that point I contact them to tell them the transactions were successful

I had no idea that giving them my routing number and account number would allow them to withdraw funds! How can they do that? Doesn't that mean that anyone that sees my paper check can get my R & A numbers and make withdrawals?

I trust the brokerage. I have had an account there over 50 years and I used the same web site I use every day and it had all my information, balances and transactions so I know it wasn't a scam. I was just unaware they could withdraw money from my external account.
 
Usually what happens is they do two small transactions, and you confirm the amount of the transactions.

If someone has your routing number and account number and can guess the sizes of the 2 transactions, yes.

It's an amazingly antiquated and insecure way of doing verification. Most of the time these transactions are under $1 so that's a 1/99^2 = 1/9801 probability of success. Not very high for an individual attempt (although still much less secure than procedures we use for far less important things), but given that routing numbers and bank account numbers fly all around and are often part of data dumps, not secure at all in bulk. Everything we do surrounding security in the personal banking world seems to be stuck in 1985. My personal bugaboo is that I have yet to find a major financial institution that doesn't exclusively use SMS for two factor authentication, if they support 2FA at all. SMS is better than nothing, but by far the least secure form of 2FA. I need a Google Authenticator code/TOTP to log-in to my Facebook account, but neither my bank nor my brokerage account support it. Insanity.
 
Last edited:
I wanted to transfer some funds from my brokerage account to my checking account at another institution. I clicked on their "external transfer" option. It said I needed to sign up the external account first by giving them the routing number and account number. I did that.

Then it explained that to verify everything was correct, they would make two small transactions over the next two days. OK, that's fine. I don't want them to send a large sum only to find out I screwed up.

B U T !
Then they say they will WITHDRAW that money in one transaction. At that point I contact them to tell them the transactions were successful

I had no idea that giving them my routing number and account number would allow them to withdraw funds! How can they do that? Doesn't that mean that anyone that sees my paper check can get my R & A numbers and make withdrawals?

I trust the brokerage. I have had an account there over 50 years and I used the same web site I use every day and it had all my information, balances and transactions so I know it wasn't a scam. I was just unaware they could withdraw money from my external account.
Sure they can withdraw from your external. You authorized them to do it.
 
It's an amazingly antiquated and insecure way of doing verification. Most of the time these transactions are under $1 so that's a 1/99^2 = 1/9801 probability of success. Not very high for an individual attempt (although still much less secure procedures we use for far less important things), but given that routing numbers and bank account numbers fly all around and are often part of data dumps, not secure at all in bulk. Everything we do surrounding security in the personal banking world seems to be stuck in 1985. My personal bugaboo is that I have yet to find a major financial institution that doesn't exclusively use SMS for two factor authentication, if they support 2FA at all. SMS is better than nothing, but by far the least secure form of 2FA. I need a Google Authenticator code to log-in to my Facebook account, but neither my bank nor my brokerage account support it. Insanity.
By SMS do you mean texting you a code that you then enter to complete your sign in? I have accounts at four banks. They all do it now. One of them even does it when I’m signing in on the App on my phone. That seems kinda weird. If someone got my phone and somehow got my User Name and Password to get that far, we’ll then yeah, they’re gonna get the code.
 
By SMS do you mean texting you a code that you then enter to complete your sign in? I have accounts at four banks. They all do it now. One of them even does it when I’m signing in on the App on my phone. That seems kinda weird. If someone got my phone and somehow got my User Name and Password to get that far, we’ll then yeah, no sheet, there gonna get the code.

Yes, SMS based 2FA is texting you a code when you try and login. Like I said that is better than *no* two factor authentication, but it is the least secure of the 2FA methodologies out there. SMS based 2FA is very susceptible to SIM swapping attacks where someone can remotely clone your SIM card information and route your calls/SMS to them instead of you (more info: https://www.phishlabs.com/blog/sim-swap-attacks-two-factor-authentication-obsolete/). This is as opposed to more secure methods like time-based one time passwords (TOTP) which is what Google Authenticator, MS Authenticator etc. use which is where you have a rotating code that refreshes itself every 60 seconds or so. These are generated using the time and a random seed that is only exposed at the time the authentication is setup and is much more secure. There are even more secure 2FA techniques like push-based 2FA and hardware based 2FA (e.g. Yubikey). A good comparison of 2FA techniques here: https://www.androidcentral.com/definitive-ranking-two-factor-authentication-methods
 
Sure they can withdraw from your external. You authorized them to do it.
I didn't know I was authorizing withdrawals when I gave the info. I was told how it would work AFTER I gave them the info, but BEFORE I hit the "ACCEPT" button. So I did give them permission but only after I gave them the actual numbers.

I'm not worried that my brokerage company is going to steal from me. I'm just surprised that they are able to make withdrawals based on that info. What's to keep anyone from withdrawing from my account once they get the R & A #?
 
I...
I'm not worried that my brokerage company is going to steal from me. I'm just surprised that they are able to make withdrawals based on that info. What's to keep anyone from withdrawing from my account once they get the R & A #?

You might check with your bank and ask them how they verify/validate ACH transfers. And what is the bank's procedure (if any) regarding correcting errors.
 
I didn't know I was authorizing withdrawals when I gave the info. I was told how it would work AFTER I gave them the info, but BEFORE I hit the "ACCEPT" button. So I did give them permission but only after I gave them the actual numbers.

I'm not worried that my brokerage company is going to steal from me. I'm just surprised that they are able to make withdrawals based on that info. What's to keep anyone from withdrawing from my account once they get the R & A #?
From your post.
“….Then it explained that to verify everything was correct, they would make two small transactions over the next two days….”
I’m sure you pushed a button authorizing them to do that
 
The other stupid thing about the "send a text" is how many people do stuff on their phones. If someone gets hold of my phone, where is that text message going. It's pretty much useless from a safety standpoint.
Unless if you do something very insecure like have no passcode on your phone, or an incredibly easy one to guess (1234, 0000 etc.) breaking into your phone hardware is generally not the path of least resistance. We saw how much pressure the government tried to put on Apple to provide tools for them to break into the San Bernardino shooter's phone and produce backdoors in the future. Ultimately it seems they were successful in breaking in to that specific phone with that specific version of iOS, but it took much more effort than your average attacker is capable of or willing to spend on an average person's account (possibly for a very high profile target). If you want to attack Joe Average's financial assets, there are many easier ways than breaking into the phone itself.
 
Last edited:
You are worried about the R&A just because it's electronic. There's nothing different about it being online as its already out there on the bottom of every paper check you write.
 
You are worried about the R&A just because it's electronic. There's nothing different about it being online as its already out there on the bottom of every paper check you write.

That's not really true. Moving insecure systems that were once based purely on physical things (e.g. paper checks with R&A on it) online makes it more insecure (in the absence of any, or with inadequate, additional security measures) because it vastly increases the attack surface from people who might reasonably have access to your physical thing (i.e. people who live near you, interact with you, bank employees etc.) to everyone who has access to the internet (which is obviously several orders of magnitude greater). This is not an argument against online systems by any means, as a techie millennial I despise having to deal with physical financial objects like checks and cash, but just one against taking systems that rely on physical security, to the extent that they are secured at all, and simply placing them online. Rather than cludging checks with R&A numbers to the online world to enable sending money between institutions, we should use a system that is specifically designed with online security in mind to do so.
 
From your post.
“….Then it explained that to verify everything was correct, they would make two small transactions over the next two days….”
I’m sure you pushed a button authorizing them to do that
Do you mean like when I said this:
I was told how it would work AFTER I gave them the info, but BEFORE I hit the "ACCEPT" button. So I did give them permission but only after I gave them the actual numbers.
 
You are worried about the R&A just because it's electronic. There's nothing different about it being online as its already out there on the bottom of every paper check you write.
Not real sure how you came to that conclusion, when in my OP I said this:
Doesn't that mean that anyone that sees my paper check can get my R & A numbers and make withdrawals?
 
Do you mean like when I said this:
I’m having trouble getting my head wrapped around that. I cannot believe they made the transactions to the external account before you authorized it. Did it go like this? They told you how it would work. You gave them the account information to the external account. Then you pushed the button. Then they made the transactions. In that sequence.
 
You have the ability to dispute the electronic transfer through your bank for 5 bus days, I think. Commercial transactions are different dispute timeframe.

Except wires. Wires are cash. Immediately available funds.
 
That's not really true. Moving insecure systems that were once based purely on physical things (e.g. paper checks with R&A on it) online makes it more insecure (in the absence of any, or with inadequate, additional security measures) because it vastly increases the attack surface from people who might reasonably have access to your physical thing (i.e. people who live near you, interact with you, bank employees etc.) to everyone who has access to the internet (which is obviously several orders of magnitude greater). This is not an argument against online systems by any means, as a techie millennial I despise having to deal with physical financial objects like checks and cash, but just one against taking systems that rely on physical security, to the extent that they are secured at all, and simply placing them online. Rather than cludging checks with R&A numbers to the online world to enable sending money between institutions, we should use a system that is specifically designed with online security in mind to do so.
Cludging? Off topic but not sure I've ever seen that word. Cheers:cheerswine:
 
I’m having trouble getting my head wrapped around that. I cannot believe they made the transactions to the external account before you authorized it. Did it go like this? They told you how it would work. You gave them the account information to the external account. Then you pushed the button. Then they made the transactions. In that sequence.
Yes.
I gave them the R & A numbers.
Then they told me they would make two deposits and a withdrawal. And THEN asked permission.
I gave permission.
They made two deposits so far and the withdrawals should happen soon.
 
They deposit two amounts, say 42c and 69c. You confirm those amounts to them. They then take their buck eleven back. The end.
 
I don't understand the problem.
The main problem is that I didn't know that people could take money out of your account with just the routing number and account number. Those numbers are on every paper check in the world. I would have thought they would need a password or some other authorization to be able to withdraw money from someone else's account.
 
The main problem is that I didn't know that people could take money out of your account with just the routing number and account number. Those numbers are on every paper check in the world. I would have thought they would need a password or some other authorization to be able to withdraw money from someone else's account.
you said you gave them authorization
 
The main problem is that I didn't know that people could take money out of your account with just the routing number and account number. Those numbers are on every paper check in the world. I would have thought they would need a password or some other authorization to be able to withdraw money from someone else's account.
Presumably I as a random person cannot go to a bank and say "here are some R&A numbers, please take out all the money of these accounts". As an individual you have to go through the test deposit/withdrawal authentication to prove you have access not only to the R&A numbers but also the account itself. Financial institutions presumably have some agreement with one another that they will allow these test deposits & withdrawals without explicit authorization of the account holder, and presumably these deposit/withdrawals must be for an amount less than $x and the deposit must come first etc etc. This is some agreed methodology for authorization between financial institutions (and one would hope with some oversight from regulators).

Institutions can often do things that we as individuals cannot.
 
The simple answer is yes, there are quite a few bill pay situations I've seen where all you need is the information printed on the check (name, address, routing and account number) to access funds from an account. This is why I try to rarely use paper checks, and when I do, only to trusted people. The problem is now with mobile deposit of checks, even someone you trust might lose a check after it was deposited, and now your info is out there. They system is horribly antiquated and largely relies on trust. The best defense is to only write checks/authorize withdrawals from one account that only has the balance needed to cover the expected expenses going out.
 
The main problem is that I didn't know that people could take money out of your account with just the routing number and account number. Those numbers are on every paper check in the world. I would have thought they would need a password or some other authorization to be able to withdraw money from someone else's account.
I've wondered the same thing.
 
you said you gave them authorization
What's to stop an individual who sees one of your paper checks from using the information to make an ACH withdrawal from your account WITHOUT your authorization?
 
What's to stop an individual who sees one of your paper checks from using the information to make an ACH withdrawal from your account WITHOUT your authorization?
They would have to have access to your online account as well.
 
Yes.
I gave them the R & A numbers.
Then they told me they would make two deposits and a withdrawal. And THEN asked permission.
I gave permission.
They made two deposits so far and the withdrawals should happen soon.
The controls are legal, not technical. Lets look at a few different payment methods:

- Physical Paper Checks: All you need is the routing number and account number. Anyone who sees one of your checks can make their own check with a standard computer printer and that check will technically be accepted and goods will be exchanged. Doing this, however, is fraud. If you get caught, you get fined and end up behind bars.

- Credit Cards: All you need is the credit card number and expiration date. Anyone who has those two pieces of information (which they can get in a number of ways, just like checks) can find someone who will technically accept it and exchange goods. Doing this, however, is fraud. If you get caught, you get fined and end up behind bars.

- Cash: All you need is a piece of paper that looks like cash. Anyone who has that can probably find someone who will technically accept it and exchange goods. Printing up your own, however is fraud. IF you get caught, you get fined and end up behind bars.

- ACH Transactions: From a technical network perspective, all you need is the routing and account number. The raw ACH network will move money for anyone WITH ACCESS with those two pieces of information. That said, people who have access to the ACH network do not build ways for other people to abuse it easily. This is why there is a concept of verification happening here. Your broker wants to make sure that you're not using someone else's account. Anyhow, find a way to cheat the system, get caught...and end up with a fine and behind bars.

Your shock seems to be coupled to expecting a technical control to prevent this. Given that the ACH network is based on the concept of paper checks, and paper checks couldn't implement computer network based technical controls, the raw network itself does not. As scary as that sounds, with some thought, you'll see its not much different than any other payment method. For historical context, the ACH network has worked like this for nearly 50 years.

Signed,

A guy who has made his living in financial technology (on the side that doesn't put you behind bars).
 
OT but, banking related. In order to pay off a mortgage early that you had been making auto payments on that were set up using an online system requires a fax machine and a cahiers check! Ok, technically you don't need a fax machine to send a fax anymore which makes this even weirder to me.
 
OP: This is why I never keep much money in my checking account and never use my savings account for electronic transfers...
 
OT but, banking related. In order to pay off a mortgage early that you had been making auto payments on that were set up using an online system requires a fax machine and a cahiers check! Ok, technically you don't need a fax machine to send a fax anymore which makes this even weirder to me.

The fact that fax is considered a legal form of transmission but encrypted email is not is infuriating to me. I had to transfer my medical records to a new office and I had the entire thing in a PDF on my computer. Of course new doctor can’t receive that information via email, so I had to fax it. But it’s 2022 and I don’t own a printer not to mention a fax because, why would I?, so I end up having to use some dumb faxing service thing online. Soooo much more secure than just encrypting the file and sending it via gmail…
 
The controls are legal, not technical. Lets look at a few different payment methods:

- Physical Paper Checks: All you need is the routing number and account number. Anyone who sees one of your checks can make their own check with a standard computer printer and that check will technically be accepted and goods will be exchanged. Doing this, however, is fraud. If you get caught, you get fined and end up behind bars.

- Credit Cards: All you need is the credit card number and expiration date. Anyone who has those two pieces of information (which they can get in a number of ways, just like checks) can find someone who will technically accept it and exchange goods. Doing this, however, is fraud. If you get caught, you get fined and end up behind bars.

- Cash: All you need is a piece of paper that looks like cash. Anyone who has that can probably find someone who will technically accept it and exchange goods. Printing up your own, however is fraud. IF you get caught, you get fined and end up behind bars.

- ACH Transactions: From a technical network perspective, all you need is the routing and account number. The raw ACH network will move money for anyone WITH ACCESS with those two pieces of information. That said, people who have access to the ACH network do not build ways for other people to abuse it easily. This is why there is a concept of verification happening here. Your broker wants to make sure that you're not using someone else's account. Anyhow, find a way to cheat the system, get caught...and end up with a fine and behind bars.

Your shock seems to be coupled to expecting a technical control to prevent this. Given that the ACH network is based on the concept of paper checks, and paper checks couldn't implement computer network based technical controls, the raw network itself does not. As scary as that sounds, with some thought, you'll see its not much different than any other payment method. For historical context, the ACH network has worked like this for nearly 50 years.

Signed,

A guy who has made his living in financial technology (on the side that doesn't put you behind bars).
Is there any provision for the victim of an unauthorized withdrawal to get the money back?
 
How does lack of authorization prevent an unscrupulous person or business from withdrawing funds?
What would be the process they would use to make an ACH withdrawal without authorization?
 
Last edited:
Back
Top