RJM62
While I was in a card-less state after a recent debit card fraud event, I used ACH from my checking account to pay some bills. I'd always had doubts about the security of the system because all the needed information is printed right on the checks; but since I rarely write paper checks, anyway, I wasn't too concerned.
What raised my eyebrows is that one of the bills I paid was not in my name, but a relative's, who has a different first and last name, and who lives in a different state. My name doesn't appear anywhere on the account. But the system gleefully accepted my checking account information and successfully processed the transaction, anyway. (I used an old, rarely used, but still-valid checking account during that time, by the way.)
Frankly, it was a few days before the significance of the payment's being successful hit me. What it tells me is that anyone who's ever received a check from anyone can use that account to pay their own bills. All the information needed (account name, routing number, account number) is printed right on the check; and apparently, as long as the items validate to an active account, the transaction goes through.
This seems pretty bizarre to me. At a minimum, why doesn't the banking industry insist on each account being assigned two account numbers: one printed on the check, and the other known only to the account holder, with the "secret" number being the only one that will work on a paperless transaction? That seems simple enough to do compared to "real" security improvements that might actually cost the banking industry money to implement (and which, therefore, will never happen).
"Real" security improvements would be along the lines of encrypting the routing and account numbers, and printing them on the checks as bar codes or indicia. The recipient's bank would need a database of encrypted routing numbers to know where to send the check, but could send the account number in its encrypted form. The bank holding the account could then associate the encrypted number with the actual account.
A "real" solution like that might cause banks' profits to dip by a fraction of a percent for a quarter or two, however, so I don't expect it to ever happen.
But having two separate account numbers would cost nothing in terms of hardware or printing, because the paper check part of the system would be unaffected. The only thing that would be affected would be non-paper transactions, which would be required to only use the "secret" number.
Does anyone who (unlike me) actually knows what he or she is talking about with regard to check processing procedures have any comments about this?
-Rich