Ask HN: Why hasn't the ACH system been more abused?
223 points by gernb on Aug 29, 2022 | 264 comments
IIUC, the ACH system

https://en.wikipedia.org/wiki/Automated_clearing_house

Is utterly insecure. Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money and the bank will not confirm anything with you.

My first experience with this was Apple's credit card that can only be paid via ACH and I was shocked when I typed in my info into the apple wallet app and then it took my money without the bank confirming anything with me.

Why hasn't this been more of a problem? Are there mitigations? These numbers can be stolen from data breaches even easier than passwords as they won't be salted and hashed, they'll be the actual numbers right? The entire payment regime in the USA seems to be switching over to ACH. Should I be worried?




The simplest explanation is: ACH is reversible. If the consumer notifies their bank of an unauthorized debit within 60 days, the money gets yanked from the originating bank and put back in your account.

The originating bank will then do the same to the merchant who debited your account, with feeling and 4 part harmony. If they do this too much (>1% unauthed, or >5% overall), then they get cut off. (Exact thresholds depend on the bank and their risk tolerance and what they've underwritten the merchant for. But those are about the highest numbers you'll see, though sometimes NSF returns can be higher.)

ACH never settles. There's no security as such. An ACH transaction happens overnight, on trust, and may come back (by agreement) 60 days later, and longer in cases of extreme fraud. So any time you're seeing a 2-3 day hold on ACH, it's the bank doing risk management decisions, not something in the underlying transfer. (Note, that may not be strictly true for some correspondent small banks in Alaska or other odd time zones, where there really is a day+ delay on things.)

The only thing that's keeping fraud under control is the banks doing underwriting on the merchants who can do debits. They're on the hook (ultimately) if there's fraud, so it's in their interests to keep it clean. They're also not likely to cut and run, because banking connections to the ACH network are not cheap/easy to come by.

(source, I've worked in this space for 18 years)


This is the best answer here so far (and also a reasonably good explanation of why, at least in my opinion, crypto is still completely non-viable as a real medium of exchange).

The key is that there is a process for reconciliation. It IS NOT ENOUGH to simply have a ledger - you also need a mechanism for enforcing that the ledger matches reality. And reality is complicated, filled with reasonable disputes over terms and deals (in the best case) and outright fraud and theft (in the worst case).

A given party may be able to temporarily pull money from you with two numbers, but the process around reconciliation makes it so that you, the customer, are protected from the actions of the mediary (because at the end of the day, they're selling this service, and are responsible for their actions in relation to providing credit). This incentivizes those institutions to be careful, protect their reputation, and avoid taking on obvious risks.

Essentially - the system is structured in a way where incentives align to prevent abuse. And entry into the playing field is expensive and limited enough that institutional reputation matters.


> And reality is complicated, filled with reasonable disputes over terms and deals (in the best case) and outright fraud and theft (in the worst case).

Yep, and also methods to bring forward and rectify those disputes, as in the courts. I always wonder how many court orders each day need to go through the banks for enforcement, through wage garnishment, sheriff's auctions, power of attorney, etc.


What about international ACH transfers? What if an overseas bank just claims they didn't receive your transfer when they did?


ACH is a US dollar bank transfer system between US registered and regulated banks.

"Overseas ACH" isn't a thing; anything which looks like it is fronted by a US institution.


Am I misunderstanding the Wikipedia article?

>There are various ACH systems around the world. The World Bank identified 87 systems in their 2010 Survey

Seems to me like there are many different ACH systems, but perhaps the one referred to colloquially as ACH is specifically FedACH, the American system.

https://en.wikipedia.org/wiki/Automated_clearing_house


ACH is a US-centric term that seems to be used for both the general concept of netted/batched customer-facing interbank transfers, as well as the US-specific set of agreements, rules, participants, and regulating body that together implement one such network.

There are many national and international equivalents, but the linked Wikipedia page gets many of the examples pretty wrong, listing e.g. card acquirers/processors and central banks as examples for other such networks.

Direct equivalents would e.g. be SEPA Credit Transfer (but not SEPA Instant) and SEPA Direct Debit in the Eurozone or FPS (credit push only) in the UK.


> Seems to me like there are many different ACH systems, but perhaps the one referred to colloquially as ACH is specifically FedACH, the American system.

Giro might be the other, possibly broader term for something similar:

https://en.wikipedia.org/wiki/Giro_(banking)


Moreover, not even overseas transfer exists in the "ACH sense". Money is moved between ledgers of the same currency so what you will have is a correspondent bank holding your position in that currency.


There's this.

https://www.nacha.org/content/international-ach-transactions...

It's still Nacha which is a US institution as you mention. However, I don't see how that protects in the case of a fraudulent overseas transaction. What recourse do you have if an overseas bad actor tricks you into sending money to his overseas account via international ACH?


I worked for a NACHA processing backend for some years, the mechanism of protecting overseas transactions from bad actors is usually based on sending additional information contained in the IAT transaction, which includes some extra data from both the origination and the receiver[1]. When the bank processes it, it could either:

1) settle the transaction in the next few days (3 usually).

2) ask for additional information in the next few days.

3) deny (return) the transaction if it looks too suspicious according to the bank.

[1] https://www.nacha.org/system/files/2019-07/IAT-Specific-Data...


> What if an overseas bank just claims they didn't receive your transfer when they did?

Others have covered the overseas part, but for the "bank claims they didn't receive your transfer" part, I would expect that to show up in the settlement process. If there is a disagreement between banks, when they later check how much each bank owes each other, there should be a discrepancy the banks need to work out.

Note: not an expert in how ACH works or how settlement is done.


Usually there's a 3 day window for the money to settle. If the bank claims that it did not receive the transaction in this time window, they will "deny" the failed transaction and send to the originator a "return"[1] which contains the type and explanation of why it failed, and the money won't be transferred to the receiver.

If it surpasses the 3 day window a "late return" will be sent to notify the origination that the transaction failed, however, the money may already have been transferred to the receiver.

[1]: https://www.moderntreasury.com/learn/ach-return-code-referen...


International money transfers are typically done through SWIFT.

https://en.wikipedia.org/wiki/SWIFT


IATs are a pretty niche thing, but I think they're still to a correspondent bank in the US. Not common, and most banks won't allow you to originate them without special arrangement.


> crypto is still completely non-viable as a real medium of exchange

There are some projects which are attempting to fill in the "TradFi" gaps and support clawback at the protocol level.

I am aware of at least this project but I believe there are others.

https://developers.stellar.org/docs/glossary/clawback

(disclosure: I have like $10 of XLM).


Maybe that explains why Moneygram, Stripe and many others have ignored Bitcoin, and Ethereum for their use case in payments and remittances and instead have chosen cryptocurrency technologies and chains like Stellar. This tells me that there are some that are more useful than others and will survive regulations and there are some that won’t.

So the regular outcry about “crypto is still completely non-viable as a real medium of exchange” is just complete nonsense; parroted here once again.


I'd say it's mostly a lack of understanding. Cryptocurrency != (bitcoin || ether).

Problems that have been solved in a "Traditional Finance" setting (eg. clawback, chargeback, dispute resolution) are either solved or being worked on by many different cryptocurrency projects.

The question which remains to be answered is whether or not cryptocurrency can solve problems that TradFi can't solve or can it solve them in a better way, or more efficiently, etc.


> The question which remains to be answered is whether or not cryptocurrency can solve problems that TradFi can't solve or can it solve them in a better way, or more efficiently, etc.

The Stellar Network (and to some extent Algorand) seems to be more efficient than the current system and they aim to work with it as their solution(s) works faster, globally and cheaply, hence why Moneygram chose Stellar for its new product and why Stripe removed Bitcoin payments and re-entered again until regulations were clearer and more cryptocurrencies were available.

Not all cryptocurrency technologies are the same.


> a reasonably good explanation of why, at least in my opinion, crypto is still completely non-viable as a real medium of exchange). The key is that there is a process for reconciliation. It IS NOT ENOUGH to simply have a ledger - you also need a mechanism for enforcing that the ledger matches reality. And reality is complicated, filled with reasonable disputes over terms and deals (in the best case) and outright fraud and theft (in the worst case).

You do realize crypto can be wrapped up in a settlement layer, right?

Cash has the same problems until you introduce a settlement system.


> careful, protect their reputation, and avoid taking on obvious risks

What you say is true, but system-wide, this gate-guarding by reputable parties costs unimaginable numbers of dollars in fees and delay. Everything you list is obviously desirable except.. it has gone far in the other direction -- disproportionally expensive, too much gatekeeping.

For the two billion new customers in global trade that have emerged in the last twenty years, for commodity transactions.. why pay? For those that want to tie together dubious foreign agenda with market regulation (oil & gas markets), keep your own credit records and regulators.. but don't hold the rest of the world hostage.

Crypto is inevitable with these networks, so make some interesting and useful ones. Of course the old system will object.


There are valid use cases for both types of transactions: those that require an option for chargeback as well as those that must be settled with finality.

The difference is that while crypto can do both, the legacy finance system cannot.


Yes, there are valid use cases for irreversible payments, like closing on a home. Banks do have solutions for this: wire transfers. Which is what you’ll use if you buy a house in the US.


Wire transfers are just as reversible.

Nothing in banking is un-undoable. Some just require more effort to undo.


Only in the case of a mistake or fraud. So if the recipient got the right amount in their account: it’s a done deal, same day.

As opposed to ACH which could bounce or you could issue a stop payment.


The definition of mistake is quite broad. Not all parties may agree to what is and isn’t, requiring litigation, but the transfer itself isn’t a done deal until a very lengthy process has been exhausted.


Zelle can't be undone if it's done from your account. They just take the money.


Of course it can. Zelle and your bank may not be keen on doing it, but it’s no less reversible than any other transfer.

And for fraudulent transfers, Zelle’s trying to pin them on the customer is them hoping you’d give up rather than remind them that regulation E governs it as well, and they used to acknowledge that on their web site.


I was going to suggest “cash” as the other option.


How do you do a chargeback with Bitcoin? Or is that a different cryptocurrency feature?


There is a feature in Bitcoin called replace-by-fee (https://en.bitcoin.it/wiki/Replace_by_fee). But that is not completely analogous to a refund because vendors will wait many blocks before accepting a transaction (to prevent a Finney attack).

If you want to have a third party mediate the exchange, you can use a multi-signature transaction (https://monerodocs.org/multisignature/). For example you send the cryptocurrency to a 2-of-3 address where the mediator, the vendor, and the customer each hold a key and two of them are needed to move the funds (the mediator sides with either vendor or customer, or the vendor and customer both side against the mediator). Or you can send the cryptocurrency to a 2-of-2 address, which allows the customer to permanently withhold the funds from the vendor at the cost of withholding some funds from themself that they put down ahead of time, like an escrow that is locked in case of dispute.


One way to get something like chargeback is 2-of-3 multisig. The transaction has to be signed by any two of: sender, receiver, and a neutral arbitrator. If sender and receiver agree, the arbitrator never has to hear about the transaction.


That is nothing like chargeback. It would be like chargeback if you could rescind a signature, once you notice a mistake.


That wouldn't be chargeback either. You have to get the bank to do the chargeback, you can't just do it yourself.

If you wanted something more like that, you could pay via a smart contract that holds the funds in escrow for a while, with the arbitrator key able to refund the money to you.


You cannot, which is what grandparent was complaining about.


You can, with script. Most of us don't want that particular "feature".


Can you share some examples or use cases of transactions that must be settled with finality?


Twice I've sold an old car to somebody who answered my ad. I wanted cash on collection only, because I was selling the car to someone I didn't know, couldn't reliably trace and therefore could not trust. If they'd reversed the payment afterwards, I'd have been down a car.

Both parties to this kind of transaction understand why finality is required, and don't have a problem with it. It's a second hand "sold as seen" transaction. The buyer knows where the seller likely lives. The seller doesn't know anything about the buyer. Neither party typically carries that kind of cash around, so there are two trips to the bank (with their own risks) that could be saved if there were some sort of easier digital equivalent.


If they'd have turned the corner to see the engine fall out from underneath the car, while you'd have already strolled off the scene with the money, they suddenly wouldn't be so happy with finality. I think finality in transactions is more something about "the nominal case". If I'm a transaction processor with significant volume, I would like to reach some final state without too much intervention, but I can still handle the exceedingly-rare exceptions with (expensive) humans. Where that point lies differs per application, also dependent on what kind of service I'm wanting to deliver.


> If they'd have turned the corner to see the engine fall out from underneath the car, while you'd have already strolled off the scene with the money, they suddenly wouldn't be so happy with finality.

Maybe, but since I also wouldn't be too happy if they reversed the transaction after taking the car, we both agree in advance that the sale will not be reversible. For the payment, that's done by using cash (and the possession of it), and for the car, also just possession. I give the buyer the opportunity to inspect the car before committing to the sale, and then it is "sold as seen". Unless I committed fraud, the engine falling out from underneath the car will be the buyer's problem, including in law.

It is always possible to seek redress through the courts whether the financial transaction itself was reversible or not, so that's not relevant here. Neither is the fact that to do that knowledge of identity and evidence is required; those concerns also exist regardless of transaction reversibility.


That's why you test-drive a car and/or have it inspected. If it is a clunker and the price of the inspection approaches the price of the car you can just take the risk. In any other case an hour's worth of time of a competent mechanic will tell you all you need to know. After that the risk is yours if you decide to go through with the purchase. If something does turn up that wasn't disclosed the seller will usually be happy to adjust the price. And if not you are only out the inspection fee. Typically $50 to $150 so well worth it on any vehicle purchase that is in the price range where 'engine fell out' feels like it isn't on the menu of expected events.


> If they'd have turned the corner to see the engine fall out from underneath the car, while you'd have already strolled off the scene with the money, they suddenly wouldn't be so happy with finality.

Which is exactly the point of the finality of the transaction. Private party car sales in the US typically are not warranted. The risk of maintenance on a used car is non-zero, and the buyer accepts this risk when buying a vehicle with no warranty.


The Silk Road.

But in all seriousness, if you are a vendor then any purchase by a customer that is not associated with a legally accountable entity must be settled with finality, because you have no way of preventing charge-back fraud yourself.

In cryptocurrency marketplaces, the customers vet the vendors, not the other way around. This is because the vendors have a higher upfront investment in their business and reputation. The customers are not expected to maintain a reputation (for sake of their privacy) or an investment (outside of a multisig escrow) so any attempt to vet them is prone to Sybil attack.

The process of vetting customers is usually assumed by some monopolistic intermediary like PayPal. These companies are able to vet customers by implementing a mass surveillance system.


If you are a merchant selling goods and services for money, and had the choice between transactions with finality and without, you will always choose transactions with finality.


If customers demand reversible transactions, you will choose reversible transactions or you will not have customers.

There are, for instance, no longer many mainstream online merchants who accept only irreversible transactions. There once was a time when online transactions were primarily paid via money order, but PayPal and credit card processing have made that obsolete.


> If customers demand reversible transactions, you will choose reversible transactions or you will not have customers.

I think most customers pay with credit cards more because of convenience (or rewards, where applicable).

There's a myriad of QR payment systems popping up around the world (e.g. WeChat, UPI, PayNow) that are getting considerable adoption — and those aren't reversible. They're popular because customers don't have to worry about carrying enough cash with them.


You can't compare in-person and e-commerce payments in that way. The risk for the merchant and the customer is completely different:

A physical merchant usually has a storefront in a public place that they can't abandon on a whim, a reputation to lose etc, whereas the customer is usually anonymous and mobile. This is why customers are generally ok with paying using a (to them) irreversible/final payment method, and merchants will insist on it.

In e-commerce, the risk lies almost exclusively with the customer: An online store's reputation is not easy to judge (and brand impersonation is its own risk), and even at reputable merchants, the time between order and delivery is much longer, goods can usually not be inspected ahead of time etc.

Not coincidentally, the various card schemes' rules reflect this circumstance by assigning default liability for online payments to the merchant (or their acquiring bank, in case of a fraudulent or bankrupt merchant), whereas for in-person payments it lies with the cardholder (or in case of fraud with their issuer, in some circumstances).


And you typically get your product immediately when purchasing at a physical storefront.

In the early days of eBay, it wasn’t unheard of to send out a money order in the mail, wait a month, and never get the item.


That’s why I said

> if customers demand

Rather than

> customers demand

The landscape of trust online is varied. Someone is likely to have lower trust for random website you’ve never heard of (which was most stuff in the early days) than an established business or one with a physical presence.

Now that online retail is mature and trust is high, credit cards are more for convenience, but this wasn’t the case in the early days… and still isn’t the case for lesser established sellers or marketplaces.


When was this time that online payments were done with money orders? Some of the earliest online merchants that were associated with AOL and Prodigy accepted credit cards. Amazon definitely accepted credit cards from day one.


In the mid to late 90s many retailers online operated like mail-order catalogs with catalogs delivered via http. Many of them were mail-order businesses first, and so they accepted payments for online purchases the same way they did for the majority of their customers.

This was also normal for eBay payments at the time.

There were, of course, a few that did accept credit cards, but many people were wary about using those features because very little of the web used HTTPS at the time. Even Amazon accepted money orders (and personal checks!) for this reason.


Not always. If customer fraud is low and customer wariness is high, you might well find that providing customers the safety of the option to reverse the charge gets you enough more money that it nets you more overall. Even more so if "finality" of the technology means that users instead turn to the courts to dispute your charges.

There is a narrow sense in which the merchant "always prefers finality" but it isn't the relevant sense.


Buying a house. This is why title companies will only accept wire transfers, not ACH.


Buying a house does not have 'finality' in that sense. This is why you buy title insurance - many things can happen where it turns out you don't own the house like you thought.


If I sell someone a meal and they eat it, I really don't want that money to leave my account, because I have no recourse on my side.


Okay so what if you give them the wrong meal and they want money back?


Happened recently, ordered pizza but they delivered to wrong address. Called them they wanted to deliver pizza again but it would have been too late. So they refunded the transaction, though seemed a little reluctant.

My guess is that if I had no option to do a chargeback, it would have been harder to get a refund then.


Then the dissatisfied customer throws a fit and warns their peers that the vendor isn't trustworthy.

There is an asymmetry here because anyone can be a customer but not everyone can be a vendor- that requires a certain level of reputation and upfront investment. So it is more risky for a vendor to scam a customer than the other way around.


Thank goodness that the merchants that I do deals with do not force me to pay with cryptocurrency.


I don't know, I hear all the time about people buying things on amazon or something and when it arrives it's just crap and you can't get a refund. At the end of the day, getting a refund is not about the payment method, it is about your business relationship with the vendor.

Cryptocurrency transactions require high trust in the sense that they cannot be refunded, but they also require low trust in the sense that the vendor cannot possibly steal any more money than what you sign them.


If you are going to argue by anecdote at least use a believable anecdote. Amazon have one of the most customer friendly refund policies and always offer a refund or replacement- obviously because they are just pushing it on to their sellers but still, they do.


> Amazon have one of the most customer friendly refund policies and always offer a refund or replacement- obviously because they are just pushing it on to their sellers but still, they do.

With an open season of friendly / chargeback fraud, customer lies, refund tricks, etc which customers keep doing every day and so on which too many of that and Amazon will ban your account and they should.


I'm not sure if you have a point?


My point is very clear. Such lax customer policies are open to high abuse and friendly fraud which hurts both the customer and the merchant.


There is nothing inherent in cryptocurrency that prevents clawback.


If this was true, then why do most restaurants have you pay after you eat?


If the meal is bought with stolen funds...


then the cook should be left uncompensated for their work? There is no "fair" outcome in this situation, so you should at least make the system fail in a reliable way.


Normally, with credit cards and stuff, the onus is on the vendor that made the sale, technically they should verify the ID of the user matches with the name on the card and stuff.

Most don't, because convenience wins for the user and increases the value.

The user knows if something is wrong (like stolen funds, accounts etc) they will get their money back, and trusts the system so spends more.

If you don't provide this trust system, they won't spend as much as they do.

You will get less volume.


Hiring a hitman?


I think wire transfers are generally irreversible.


>> a reasonably good explanation of why, at least in my opinion, crypto is still completely non-viable as a real medium of exchange

The way I see it, the reversibility of ACH is mostly a 'workaround' of ACH's security flaws. If a crypto does not have security flaws, then it does not require such workarounds. The only drawback is that it cannot correct for human error. But IMO, I don't see human error as a major issue since it's a reality of life that people should be responsible for their mistakes. There are an infinite number of ways in which a person can ruin their lives within the space of a minute, sending money to the wrong address is just one more of them.


> it's a reality of life that people should be responsible for their mistakes.

Society has absolutely zero sympathy for this point of view.

Eventually society will give genuine, serious consideration to crypto.

"No ability for the legal system to reverse transactions in the case of fraud you say?"

And that will be that.

No-one in the majority of the populace actually wants an ungovernable financial system.


So, what happened with the DAO?


>and also a reasonably good explanation of why, at least in my opinion, crypto is still completely non-viable as a real medium of exchange

I understand HN is a shit-on-crypto echo chamber but it's naive to think crypto is just settlement.

Settlement is simply a low-level primitive. With smart contracts, you can build whatever mechanism you want before making something final. Multisig, clawbacks, timed-delays, time-locks, escrow, recovery wallets, etc.


This is why Plaid is so successful, it allows banks/fintech companies to validate that the information on the counterparty account matches what you claim, that it has sufficient amount, name and email matches. The bank can also decide if it wants to deny an ACH debit or do a manual review of it, for example above a specific amount or if it's the 1st ACH debit. Also the clearing days (when you will see money in your bank) will be different depending on different risk factors. You can read more here about how to mitigate ACH fraud with tools such as Plaid - https://guides.unit.co/fraud-and-disputes/ disclaimer - I am an engineer at Unit.


Plaid also allows its customers to scrape 24 months of transaction data from bank accounts, and gain a constant stream of data about ongoing transactions from the bank account.

It’s a very intrusive data-mining service that should not be trusted with bank account credentials, at least if you care about data privacy.

Change your bank account password, and you may even see Yodlee (like Plaid) trying to log in to your bank account every night to scrape daily transaction data based on some ’bank verification’ you previously gave to some app or 3rd party.


Yeah, many places where you can pay with ACH require validation that you have access to that account by making small transactions. Plaid will be "instant", but manual ACH will take a few days, even though manual ACH could be the same kind of "instant".


Recently used Plaid to deposit into Kraken and I was amazed, it's like magic.


> If the consumer notifies their bank of an unauthorized debit within 60 days, the money gets yanked from the originating bank and put back in your account.

What if, in this order:

1. they take $10k from my account to their account

2. they take the $10k out of their account immediately

3. I call my bank and ask them to reverse the transaction (aka the funds are no longer there to yank back)


10k is the limit on most forms of ACH to consumer accounts. You're also hitting reporting requirements there, so it's not likely to go through in the first place without scrutiny. However.

Most likely, the originating bank will release the money to the account that requested it a day or two later. 3 business days is pretty typical. More if they're high risk.

You complain, make a statement under penalty of perjury that it's Unauthorized. Your bank sends a return (R10 or one of the other shades) to the Fed. The Fed debits the originating bank, and sends them the return message. You've got your money back, and it's the originating bank's problem.

The originating bank then has a potential problem. They go after the company that initiated the debit. Depending on things, that might be a company or a 3rd party payment processor. If it's a 3pp, then they probably still have money from that originator or another, and now it's their problem. They may have a reserve or rolling settlement against such things.

But generally, it's the fact that there's a trusted third party (The Fed) that makes sure that banks pay up on returns that makes it not your problem.
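The return-rate policing described in the answers above (unauthorized returns such as R10 flow back to the originating bank, which cuts off an originator above roughly 1% unauthorized or 5% overall returns), sketched as an added example that is not part of the thread. The record layout, originator names and sample data are constructed; of the return codes, only R10 and NSF are mentioned in the thread, and the others follow Nacha's published return-code list.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# R10 is the code named in the thread; the rest of the "unauthorized" family
# is taken from Nacha's return-code list. R01 is an NSF return.
UNAUTHORIZED = {"R05", "R07", "R10", "R11", "R29", "R51"}
UNAUTH_LIMIT = 0.01                    # ">1% unauthed" (commenter's figure)
OVERALL_LIMIT = 0.05                   # ">5% overall" (commenter's figure)
DISPUTE_WINDOW = timedelta(days=60)    # consumer dispute window from the thread


@dataclass(frozen=True)
class Debit:            # hypothetical record layout
    trace: str
    originator: str
    settled: date


@dataclass(frozen=True)
class Return:           # hypothetical record layout
    trace: str
    code: str
    received: date


@dataclass
class Stats:
    debits: int = 0
    returned: int = 0
    unauthorized: int = 0
    late_unauthorized: int = 0     # arrived after the 60-day window

    @property
    def overall_rate(self):
        return self.returned / self.debits if self.debits else 0.0

    @property
    def unauthorized_rate(self):
        return self.unauthorized / self.debits if self.debits else 0.0


def tally(debits, returns):
    """Per-originator return counts, plus returns that match no known debit."""
    by_trace = {d.trace: d for d in debits}
    stats = defaultdict(Stats)
    for d in debits:
        stats[d.originator].debits += 1
    seen, orphans = set(), []
    for r in returns:
        d = by_trace.get(r.trace)
        if d is None:              # return for a debit we never originated
            orphans.append(r)
            continue
        if r.trace in seen:        # a debit can only be returned once
            continue
        seen.add(r.trace)
        s = stats[d.originator]
        s.returned += 1
        if r.code in UNAUTHORIZED:
            s.unauthorized += 1
            if r.received - d.settled > DISPUTE_WINDOW:
                s.late_unauthorized += 1
    return dict(stats), orphans


def findings(stats):
    """Originators over either threshold, or with late unauthorized returns."""
    out = {}
    for name, s in sorted(stats.items()):
        reasons = []
        if s.unauthorized_rate > UNAUTH_LIMIT:
            reasons.append(f"unauthorized {s.unauthorized_rate:.1%} > {UNAUTH_LIMIT:.0%}")
        if s.overall_rate > OVERALL_LIMIT:
            reasons.append(f"overall {s.overall_rate:.1%} > {OVERALL_LIMIT:.0%}")
        if s.late_unauthorized:
            reasons.append(f"{s.late_unauthorized} unauthorized return(s) after 60 days")
        if reasons:
            out[name] = reasons
    return out


def sample():
    """Constructed data: (debit count, R10 returns, R01 returns) per originator."""
    day0 = date(2022, 8, 1)
    plan = {"MERCH-A": (200, 0, 1), "MERCH-B": (200, 3, 9), "MERCH-C": (100, 1, 3)}
    debits, returns = [], []
    for name, (n, unauth, nsf) in plan.items():
        traces = [f"{name}-{i:04d}" for i in range(n)]
        debits += [Debit(t, name, day0) for t in traces]
        returns += [Return(t, "R10", day0 + timedelta(days=20)) for t in traces[:unauth]]
        returns += [Return(t, "R01", day0 + timedelta(days=2))
                    for t in traces[unauth:unauth + nsf]]
    # Edge cases: one R10 arriving on day 75, a duplicate, and an unknown trace.
    returns[1] = Return("MERCH-B-0000", "R10", day0 + timedelta(days=75))
    returns.append(Return("MERCH-B-0001", "R10", day0 + timedelta(days=21)))
    returns.append(Return("UNKNOWN-0001", "R10", day0 + timedelta(days=5)))
    return debits, returns


if __name__ == "__main__":
    stats, orphans = tally(*sample())
    for name, reasons in findings(stats).items():
        print(name, "->", "; ".join(reasons))
    print("unmatched returns:", len(orphans))
```

MERCH-C sits exactly at 1% unauthorized and is not flagged, because the thresholds in the thread are stated as "greater than".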


I've done ACH for amounts over $1,000,000. I was expecting to get a call from the bank, etc, but it just worked. I was the owner of both accounts, but they were with different institutions.


If you push the money from one account to another, limits are much higher. Do an ACH pull and you’ll have lower limits and may require authentication through micro deposits or a Plaid-like provider. 60 day claw back time applies to ACH pull.


From my own random sampling of banks, I find the exact opposite - pulls generally have higher limits than pushes. This makes sense when you think about how the system operates.

A push puts the financial responsibility for fraud on the originating bank. Imagine account X pushes to account Y, and then account owner Y walks into the bank looking to withdraw cash. From Bank Y's perspective, everything looks fine. Later on, bank X finds out the push was fraudulent, but bank Y has relied on the transaction to dispense actual cash. Bank Y may help investigate, but they surely aren't going to be out the cash due to relying on X's false transaction.

Whereas the pull transaction (with Y as the originator), bank Y will put a withdrawal hold, scrutinize the cash withdrawal and ask if this is really their customer, etc, since there is no other party they can blame.

I also personally tend towards using pulls because that's the way the system expects to work since it grew out of checks. If one pushes money and it never shows up, then the blame is ambiguous. From the originator's perspective they've completed what you've asked them to do, and from the receiver's perspective they know nothing. Whereas with a pull, the main thing you're doing is asking the originator to credit your account. If the transaction gets lost without your other account getting debited, then the discrepancy doesn't really affect you.


Are ACH pushes reversible too?

I have a weird, occasional fear that some of the companies I do business with might eventually enter a Chapter 7/11 bankruptcy of some sort, and that my ACH push payment could be clawed back.


Yes, it was a push. I guess that makes a little sense, though it doesn't offer protection if someone got access to my account.


Reg E covers that. You aren't responsible for transactions you didn't do. It will take longer to get back your money than an ACH reversal.


There are different rules when the same person owns both accounts.


Multiple things could happen:

- Their account will be negative

- Bank wouldn't allow them to withdraw 10k due to a hold

- Bank wouldn't allow them to spend money due to a hold

Anyway, in the end, victim's bank will get money back. A lot depends on the relationship of the scammer with their bank:

- On my fresh account, I once did an ACH transfer around 15k, the bank placed a 60-day hold on those funds, it was a saving account, so I literally couldn't do anything with it for 60 days.

- Some time later, the same bank got a 500k ACH transfer, bank placed a hold on half of it, but allowed me to withdraw the rest.

- Another time I had 15k ACH transfer on "well established" checking account, bank still placed a hold on 10k.

If it's a "fresh" bank account - you're not getting money out, especially if it's a transfer between two random consumer accounts, until the bank feels safe.


Step 2 is very unlikely to be possible: It is in the payee's bank's own interest to prevent this from happening as much as possible, since they will ultimately be liable for the lost funds.

Banks and payment service providers generally mitigate this risk by e.g. demanding a security deposit and/or delaying funds availability for new customers.


The second bank will be looking at their security footage to find the crook who overdrew their account for $10k


> So any time you're seeing a 2-3 day hold on ACH, it's the bank doing risk management decisions, not something in the underlying transfer.

I'm not sure if this is what you meant to begin with, but the institution is probably not doing anything at all. They're just waiting to see if the name gets flagged and to give you time to cancel your credit card or whatever it is. The fishiest transactions start to smell immediately and all you have to do is wait a second for the smell to waft in.


Unrelated question:

> with feeling and 4 part harmony

What do you mean by this in this context? I tried googling it, but only found results on musical theory. I guess you mean this as a (funny) metaphor?


Yes, a metaphor for doing it "even more". He means that they will be angry and will do more than just reverse the transaction: they will punish the merchant who fraudulently debited your account. They will levy a fine on them (any merchant who is plugged into the ACH system will have signed a contract with their bank agreeing to accept such fines and possibly put up a bond), or even perhaps ban them from making any future transactions, seriously harming their business.


Yes, in fact it's two metaphors in a row.

"Once more, with feeling," is a cliche that a conductor might say to an orchestra during rehearsal. Presumably professional orchestras usually play with feeling, even on the first attempt. So the conductor means, somewhat condescendingly, more feeling. It has been said so many times by so many conductors that it has become a running joke. If you were doing a comedic impression of a conductor, you might insert that phrase.

Four-part harmony is the performance of a song by four singers (or four groups of singers): soprano, alto, tenor, bass. You could have just one person sing a song, but if you have a whole chorus sing it, it will sound fuller (though not always better).

It was a funny way to say that the bank not only will require the money from the person who began the transaction but also will impose severe fees.


It's from Alice's Restaurant.


I got the reference immediately, but astonishingly, Googling the slightly misquoted phrase utterly fails to turn up a link to the song lyrics, or the Wikipedia page on the song which contains the phrase.


How reversible is it? I received my first fraud call where the scammers were asking for check payment - they wanted the routing number and check number to get payment (about $400 or so- it was for a “cable refund service”).

I was curious if I could track them down by giving them real info but wasn’t convinced enough about the reversibility of it to risk basically my entire checking account.


They would have transferred the money to another bank account. Then the "money mule" who owns that bank account would have been instructed to wire the money internationally, withdraw cash, buy gift cards, buy cryptocurrency, etc. (hard to reverse or trace transactions). Once the victim reports fraud, the money would have been moved to India, Russia, Ukraine, Nigeria, etc. The cost of the fraud falls on the end victim, or the money mule intermediate. The police might arrest the money mule.

https://krebsonsecurity.com/2010/01/top-10-ways-to-get-fired...


...about $400 or so...

Is there any particular reason to believe that the number the scammers said they were going to take was the actual number they were going to take?


Hence why I said my entire checking account :)

Interestingly enough the amount the scammers “quoted” continually increased as I was on their “recorded line” - it started at $250 or so and kept increasing.

I pretended to be incensed at their lack of integrity, but they just shouted back and eventually resorted to their master insult - calling me a mother fucker. I wish they would come up with some better insults as I’ve been called that exact thing hundreds of times now. Do they teach that at school or something?


What if the fraudulent account is emptied? Then it seems there's no money to reverse.


You'll have a negative balance in your account and owe the bank. And they may not allow you to close your account if you have any ACH transfers within the reversal period.


It doesn’t matter. Money moves. Fed doesn’t care about account balances on individual accounts at a bank.


> with feeling and 4 part harmony.

Definitely lol’d at that, thanks


Does Zelle work the same way?


No, Zelle uses different rails. It may be Real Time Payments, but it also may be something else entirely, because the company behind it is Fiserv, which is one of the big few providers of core banking software.


> If the consumer notifies their bank of an unauthorized debit within 60 days

As if. Ask the tens of thousands of people who have been scammed sending ACH payments if the bank has ever fucking reversed jack shit for them.


It's the same question as why people keep so many valuables in houses where you can just break a window, walk in, and take stuff: because you go to jail if you do that.

If ACH was different and you could just, say, walk up to an ATM and punch in a routing/account number and withdraw cash, it'd be a very different situation. You can only interact with the ACH system through a regular bank, and regular banks have KYC regulations that mean the recipient of those funds has a name, address, and SSN. Doing theft via ACH means the funds end up in account clearly tied to your identity, and you go to jail.


Bingo. This is something the cryptocurrency extremists just willfully refuse to acknowledge. It turns out that transaction reversibility and the ability (and willingness) of law enforcement to get involved are extremely useful tools in most commerce scenarios.


There is nothing inherent to cryptocurrency that prevents the ability to reverse a payment; it can be done in a contract, only both sides must agree to use it. Personally I see the inability of government (or anyone else) to arbitrarily modify transactions as crypto's greatest strength. Want reversibility? You can have it. Want a custodial institution to manage your account? You can have that too. Nothing stopping you. The system is flexible and secure in ways the traditional financial system is not.


The parent is referring to reversibility without both parties agreeing. I send merchant money from my bank to buy widget. Merchant doesn’t send me widget. Bank can reverse transaction without needing merchant permission. And the buck stops with the courts who can enforce the final action.


Can you really say this and not see the problem with it? Is it possible so many people have become this utterly complacent they can’t see tyranny when it’s right in front of their faces?

The same banks that caused 2008 and got bailed out can unanimously control transactions. The same banks that cause endless global conflict, that fix elections, that manipulate politicians, that rig the fabric of capitalism and democracy all around the world, that enable socialism for the rich and rugged individualism for the poor…those same banks are the ones you trust to “reverse transactions without permission”.

This is the problem crypto fixes. It removes the banks' power. It has reversibility; it just needs to be integrated with the/a identity mechanism and legal system. The main purpose is to cut out the bankers.


I just want to be able to get a refund if the toaster that I ordered doesn't get delivered. How would crypto go about doing that without it being in the sole discretion of the seller?


How do you do that now, with a market like Amazon?

It works the same way. You can introduce voluntary trusted market intermediaries and utilize things like escrow. Big enough markets can provide liquidity such that all transactions appear realtime, but sellers can provide a deposit to the market to cover problems.

That is one method among a gazillion.

We do not need banks. All bank functions need to be mathematically automated with no trusted parties.


There is nothing preventing the use of neutral third party contracts. For example, a non-profit arbiter of such cases, recognized for impartiality in an open market. Just like the Better Business Bureau, or similar organizations. Merchants can display a "your purchase protected by" banner; the market itself will determine the best form the material incentives for such an organization would take. Perhaps "loser pays the fee" could work, or a subscription model, more like a traditional bank.


If reversibility is needed any "cryptocurrency extremist" will tell you that there is no trustless solution to this kind of transaction and that a trusted intermediary (usually an escrow) is needed.

This is what happens with fiat money anyways, it is just so intimately mixed by now (credit cards, ACH, etc.) that you figure it's the only kind of transaction that exist or should exist.

Crypto is providing an alternative to this point of view, if you don't think you need it, don't use it, pretty straightforward... and if you want to stop it because you want people to think like you, try to stop it, let's have fun.


I think it’s the evangelism of crypto that irritates people, not the personal use of it, although there are the obvious environmental issues with that too.


I don't think anybody asked what was annoying about crypto, we are talking about irreversibility and why it can be a useful option for some people. But thanks for sharing your concerns I guess.


you spent the last paragraph of your comment complaining about people having a problem with crypto as if you have no idea why that might be

also perhaps consider taking a less passive aggressive tone. throwaway accounts are not an excuse to be rude


There isn't a single "complaint" in the paragraph you refer to.

If stating the factual matter of what you can do with or against crypto is "rude" to you, feel free to not answer next time, as your whining/concern trolling won't change much to these facts... especially when they don't relate to what was debated: reversibility of transactions.


This doesn't really answer the question though. People steal things all the time. The easier it is to steal the more they do it. Bikes, breaking into cars, purses, etc...

We have passwords and two factor to prevent this stuff for lots of situations but in this ACH case we seem to have nothing. What's special about ACH vs all other situations? Why do I need a password and two factor on other accounts but not ACH? It's just as illegal to break into those other accounts is it not?


You can't just take money with the numbers.

You have to be a bank or otherwise registered with the clearing house.

So you can ask your bank to pull money from my account, and if I object my bank will claw back the money from your bank and they will know who you are.

And if it wasn't all a misunderstanding or a typo, then they know where to find you.


You can just take money with the numbers. A business can just ask for ACH account info for payments. That means a customer could use someone else's "numbers" to fraudulently buy things. And maybe that other person wouldn't be liable for the fraudulent transaction, but the customer would still have the stuff they bought without leaving an ID behind.


What businesses allow you to pay via ACH?

Off the top of my head, the only ones I can think of are utilities, other banks (so you can make loan payments), and consumer payment processors like PayPal. In the first two, they'll have your ID. In the latter, they do the "make two deposits" thing to verify you own (or at least have access to) the account.

I can't go to Wal-mart and pay via ACH. Do they even take personal checks anymore?


> What businesses allow you to pay via ACH?

Pretty much anyone with a Stripe account can accept payments via ACH.

https://stripe.com/docs/payments/ach-debit

I worked at an ISP and we definitely appreciated it when our customers paid via ACH instead of credit card. (Less fees.) We were tiny, too; you don't have to be a giant company to get this going.


Stripe is still "your bank".


Of course they still take personal checks. How else would elderly granny that does not trust "plastic" pay? Some would do it with cash, but many have paid with checks their whole lives, and will not stop until they drop dead.

And it certainly used to be common for e-commerce sites to accept "electronic checks" by having you type in the routing and account numbers, with no additional verification. These days, there usually is additional verification.

It is still commonly accepted with no verification for payment for things like utility bills. This appears to be on the assumption that if there is check fraud they probably know the guilty party, because who else would be trying to pay your power bill?


Happens plenty in B2B but, again, reputational risk is involved


This business would run the risk of being cut off from the financial system.


Okay, but the business has no way of stopping this attack, so it is fruitless.


You could hack someone's business bank account and ACH debit other people, yes.

But then you have to get the money out of that account, and into cash in your hands without leaving a trail that leads to you. It's possible, but complicated. And if you could do it, there was probably already significant money in the account you hacked into in the first place. No need to pad it with ACH debits that might set off alarm bells.


The answer is that people DO steal via ACH, just like people rob houses. They are caught and prosecuted. What makes you think no one ever steals via ACH?


I actually know someone who was a victim of this, they had written some checks and the recipient had used them to make unauthorized withdrawals. I believe everything was reversed after the police got involved.


The question I think is more “why does someone have to give me their account details and so allow me to remove an arbitrary amount rather than me providing my account details knowing that all you can do is give me money?”


This. Same as fraud. I could put up a website right now, point some ads to it, and start harvesting thousands of CC numbers to sell. But then I would go to jail.


18 U.S. Code § 1343 - Fraud by wire, radio, or television

https://www.law.cornell.edu/uscode/text/18/1343

ACH fraud is wire fraud


Is credit card fraud not?


"Credit card fraud frequently involves elements of both bank fraud and wire fraud"

https://www.justia.com/criminal/offenses/white-collar-crimes...


> because you go to jail if you do that.

The people involved in money transfer scams are never, ever going to jail, ever.


Wow, you can't do crime because it's illegal!

How do you explain the widespread availability of "drop" accounts in the US? Cybercrime forums are full of people offering services to "cash out" illicit bank transfers into cryptocurrency.


Another explanation:

Integrating over all of the possible outcomes of wire-fraud, being put in prison is more likely than making millions of dollars and using them as you please.

Or, at least, enough people believe this, and also prefer not to be in prison, that they do not commit wire fraud. It might also be because it's difficult. (I don't personally know how I'd take up wire fraud, if I wanted to start.)

"Being put in prison" is a likely outcome because of complex and overlapping human constructs that have led to power structures where other people can force you into a prison. This is why it's relevant that it's "illegal". Briefly, "we live in a society".

The kind of "shape" wire-fraud has (in terms of the likelihood of its outcomes, i.e. very high risk, low chance of reward) is found in many things. A lot of illegal things have this shape.

The above commenter probably assumed all this to be 'background'. With that "because you go to jail if you do that," is a succinct and basically correct statement, even if it is not prefaced with every possible exception.


But wire fraud isn't rare. There are large gangs that specialize in opening bank accounts using fake documentation who then offer these accounts on a variety of fraud-related forums.

Every Eastern European craigslist scammer has access to US business bank accounts to accept payments for their nonexistent cars and boats.


The question wasn't "why is there NO abuse of the ACH system" it was "why isn't there MORE abuse of it"

The answer is, it is illegal, and easy to catch, so people don't abuse it as much as they would if it wasn't illegal.


>The answer is, it is illegal, and easy to catch, so people don't abuse it as much as they would if it wasn't illegal.

Why is it easy to catch? The OP's premise that you have to provide identification to open bank accounts is obviously false.


It's not that you can't, it's that the risks of getting caught doing it and punished for it are too high relative to the reward.

If you don't believe that deterrence is a real thing, there is a lot more human behavior that needs explanation than just the relative lack of ACH fraud.


You still don't seem to understand why "it's illegal" is not a great insight to lead your example with. Even if true, the answer would lead with what makes this illegal thing so less prone to violation than other illegal things.


it is illegal and easily detectable


How do you explain the widespread availability of "drop" accounts in the US? Cybercrime forums are full of people offering services to "cash out" illicit bank transfers into cryptocurrency.


I got that part. Still doesn’t justify a comment that starts with a paragraph implying that illegal things can’t happen because deterrent. That doesn’t help.


They never implied that it couldn't happen, they implied it didn't happen that often because it is illegal.


Which is a bad explanation. Lots of illegal things happen often anyway. Implying that being illegal automatically contains it is a bad explanation and a bad premise to start from. The question is, why is this illegal thing not more violated? Just like I said in the past two replies.


It being illegal makes parties involved forced to cooperate. If someone hacks your Twitter and tweets something - the FBI isn't going to investigate who did that. If someone commits a wire fraud with your account - FBI will investigate.


no one said they can’t, just this is largely why they don’t. are you going to rob a supermarket where you have to hand in ID at the door? or will you find somewhere easier?


https://www.nbcnews.com/news/world/margaritas-story-how-one-...

https://www.ice.gov/news/releases/russian-man-pleads-guilty-...

They do this, at giant scale. When you're earning tens of thousands of dollars per account, it's worth it to train people to go open bank accounts using fake passports.


That's my point: “it’s easy to catch and enforce” would be the relevant fact to lead with, not “duh it’s illegal silly!” The latter is true for a lot of things that aren’t enforced, and is really condescending to start with.


It's easy to track where the money has gone, which means this type of fraud has high risk of getting caught. You need a rube to hold the receiving account and then a money laundering method to get it away from them cleanly, which is all a lot harder.


Just an anecdote that may not be possible now but in the 90's someone emptied my checking account in Austin with a series of a dozen 2000 dollar withdrawals (was about to put down payment on house) to cash via drive through lanes at different branches of my bank in a different city (Houston) with a fake ID in the space of an hour or so, that ID had my name with a different photo, gender and different race (there was a drive through photo of the person).


Did you get that money back? (I’m not too familiar with financial protections back then.)


Yes. I was pretty weirded out when my ATM card was rejected for being locked out of my account, and when I went into the bank when it opened the next day, the teller sent me to talk to a bank official, after a little investigation they compared I think the fax of the photo in drive through to me (I remember seeing the person in the car), and made me sign a document saying I was not involved and would help them prosecute the case if they caught the person who did it, and created a new account for me with my money in it after a few days.


This seems like the most relevant answer. The account debiting the funds will have had a fair amount of due diligence and real people associated with it. Some real person will be left holding the bag when the flood of complaints comes in. Timing it so that you get a fall-guy to open the account, get ACH debit rights, steal the money, and get it out and laundered would be non-trivial. And doing all that in some way where the fall guy can't identify you.


This explains the package manager scams I see in my inbox. I keep fraud, crypto, and purchase scams in folders. It is a bit like collecting spores, molds, and fungus.


Interesting, so if you manage to gain control of someone else’s account, you pull up the last check from the richest person you know and pull from their account. Then you use that to fund a crypto account, buy some crypto that can be exchanged on an automated DeFi exchange and you’re good to go.


What I've never understood is why the US system relies so much on ACH Pulls rather than Pushes? For example, most banks allow you to pull money from an external account (by verifying you own the external account using something like Plaid Identity or microdeposits) but don't always offer the ability to push funds.

It seems pulling is much more open for abuse than pushing funds. Perhaps it has something to do with the originator having liability for potential returns.

In Europe, I've never seen any bank allow customers to pull funds (something like a SEPA I guess) but it's extremely common to push funds very easily to another account just by entering their IBAN (not so in the US though).


The ACH system was based on older check (cheque) clearing systems. In those systems the bank in which the check was eventually deposited was basically pulling funds.

The US never had a Giro system. The main push based payments have generally been "wire transfers", which have significant cost, or ACH-based Direct Deposit, which is pretty much only used for payroll situations.

Even payment cards are fundamentally a pull based system.

Only PayPal, Venmo, CashApp, or other similar services have a push model, and those pretty much always wrap an under the hood ACH pull.


Interesting to learn about the history but why aren't they pushing funds today? It's technically all possible and presumably would have less fraud? Or in other words, why do most of the rest of the world favor pushing funds through their ACH-equivalent systems?


This requires a new payment system. That’s why there’s RTP from The Clearinghouse and upcoming FedNow. US is late to the game on instant payments.


No, my point is that it doesn't require a new payment system to enable this. ACH very much supports pushes.


Well US banking is slow. Third world slow.

ACH pull allows the person being paid to verify the money is inbound, rather than "I sent you the money, honestly, now I would like the keys to that car please."

In the UK (almost europe) the pull version is direct debits and standing orders, or card transactions.


At least in Switzerland pretty much all the banks offer a service called LSV+ through which you can authorize a third party to pull money from your account. Supposedly (personally I don't know anyone using it) it is often used for recurring bills like utilities, credit card, internet etc.

But as far as I understand, you have to submit a form with a wet signature to the bank for each third party you want to authorize before they can withdraw. Also, you have 30 days after a transaction to dispute it.


That's what GP meant by "consumer". Direct debits are available only to C2B and B2B payments, and with the strong guarantees.


SEPA Direct Debit, which works on the pull profile and is very similar to ACH, is extremely common at least in Germany.

You can only use it (as the puller, not the pullee) if you're a business though.


Yeah, that's what I mean, doing a SEPA Direct Debit is not really available to an end consumer, at least not in any of the banking apps I've used. But in the US, pulling funds from another account is fairly common.


We use ACH Pushes to pay our contractors


Maybe I am missing something, but isn't pushing this way usually possible by one-time BillPay?


In my experience, some banks offer ACH pushing through Bill Pay but often an ACH is only made if the recipient is on a master list of known institutions (like for paying your electricity) and if the recipient is not on this list then a check is sent by mail. YMMV though


It is, but assuming that GP is from Europe, the confusion will be around the distinction between bill payment and P2P payments, which seems arbitrary to bank customers in many other countries:

With SEPA credit transfer (and other similar systems), bank customers can send money to any other account directly and automatically by only stating the recipient's account number and amount. There is no list of well-known/trusted(?) payees; businesses and individuals can receive money from other businesses and individuals alike.

In the US, for reasons that I don't fully understand yet, this type of P2P push ACH payment is generally only offered between accounts that have been verified to belong to the same person. I suspect that it's largely a question of money transmission licenses, the recipient's unwillingness to freely hand over their account number (due to concerns about unauthorized ACH pulls!) and/or fraud liability.


Bill pay on the backside is ACH push but users never see it. Bill pay will send physical checks as well.

ACH push isn’t that common at the consumer level. Very common for other things like payments/payroll.


The main service provided by banks is that they sell trust.

Only banks and financial institutions can directly send ACH transfers.

Unlike wires, ACH transfers take time to settle.

Banks are tasked with only allowing authorized transfers. Any bank that does not take adequate precautions will be kicked out of the system.

The profit banks can draw from participating in the financial system is much higher than the amount they can steal once before they get banned.

That's why most banks ask for verification (logins via plaid, micro deposits, etc), before allowing ACH withdrawal requests from other accounts.

But the most important reason why people don't do this is that it's very easy to get caught. To actually submit an ACH request to a random account, you have to appear somewhere in person (unless you do small checks up to your daily bank limit via picture, which will quickly have you caught since your phone and account are linked to a real person).

Some CCTV tapes later, and you'll be put in jail for a very long time.


ACH and Wires have similar times to "settle". However, rules within Fedwire and NACHA allow banks to hold ACHs for a few more days before releasing them to the customer. But technically funds are both arriving within 24 hours or so.


Not exactly. Both are overnight, but ACH has a 60-day period to reverse. I've had money held for the entire 60-day period in the past.


They held your funds for 60 days? I didn't know this was allowed?


It's to make money-laundering harder. Prevents you from opening an account, transferring money to it, then immediately out of it and closing the account.

60 days hold is legal because that's for how long ACH transactions are reversible. Such long holds only happen if you have zero prior relationship with bank. I work in FinTech now and such things finally started to make sense to me.


ACH is a legacy system that can be easily abused for sure - what's saving it is the fact that it's not real-time like its newer cousin RTP. It also helps that withdrawing money via ACH requires an account and payment processor willing to clear ACH for you and shoulder some of the responsibility.

Yes, you can copy the numbers and make fake checks to cash, but security features on the check help with validation and most check cashing places don't cash big checks - mainly because they take on the liability if the check bounces. It's also the reason why most banks require you to have an account with them to cash a check depending on the amount.

So in summary, it's relatively "secure" due to validation & delay clearing the check. Scammers know this very well - that's why they resort to overpaying invoices/items with fake checks only to demand refund from the unsuspecting mules - who end up holding-the-bag once they send out the refund, only for the check to bounce.

Another similar legacy system that is easily and more abused is checks via mail - it's easier to cash a REAL check with a fake ID compared to a fake check for reasons I mentioned above. Why some companies still insist on paying or being paid via a check is beyond me!!

Stolen checks are a bigger issue compared to ACH - in fact it's a federal offence to steal mail; the post office even has Postal Police to deal with the issue.


There's a lot going on behind the scenes that we don't see.

The bank is not wiring your money instantly. As I understand it, it takes 2-3 days for your bank to do the actual security confirmation. What Apple is probably doing is effectively floating you a line of credit assuming that the ACH goes through. And your bank is probably passing you along the transaction in a "pending" state.

There are a lot of security checks just to be in the ACH system. Ask someone who does payroll what it takes to set up direct deposit. Just having the numbers ain't enough even to put money into an account.

It's a bit analogous to how TLS/SSL works. Yes, you can just issue your own self-signed certificate. But that doesn't mean anyone will trust it.


ACH is overnight. Any 2-3 day thing is the bank doing risk management. There's a presumption of success, and if there's an issue, you'll get a return.

There's no 'pending' state on ACH. It's done in one shot, in as little as 94 characters.
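
A NACHA file is made of fixed-width 94-character records. As an added example (not part of the thread), the sketch below parses one entry detail record and runs the format checks a receiver can apply; no field in the record authenticates the account holder. The layout is the standard PPD/CCD entry detail layout, the sample record is constructed, and the function names are hypothetical.

```python
"""Parse one 94-character NACHA entry detail record (added example)."""

RECORD_LEN = 94

# Fixed-width layout of an entry detail record (record type 6) as used for
# PPD/CCD entries. Positions are 1-based and inclusive.
FIELDS = [
    ("record_type", 1, 1),
    ("transaction_code", 2, 3),
    ("receiving_dfi_id", 4, 11),    # first 8 digits of the routing number
    ("check_digit", 12, 12),        # 9th digit of the routing number
    ("account_number", 13, 29),
    ("amount", 30, 39),             # in cents, zero-padded
    ("individual_id", 40, 54),
    ("individual_name", 55, 76),
    ("discretionary_data", 77, 78),
    ("addenda_indicator", 79, 79),
    ("trace_number", 80, 94),       # assigned by the originating bank
]

TRANSACTION_CODES = {
    "22": ("checking", "credit"),
    "27": ("checking", "debit"),
    "32": ("savings", "credit"),
    "37": ("savings", "debit"),
}

# Constructed sample: a debit of $123.45 against a made-up checking account.
# Routing number 123456780 is a test value that satisfies the check digit.
SAMPLE = (
    "6" + "27" + "12345678" + "0"
    + "000123456789".ljust(17)
    + "0000012345"
    + "CONSTRUCTED-ID".ljust(15)
    + "JANE EXAMPLE".ljust(22)
    + "  " + "0"
    + "000000010000001"
)


def routing_check_digit_ok(routing):
    """ABA check: digits weighted 3,7,1 repeating must sum to 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def parse_entry_detail(line):
    """Split a type-6 record into named fields; raise ValueError if malformed."""
    if len(line) != RECORD_LEN:
        raise ValueError("record must be exactly %d characters" % RECORD_LEN)
    raw = {name: line[start - 1:end] for name, start, end in FIELDS}
    if raw["record_type"] != "6":
        raise ValueError("not an entry detail record")
    if not raw["amount"].isdigit():
        raise ValueError("amount is not numeric")
    account_type, direction = TRANSACTION_CODES.get(
        raw["transaction_code"], ("unknown", "unknown"))
    return {
        "routing_number": raw["receiving_dfi_id"] + raw["check_digit"],
        "account_number": raw["account_number"].strip(),
        "account_type": account_type,
        "direction": direction,
        "amount_cents": int(raw["amount"]),
        "individual_name": raw["individual_name"].strip(),
        "trace_number": raw["trace_number"],
    }


def review_flags(rec):
    """Format-level checks only: nothing here proves the payer consented."""
    flags = []
    if not routing_check_digit_ok(rec["routing_number"]):
        flags.append("routing check digit mismatch")
    if rec["direction"] == "unknown":
        flags.append("unrecognized transaction code")
    if not rec["account_number"]:
        flags.append("empty account number")
    return flags


if __name__ == "__main__":
    record = parse_entry_detail(SAMPLE)
    for key, value in record.items():
        print("%-16s %s" % (key, value))
    print("flags:", review_flags(record))
```

Everything the receiving bank can verify from the record alone is syntactic; authorization lives in the agreements and return process around the file, which is what the rest of the thread describes.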


Sure, I was specifically referring to OP's example of adding funds to an Apple wallet.


> There are a lot of security checks just to be in the ACH system.

But most of them depend on the customer reviewing their transactions and reporting fraud. Otherwise, it can and will go undetected.

I personally don't care to review my transactions, it's a hassle, simple 2FA would do away with it.

I live in Denmark, we have similar systems for automatic payment, but at least it now lets me see who has a mandate to withdraw money from me on a monthly basis. That said, it's still a sorry state of affairs. The EU mandated 2FA on all internet shopping, this works, it got done, it's ugly and some of the 2FA systems look sketchy, but online shopping frequently involves an app or a text message for authentication.


There's a ton of misinformation in this thread - this is not at all what ACH is. ACH is specifically how banks move money between accounts. It's not at all analogous to wire transfers or more generally payments.

ACH being public information is a bit like nameservers being public.


> Just having the numbers ain't enough even to put money into an account.

Not sure what you mean by that - having the numbers would seem to be the only thing needed to add money into an account.


Yeah - 10+ years ago I saved the routing/account number off my last check in my bank provided checkbook into my password manager. Whenever I need to pay via ACH for anything I just copy and paste those numbers - works fine.


For the bank, yes.

When I put my ACH details into my Cash app, or Apple pay, or whatever - I am not actually directly creating an ACH transaction. The two organizations are still going to do the transaction on my behalf.


> Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money

Mostly because this is not true. Anyone can’t do it. It’s relatively easy to get permission to get deposit access. Getting withdrawal access is not especially easy. And it’s capped at an amount relative to your credit rating.

And the people who do have withdrawal access need to have a good business reason to do withdrawal, and don’t want to lose their access.


It does get abused. With counterfeit checks.

You may have come across the sort of scam where someone wants to "buy" something you're selling. But they send you a much larger check. "Please send us the extra/surplus", they say. Or, "the rest is for shipping, send that to X, they'll pick up the item". Then when the check works its way through the system, is found to be fraudulent, the transaction gets reversed.

https://www.fdic.gov/consumers/consumer/news/august2019.html

Wiring money is something outside the norm in the US banking system. I think if it were more common, then ACH fraud would be far more common.

Anecdote: When I wanted to wire money (overseas), the hassle at my bank was plenty. Every piece of paper had in huge letters "this could be fraud! Once this transaction happens, the money is gone! Forever!" (slight exaggeration).


This system you are calling ACH is also just called an "eCheck". If you write a check at say WalMart, they just scan it at the register and do an "ACH". Like others here have said: "KYC" know your customer rules make it hard to do fraud this way without getting caught.

People do abuse this all the time, look for the bad check writer program in your county. It's not switching over to ACH, that's how it has worked all along. I recommend Catch Me if you Can by Frank Abagnale.


There are a couple of ways this transaction can go, with different rules. There is an ACH truncation on checks, which follows ACH rules of reversibility. In that case, they're only sending the MICR line of the check, not capturing an image.

There's also Check21, which is much more likely to be what they're doing. That takes a front/back image, and is essentially electronic settlement of checks, using check settling rules. For true fun, the electronic image can later be printed out on a larger piece of paper with its own MICR, and now it's an IRD (image replacement document) and it can go back into the legacy paper settlement system.


I don't believe eChecks and ACH are the same - eChecks are associated with a check number but this isn't the case for the many ACH transactions I have seen. Additionally, every eCheck I've encountered also had a required consent question ("Do you authorize us to...") whereas this isn't the case for ACH transactions.


"Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money and the bank will not confirm anything with you"

Well, sort of. A very broad set of people can do ACH deposits into your account. A much smaller set of people (though still lots of them) can do ACH withdrawals.

Also, some banks offer a way to have a whitelist for entities allowed to do ACH debits/withdrawals. Chase calls it "ACH Debit Block" for business accounts.


How is this decided?


Varies by what company and service you're using. Here's what Chase says about adding the ability to ACH debit customer accounts to a business account:

https://www.chase.com/business/online-banking/ach-collection...


The bank decides arbitrarily but effectively since if you're a crook, they lose that money so they limit the ability to the degree that they trust you, and once their own money is on the line, banks weirdly become much more effective at restricting fraud.

In essence, it's just equivalent to any other customer risk management by the bank, since allowing you a certain amount of ACH withdrawals is in some sense similar to credit risk.


The same as any other banking product? Due diligence, know your customer laws, and incredibly high fees.



Simple: ACH is the 800-pound gorilla of banking in the United States and the established players basically have zero incentive to change. It is in fact only a losing proposition for them. The banks make great fee-based money from the ACH system and the lag times in ACH create lots of juicy arbitrage opportunities.

It is true that the system is insecure and terrible for consumers, but this is not an issue for the banks. They have insurance.


> The banks make great fee-based money from the ACH system

Confused. The companies that give me the option of ACH vs Credit Card always charge 2-3% to pay via credit card and nothing to pay via ACH. Why wouldn't they pass on ACH charges to me if they are a "great fee"?

update: I see from another link that Chase charges $0.25 per transaction so not such a great fee. But maybe across tons of charges it adds up.


Not the OP.

The 2-3% credit cards charge as fees are largely used to deal with fraud.

There were 30 billion ACH transactions in 2021, and this number has been growing by 8%+ YoY for a while now. $0.25 a transaction is solid revenue when you consider that it's almost pure profits because fraud isn't a big issue and the computational power to manage ~100 million transactions a day is pretty modest.


This is true, and even more so.

Medium and large ACH customers pay much less than $0.25 per entry, which reflects the security and low-risk nature of the network.


The post is asking about the low rate of fraud


What fees and what arbitrage opportunities?


My edtech startup was contacted by an English-language school in a country where we have never advertised and have zero presence. They had a few questions but within 2 hours, they were ready to make a several-hundred dollar purchase.

I was a bit suspicious because the sale was so easy (selling to schools is normally a slog, even inbound), and because they immediately asked for our ACH information. I contacted my bank to ask if I give them my ACH info, is there a chance they can do anything bad to me?

My bank offered that I could give just the last 4 of my account number, which could be matched to my account based on the business name that would also be provided.

This seemed like a good solution, but after trying several times we gave up. They paid via PayPal instead, and we've never had an issue with them. But the experience made me think about how ACH works, and the risks involved!


To understand this, you have to think past step 1 of the evil plan to steal all your money. First, in order to do ACH withdrawals, one must have a bank account that is strongly tied to your identity. So as a criminal, I steal your bank account number and force a fraudulent withdrawal - now that money is sitting (*not really, that's point 2) in my personal bank account, which is easy to trace.

Second item - these transfers take a few days to settle, so I've "stolen" your money, but I can't withdraw or transfer it to my EvilBank offshore account for a couple of days.

And finally, if you don't notice and tell your bank about this, and I can wait past the settlement period and withdraw the money, now I've got federal law enforcement after me for wire fraud, and they know who I am due to #1, so I'm in a world of hurt.


> a bank account that is strongly tied to your identity

Correction: strongly tied to some identity. For online banks, for example, there's not much they can do to check if it's not a stolen identity. You'd need a lot of data - SSN, addresses, driver's license, etc. - but it's not out of the question to obtain such data from dark markets. Of course, withdrawal would still be a problem, and this identity package will likely be burned once the first fraud notice happens, so it may not be worth it to waste it this way.


Do these online banks even permit their customers to issue ACH withdrawals at all?


Yes, I regularly use ACH to send and withdraw funds from my online accounts. That's pretty much how I do all my banking - I almost never set foot in a physical branch unless I need something big like buying a car. Of course, before opening an online bank account, they ask me for my SSN and all kinds of details, but a good stolen identity package (e.g. from the same bank that I gave all those kinds of details, or from one of the credit bureaus) would cover that.

That's why you have to freeze your credit, btw. They won't open an account on SSN with frozen credit - you'd have to unfreeze first, and that's usually harder to do for a crook.


It is abused, it's called check fraud. However, the same as automobile accidents, it's old news, and just a part of everyday life.

People have been doing all forms of check fraud. One popular one is where they'll send a check, you cash it, money shows up, and it reverses later because it's fraudulent.


Everyone here is on the right track, but to be more specific – people don't misuse the ACH system because there are specific laws on the books to protect against it.

If you walk into a police station and tell them someone hacked your Facebook account you will be laughed out of the building. Most other online crimes are dealt the same way. If you instead mention check fraud, wire fraud or postal fraud, the FBI will be knocking on your door to help out (not exaggerating, this really happened with someone I know).

Your house isn't secure because there's a big heavy lock on the front door. Anyone can cut through it, or break a window, or demolish a wall if they want to get in bad enough. It's really the threat of consequence that keeps criminals out. The banking system works mostly the same way.


'It's really the threat of consequence that keeps criminals out'

Recall what happened when Oakland Police announced they didn't have the resources to investigate property crimes: home burglaries went through the roof.


This was the most mind-boggling thing I encountered when I first moved to the US (that and the signature/nothing at all nature of using a card to pay for anything).

I asked about why they didn’t at least require any checks to be issued on checks that they issued and I was told it was because people might not want to use bank provided ones??

But yeah the fact that the way you did a direct deposit is give someone your bank account# and then they withdraw however much money they want from it, and they can do so in perpetuity, is absurd.

In NZ - and I presume most of the rest of the world with such systems - the only thing you can do with someone’s account details is deposit money.


Go ahead. Print a personal checkbook with someone else's name, account number, and routing number on it. Write yourself a check and sign it. Then try to cash it or deposit it. See what happens. I double dog dare you.


I had it happen to me once - somebody washed my check (i.e. removed the original sum and payee and replaced it with a larger sum and a different payee) and tried to cash it. The bank called me, because the check looked weird, I said "huh? never heard of those" and they refused to cash. Unfortunately, the fraudster promptly ran away from the bank - or so they told me - so that's where the thing ended.


In the United States, money transmission is a regulated space. I.e. you must meet a minimum set of regulations in order to hold that license. That license requires you be able to do things like handle fraud, chargebacks, dispute resolution, etc...

Everyone implements these processes, and if you get a money transmitter that doesn't, generally, every other money transmitter in the space will mark transactions from that actor as high-risk, either rejecting tx's from them, or subjecting them to longer holds, or just straight out rejecting them.

If you don't have a license of your own, your on ramp is through someone who does. They can underwrite the risk of your membership in the financial system as a whole, but if they find out (and they will, because their business contracts come with audit, FWA, and due diligence clauses) you will find your access cut off, and if it's brazen enough, lawsuits getting served.

Now, what does this mean?

If you hand someone a blank check, they can absolutely take you to the cleaners. However, if someone crafts a malicious ACH payload, the origin of that can be traced from your bank, back to the clearinghouse, from the clearinghouse, back to the originator, who will have their processes scrutinized/investigated.

Generally Accepted Accounting Principles and double-entry accounting is the magic glue that ties everything together. If you follow the rules, you will have a transparent trail to follow.

If you don't, you've entered suspected money laundering land.

As a customer...

If you're deposited somewhere that is FDIC insured... You're golden up to $100,000ish.

If they aren't FDIC insured, if there's a dispute department, you should be good. You should still treat it as higher risk though in that if they get bank run'd, they do not guarantee at all you can get any money back. These are regulatorally speaking, not banks. They can take deposits, do transactions, dispense/administer interest bearing accounts (and do often pay higher interest due to the higher risk involved with depositing funds there), and do bank like things, but they are not banks.

If you can't get in contact with a human being, good luck, and godspeed. You are braver than I.


FDIC Insurance has nothing to do with ACH fraud - it covers cases where the bank itself fails. NACHA has its own process for ACH disputes/reversals/returns.

Not sure what GAAP and double entry accounting has to do with this.

The fraud here is not from end users "crafting a malicious ACH payload". End users don't interact with NACHA in that way. The more common case is when users, via their bank, are doing ACH Pulls from accounts that they shouldn't be. Most banks that offer direct ACH Pulls to their customers use a third party like Plaid Identity or microdeposits to prove ownership of an external account prior to initiating the ACH Pull. This is not 100% effective always - disclosure: I work at a neobank and I am directly involved in building systems to prevent/mitigate ACH fraud.


> Are their mitigations?

My approach to this is to use services like e-trade where my checking/debit account is linked to a brokerage account, and keep most of the funds isolated in the brokerage side. Then transfer small amounts as needed for daily life into the checking/debit side. It's trivial and instantaneous to move money back and forth so it's not terribly inconvenient.

This way the only account people ever get ACH information for generally has too small a balance to matter much. Also my debit card was skimmed at a gas station once and this approach limited what they stole to just a few hundred bucks. After dealing with e-trade's fraud department to report the theft they eventually made me whole and replaced the skimmed card, still took some time and frustration though.

I find it delivers significant peace of mind. But one still needs to pay attention in case something happens, such things have time limits for reporting and expecting the money back. By keeping the balance small it somewhat forces having a current awareness of its status, assuming regular use.

Another bonus for e-trade is they offer air-gapped hardware token based 2FA.


Shhhh, this has been going on for years and is known as wire fraud and carries one of the most severe punishments by law. On top of that most banks will reverse a payment when someone does it without your permission although the time and pain it takes to reverse it may vary.


Not ACH, but the ACATS system (transfer securities between brokerages) has recently seen a number of thefts. It seems like a horribly insecure system.

If a scammer knows you own stocks, and can impersonate you, they can set up an account at another brokerage and pull your stocks away with ACATS. YOUR brokerage is required to send them, and does no verification. You probably won't even get a notification.

https://www.bogleheads.org/forum/viewtopic.php?p=6756853

Fidelity seems to be the only brokerage at the moment that lets you "lock down" your account and prohibit outbound transfers.


I believe the main mitigation is the settlement time and reversibility. You have appx t+2 days to notice the issue and report it.


Not 2, at least 60 days. The reason you are seeing those funds debited after 2 days is that your bank decides to hold the credit risk after a couple of days.


I don't get any notices from my bank so I certainly would not notice within 2 days that someone took my money.


It's 60 days (or 2 days, if you are a business) from the date you receive the statement with the fraudulent transaction, not from the date the transaction occurs.

Within that time, the bank(s) are required to reverse the transaction, no questions asked.

I believe you can even get your money back at a later time, but if you don't make the deadline there are more hoops to jump through.


I'm pretty sure that it's 60 days from origination (+ a few days for potential holidays and weekends, like if it hits on the 23rd of December as a Saturday and the 24th and 25th are holidays), but it's been a few years and I don't have my NACHA books any more.

But that's certainly not hard and fast, I think I've seen roughly twice that time frame for extraordinary cases.


Stripe's FAQ says that it's 60 days from when you receive the statement.

https://stripe.com/legal/ACH


They do, but they also don't mention dishonored returns. My source was the NACHA rules, which I was coding to at the time. Point stands though, it's a long time.


Also every account needs KYC so the authorities will know who you are if you try to steal money this way.


For consumer accounts, it's 60 days.


It's simple, really

You can't do this. Only a bank officer can.

A bank officer gets tracked doing it.

If it's fraudulent, it gets reversed out of the bank's pocket, so they go look at who did it, and act accordingly.

And if it's more than $500, you need a second signature.

Now, as a criminal, all you need to do to fake a wire is to hold a five year career.

It's the common sense answer.

"it wouldn't work."


I'm not sure I understand. I recently signed up for apartments.com to pay my rent, which is way more than $500. Where does a bank officer fit into this? Are you saying the millions of transactions going through these services are all hand checked and signed by 2 bank officers? Can I view these signatures to find out who approved the transfer?


A core cultural competency of programmers is to be willing to just go look things up.

My opinion is that HN is losing this rapidly.


It's a fair question to ask for clarity on the "bank officer" part. I was confused too.


They're well legally defined words.


apartments.com had to do the paperwork to establish the ability to initiate ACH (most likely, they hired some third party to make the actual ACH for them). That's where it gets checked. If the provider screws up, and passes bad ACH, they'd likely lose substantial money, and maybe the whole business if they get cut off. So the provider will likely verify that apartments.com is a legit business with legit people behind it, and will eagerly cooperate with law enforcement if anything shady happens. In turn, apartments.com probably has some protocol to verify the numbers you put in are actually yours. Because if they screw up on this, they are left holding the bag for the stolen money and likely lose access to ACH themselves, which would hurt their business.


Apartments partners with a bank. Bank creates files every night following the standards and rules of NACHA. They submit those files which are processed. ACH is bank to bank. You can’t access the network if you aren’t a bank. End of the day it is moving at the fed level since every bank has an account with the fed. Banks enforce the rule because they are on the hook on claw backs.


> they are left holding the bag for the stolen money and likely lose access to ACH themselves, which would hurt their business.

This is the key part. If they're originating the ACH (i.e. pulling funds from your account) and a return is issued then apartments.com are liable for sending those funds back.


You have 30 days after you receive your statement from the bank to challenge any transactions.

Always check your bank statements.


It's why Donald Knuth only issues fantasy checks nowadays. I was happy to get mine before he started it.


ACH fraud is hard to do because it’s reversible over long periods and you can’t do ACH without being well identified.

Banks do plenty of identification of you (say you’re opening a credit card or bank account) that you don’t necessarily see in order to cover their risks.


The real reason seems to be that getting onto the ACH system is actually work.

Once you're in it's an open field, but getting there requires a lot of vetting.

There have been exploits that I've read about, but they tend to be hushed up because people don't particularly want people to know how insecure the system actually is. The exploit I read about had someone pulling a couple of dollars from a few million accounts. In aggregate they made a lot, and most people aren't going to necessarily notice a few missing dollars.

Of course, everything is traceable. But I never did hear of a resolution of this particular issue.

As an aside, eChecks have different issues, mainly because they're sort of a hacked-in solution. For example, you can't stop payment on an eCheck, since there's no check number; banks just can't do it.


What people seem to miss in this conversation is that fraudulent ACH TRANSACTIONS can be reversed for up to 60 days if I recall. This is different from WIRE TRANSFERS that can't be reversed.

So, it is not a fertile ground for fraud.


The problem here, for banks at least, is that even if they can be reversed, the fraudster is long gone by then and the funds have been withdrawn.


That's basically correct, though wire transfers aren't completely immutable, it's just _really_ hard to back them out.


Wire transfers can be reversed. It just requires more effort to get the involved banks to do so.


Money goes from your (Bank) account to verified entity(merchant/business, Org etc)'s bank account and they have legalities/agreements in place.


If there was a headline syndicated internationally every single time there was an ACH fraud, you would think crypto was a godsend. But right now it's the opposite, only headlines when a fraud occurs in crypto.

It's all perception. The potential for reversibility improves the customer experience, but oftentimes nobody is being prosecuted, the thieves often get the money for themselves, and the banks/insurance eat the loss.


Regulation E limits liability for fraud. ACH isn't an anonymous system either.


How does Reg E limit the liability for fraud?


The bank's responsible if you report it within a timely manner: https://www.consumerfinance.gov/rules-policy/regulations/100...


I'd like to know too.


It does sometimes get abused, but such abuses fall under wire fraud laws, which carry heavy punishments.

So, the legal system is the prevention mechanism for abuse here.


That is kind of scary. If someone dug through my trash and found a torn up voided check they could withdraw my whole account. I don't really have enough money to hire lawyers and I'm not sure what police could do and besides I'd be broke.


>I don't really have enough money to hire lawyers and I'm not sure what police could do and besides I'd be broke.

You would call your bank and they would reverse it. You would have your money back in a business day or two. That's why ACH isn't "abused".

What would be more worrying is if some multinational company accidentally debited your account. That would be harder because your bank would likely just side with the multinational who inadvertently stole your money. However, I don't think that is a weakness that exists solely with ACH.


About 15 years ago a company kept taking money out of my checking account via ACH every two weeks. It was a large, well-known company, but I had never done business with them. I contacted them and the only answer I could get was "well, if we have your information, you must have authorized it, so I can't help you. Besides, you don't have an account with us, so I can't stop it."

dafuq?

So I went to my local bank branch during lunch and explained the situation. The bank manager told me that she could stop it immediately, and reverse all the transactions to date, but since it was recurring, the only way she could block future transactions (outside a 6-month window) would be to close my account and open another one.

We agreed to do that.

Literally as she was going through the process, another of these phantom debits showed up. Got all my money back, had to change checking account #'s and never found out how it happened. I can only assume that the next time PayChex tried to debit my account and it bounced, they figured out their mistake.

But hey, thanks for the absolutely useless customer support! I guess it only works if you're actually a customer.


IIRC your bank could've returned the ACH with an R07 return code which would've told Paychex to suspend any recurring transactions.


Not really, they couldn't if you pay attention to what happens to your account. First of all, they'd have to gain access to ACH initiator - for which criminals do have some, but it's not likely those will be easy to access to a random trash digger. Those have non-trivial costs to establish and easy to burn and get prosecuted. And, ACH transactions are reversible for a long time, so unless you're in a coma, you keep your money at the cost of some inconvenience and some waste of time. You won't need any lawyers for that, unless a) you have an extremely shitty bank that's not afraid to lose their banking license, or b) you want to do more than getting your money back for some reason.

If they have access to a very quick and efficient cash out system, they might offload the costs onto some chump (see various "cashback" scams) but it's not trivial to make this scheme work. It can work, so shredding your voided checks is highly recommended, but it's not as trivial as finding the check, coming to a bank and saying "I'm that guy it says here, give me all my money now, in small bills please".


It's wire fraud - the feds would go after the perp, and your bank would reverse the transaction.


Also, the accounts that you withdraw from are tied to very real identity verification. You'd have to launder the money reallllll fast to make off with it

