Hacker News new | comments | show | ask | jobs | submit login

And no security. That's not so great.

EDIT: What I mean by this is that if you give me your account number so that I can deposit into it, then I can also withdraw out of it (not through the Dwolla API, but trivially by other means -- see http://perimetergrid.com/wp/2008/01/01/checks-the-most-dange...)

It's a problem with ACH in general. However, debits from consumer accounts (or, more accurately, those initiated with a "PPD" code) can be refuted for something like two years.

By submitting a file straight to the networks, I could also debit a nonexistent account for $20m and have it show up in my account the next morning. Wouldn't hang around for long though.

You can always refute it. Whether you'll get your money back or not is an entirely different matter. The consumer protections on ACH are much weaker than credit cards, so it's pretty much up to the discretion of your bank.

It's not that their that much weaker. You have 60 days as an individual to dispute a debit, but it's seriously painful. You will likely have to go into a branch and fill out a physical document. In comparison, Amex has a link that says "dispute" next to each transaction.

This is an inherent flaw in the system though, right? Not anything new.

Not quite. This makes ACH more accessible than it was before, which makes it that much easier to commit ACH fraud. Also, it is possible to layer a secure layer on top of ACH, but Dwolla didn't do that. They either chose not to, or they don't know how. They just exposed the ACH functionality directly.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact