54

My Bank of America checks contain my routing & account number, which I've used in the past to make purchases online, among other things. Anyone whom I pay with a check has this information. It seems like this account info is even more sensitive than my credit card #, since with Visa I am protected with a Zero Liability policy, but I do not know that to be the case for my checking account.

I may be naive, but there's a lot of people I've paid with checks whom I would never give my credit card (e.g. people I've bought from on Craigslist). I'm now wondering if it's irrational to do this.

RexE
  • 1
    I thought that your checking/routing number can be used freely to deposit money, but to withdraw money, it requires confirmation from the account holder. Only thing I can think of is that they forge a check with the numbers? – Corey Nov 02 '10 at 15:50
  • 7
    Not true. You can deposit OR withdraw money with that number. Ever seen those infomercials where you can just read that number off to them over the phone? Worse yet, they don't even have to confirm that you approved the withdrawal before they process it. – JohnFx Nov 02 '10 at 20:31
  • 1
    That's terrible, and new information to me. I'll have to keep this in mind, but I don't write many checks as it is so I'm not too concerned. – Corey Nov 02 '10 at 21:26
  • 1
    I send cashiers checks or money orders to avoid giving anyone my bank account numbers for this reason; including mortgage and car payments. – ChuckCottrill Dec 31 '13 at 20:31
  • 2
    I am particularly wary with this situation. How is it that when we go to the store they inquire balance right there but when we deposit a false check the system cashes it instead of using that routing and account number to check for balance? –  Dec 07 '14 at 13:33
  • I too was worried about this (obviously, or I wouldn't be on this page) but it also occurred to me that if someone is using your account to purchase things or pay their bills, that you could find out easily who they are by contacting the merchant/business that was paid using your account numbers. Am I wrong about this? I check my bank accounts on line every day, sometimes multiple times a day, and my major credit card accounts too. Vigilance is a wonderful thing. Waiting for monthly statements to arrive before you spot a problem is not wise. It takes very little effort to keep on top of things –  Mar 29 '16 at 15:34
  • 1
    @user40414, "I check my bank accounts on line every day" -- you seem to have a lot of spare time :). – Alexey May 28 '18 at 08:10
  • Note that this question and answers seem to be specific to the US. In the UK and Germany, a cheque number is useless, and all you can do with an account number is set up a direct debit (Lastschriftmandat) to a third party like a utility or an insurance company. One of the conditions of being allowed to receive direct debits is that the company has to promise to return any disputed amounts immediately. – Martin Bonner supports Monica Nov 21 '18 at 20:16

7 Answers

35

Yes, and there are almost no checks (no pun intended) on people pulling money from your account using a routing number. It is an EXTREMELY insecure system. If you want a real Halloween scare, read this article: Easy Check Fraud Technique Draws Scrutiny.

Unfortunately you just have to live with it.

If you are curious why this loophole is allowed to continue, consider how hard it is to close it without undermining the convenience of checks. Short of you going to the bank with each person you write a check to and showing ID to validate the transaction, I don't see how you could continue to use a negotiable instrument like this without such a security hole.

The ultimate answer is going to have to be replacing checks with other means of payment.

JohnFx
  • 3
    How long can check numbers be? What technical problems would exist with appending a few arbitrary secret digits to each check number, so that instead of the first three checks being 101, 102, 103, they'd be something like 10178342, 10231889, etc. with the bank knowing what the digit sequence should be but recipients of individual checks not? I would think that should be compatible with the existing banking infrastructure, would it not? – supercat Mar 07 '11 at 00:18
  • I don't see how that would provide any security. Who cares what check number a criminal uses to rob you? – JohnFx Mar 07 '11 at 01:47
  • 2
    @JohnFx: I think supercat's idea is that the bank receiving the check would verify the check-number-checksum before cashing/depositing the check. This could work, except that it would require cooperation between competing institutions. – smokris Nov 16 '11 at 17:33
  • Still doesn't solve the problem that anyone you write a check to can re-use the info on the check to draft fraudulently. – JohnFx Nov 16 '11 at 19:21
  • 2
    @JohnFx You could easily make it so the check numbers can only be used once (see: nonce), are not sequential, and the number is large enough it can't be guessed statistically without trying millions of checks. – Bryan Anderson Nov 18 '11 at 16:38
  • 1
    @JohnFx: If it's so easy how do you actually withdraw money from someone's account given their account information? I feel like everyone says it's a piece of cake, but no one describes how, which is ironic given that it's supposed to be so easy and legal (assuming you have their permission). – user541686 Aug 09 '14 at 00:05
  • There are companies that let you pay by check over the phone just by giving them the numbers on the check. They create an electronic check and send you the merchandise. – JohnFx Aug 09 '14 at 00:48
  • I know how to close it. 1) Require original check to be returned to bank holding account. This permits strong anti-dupe to be embedded in the check blank. 2) Bounce duplicate check numbers even as holder in due course (powerful enough force to drive #1). – Joshua Feb 28 '15 at 19:07
  • 1
    @Joshua - When a withdrawal is made using the ACH system, there is no check number involved. All that's necessary is the routing number and the account number. Even the account holder's name is not required. – Kevin Fegan Jun 21 '15 at 09:26
  • @KevinFegan: I'm talking about securing CHECKS, not the completely broken ACH mechanism. – Joshua Jun 28 '15 at 00:33
  • 1
    @KevinFegan The ACH system could be changed to require a pass code that can only be used once. The account owner could then be given a list of pass codes. For cases where you authorize repeated transactions -- like monthly automatic billing -- there could be pass codes that can be re-used, but only for transfer to the same account as the first one. Yes, this would be an extra hassle. Whether people would be willing to do it for the sake of the added security, I don't know. – Jay Oct 13 '15 at 13:33
  • @Joshua - I understand you're talking about paper checks. But any paper check can be converted to EFT/ACH by most businesses, or by any bank that handles the check. Also, paper check can be converted to an electronic image "substitute" and sent electronically. In either case, an image of the original check is retained and the original check is destroyed. Any anti-dupe or other security features on the original check are lost if the check is converted. http://www.occ.gov/topics/consumer-protection/depository-services/writing-check.html – Kevin Fegan Nov 05 '15 at 04:38
  • @Jay - Say I send my friend, or my insurance company a paper check. They deposit it and their bank converts the paper check to ACH and destroys the original check. 1) How would I convey to that bank (not MY bank) what the "passcode" is?, 2) How would I even know they would need me to send them the "passcode"?, and 3) How would I know that the person requesting the "passcode" is trustable? – Kevin Fegan Nov 05 '15 at 04:53
  • 1
    @KevinFegan My idea was that the bank would give the account holder a set of pass codes, each of which could only be used once. 1) At the same time that you gave the vendor your routing and account numbers, you'd also give them a pass code. They would presumably know you need to give them a pass code and would ask for it, just like they know to ask for your account number. 2) Because that would be the agreed system and vendors would know what to ask for. How do you know that you need to give them your routing code? 3) Sure, my suggestion would do nothing to protect you from willingly ... – Jay Nov 05 '15 at 14:18
  • ... giving your account information to a scammer. The idea is that it would protect you from forgers and identity thieves. If someone intercepts a transmission or hacks the vendor's records or whatever and gets your account number et al, it wouldn't do them any good because the pass code is not re-usable. – Jay Nov 05 '15 at 14:21
  • @KevinFegan: You touch on the problem. The problem is in fact that ACH is horrendously insecure. My plan calls for the anti-dupe operation to be something that works with a check image. No check image -- no payout. – Joshua Nov 05 '15 at 16:14
  • @Jay - In the scenario I was presenting, I sent someone a Paper Check, and I assume there would not be a need for a passcode with a paper check. The business can convert the Paper Check to ACH, or they can deposit the Paper Check. If they deposit the Paper Check, their bank can convert it to ACH. In either case, particularly the second, how would I communicate the passcode, or even know I need to communicate the passcode to someone else's bank? – Kevin Fegan Nov 06 '15 at 01:14
  • 1
    @KevinFegan Sorry, I didn't read your post carefully enough. You were responding to my post about ACH, and I didn't catch that you had shifted to talking about paper. But that's the easy case: The pass code could be printed on paper checks, like supercat said. Each check would have a different pass code. If your bank prints the checks, they know what pass codes they printed. I guess if you go to a third-party check printer there'd be an extra layer, either you or the bank have to send pass codes to the printer or you or the printer have to send the pass codes to the bank. Either way, it's ... – Jay Nov 06 '15 at 05:37
  • 1
    ... printed on the check, so it's not like you'd have to contact the vendor's bank. – Jay Nov 06 '15 at 05:37
  • This is scary. Is there no fraud protection for this, like with credit / debit cards? If someone has my numbers and takes all of my savings (which for example may be the default cover for an overdraft on checking), am I out of luck? If they go way over whatever I have in my checking + savings, am I obligated to pay it back to the bank? – Ken - Enough about Monica May 23 '18 at 21:16
  • 1
    If we want a secure payment system, we should never need to use checks for anything these days. The underlying problem is using an archaic, dated system in a modernized economy. Does anyone actually think checks are still convenient as a method of payment? – Shorlan Dec 17 '18 at 21:26
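The per-check pass code discussed in the comments above, sketched as an added illustration; it is not part of the original thread and not any bank's actual system. The class name, the key, the five-digit length and the three-miss lockout are all assumptions made for the example.

```python
import hashlib
import hmac

CODE_DIGITS = 5   # assumption: five secret digits, as in the "10178342" example
MAX_BAD = 3       # assumption: bad codes tolerated before manual review


class IssuingBank:
    """Hypothetical drawee bank for one account (constructed for this example)."""

    def __init__(self, account_key: bytes):
        self._key = account_key      # secret shared only with the check printer
        self._paid = set()           # check numbers already honoured
        self._bad = 0                # running count of wrong codes presented

    def code_for(self, check_number: int) -> str:
        # Derive the digits from a keyed MAC so that seeing one check's code
        # reveals nothing about the code on any other check.
        mac = hmac.new(self._key, str(check_number).encode(), hashlib.sha256)
        value = int.from_bytes(mac.digest()[:8], "big") % 10 ** CODE_DIGITS
        return f"{value:0{CODE_DIGITS}d}"

    def redeem(self, check_number: int, code: str) -> str:
        if self._bad >= MAX_BAD:
            return "reject: account under review"
        expected = self.code_for(check_number)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            self._bad += 1           # 5 digits is guessable, so count misses
            return "reject: bad code"
        if check_number in self._paid:
            return "reject: already paid"
        self._paid.add(check_number)
        return "pay"


def demo():
    bank = IssuingBank(b"constructed-demo-key")
    code_101 = bank.code_for(101)
    wrong_102 = f"{(int(bank.code_for(102)) + 1) % 10 ** CODE_DIGITS:05d}"
    return [
        bank.redeem(101, code_101),    # genuine first presentment
        bank.redeem(101, code_101),    # payee replays the same check data
        bank.redeem(102, wrong_102),   # forged item with a guessed code
    ]
```

As the comments point out, an ACH debit carries no check number, so a code like this protects only items that actually present it.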
17

Yes, those numbers are all that is needed to withdraw funds, or at least set online payment of bills which you don't owe.

Donald Knuth also faced this problem, leading him to cease sending checks as payment for finding errors in his writings.

  • 1
    Look at the Wikipedia page, there is the routing number right there. http://en.wikipedia.org/wiki/Knuth_reward_check. Yup, it is easy to steal from checks with just those digits. – MrChrister Nov 02 '10 at 23:00
  • 2
    Actually, the description of the check image itself (http://en.wikipedia.org/wiki/File:Knuth-check2.png) reads: "Note that the machine-readable numbers at the bottom of the check have been randomly swapped or modified, so that no personal information about Don Knuth's personal bank account is leaked through this image." – mskfisher Nov 03 '10 at 11:51
6

That's accurate. Here is another risk with the current checking system, which many people are not aware of:

Anyone who knows your checking account number can learn what your balance in that account is. (This is bank-specific, but it is possible at the major banks I've checked.)

How does that work? Many banks have a phone line where you can dial up and interact with an automated voice response system, for various customer service tasks. One of the options is something like "merchant check verification". That option is intended to help a merchant who receives a check to verify whether the person writing the check has enough money in their account for the check to clear. If you select that option in the phone tree, it will prompt you to enter in the account number on the check and the amount of the check, and then it will respond by telling you either "there are currently sufficient funds in the account to cash this check" or "there are not sufficient funds; this check would bounce".

Here's how you can abuse this system to learn how much someone has in their bank account, if you know their account number. You call up and check whether they've enough money to cash a $10,000 check (note that you don't actually have to have a check for $10,000 in your hands; you just need to know the account number). If the system says "nope, it'd bounce", then you call again and try $5,000. If the system says "yup, sufficient funds for a $5,000 check", then you try $7,500. If it says "nope, not enough for that", you try $6,250. Etcetera. At each step, you narrow the range of possible account balances by a factor of two. Consequently, after about a dozen or so steps, you will likely know their balance to within a few dollars. (Computer scientists know this procedure by the name "binary search". The rest of us may recognize it as akin to a game of "20 questions".)

If this bothers you, you may be able to protect yourself by calling up your bank and asking them how to prevent it. When I talked to my bank (Bank of America), they told me they could put a fraud alert flag on your account, which would disable the merchant check verification service for my account. It does mean that I have to provide a 3-digit PIN any time I phone up my bank, but that's fine with me.

I realize many folks may not be terribly concerned about revealing their bank account balance, so in the grand scheme of things, this risk may be relatively minor. However, I thought I'd document it here for others to be aware of.

D.W.
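Seen from the bank's side, the halving pattern described in this answer is visible in the verification line's own records. The following is an added example, not part of the original answer: the log format, account labels and thresholds are constructed assumptions. It computes how tightly the answers already given bracket an account's balance and flags accounts where a short burst of queries has narrowed that bracket.

```python
from collections import defaultdict

# Constructed sample of verification-line records:
# (epoch_seconds, account, amount_in_dollars, answered_sufficient)
SAMPLE_LOG = [
    (1000, "ACCT-A", 10000, False),
    (1060, "ACCT-A", 5000, True),
    (1120, "ACCT-A", 7500, False),
    (1180, "ACCT-A", 6250, True),
    (1240, "ACCT-A", 6875, False),
    (1300, "ACCT-A", 6562, True),
    (1400, "ACCT-B", 120, True),     # one merchant, one real check
    (90000, "ACCT-B", 45, True),     # another check a day later
]


def leak_bracket(queries):
    """Return (low, high): the balance range implied by the answers given.

    A 'sufficient' answer proves balance >= amount; an 'insufficient'
    answer proves balance < amount. high is None while unbounded.
    """
    low, high = 0, None
    for _, amount, sufficient in queries:
        if sufficient:
            low = max(low, amount)
        elif high is None or amount < high:
            high = amount
    return low, high


def flag_probing(log, window=3600, max_queries=3, min_width=1000):
    """Flag accounts whose answers within `window` seconds pin the balance
    to a range narrower than `min_width` dollars using more than
    `max_queries` queries. Thresholds are illustrative assumptions."""
    by_account = defaultdict(list)
    for ts, account, amount, sufficient in log:
        by_account[account].append((ts, amount, sufficient))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1           # slide the time window forward
            burst = rows[start:end + 1]
            low, high = leak_bracket(burst)
            narrow = high is not None and high - low < min_width
            if len(burst) > max_queries and narrow:
                flagged[account] = (low, high, len(burst))
                break
    return flagged
```

On the constructed log, ACCT-A is flagged at its fifth query, while ACCT-B's two ordinary verifications a day apart are not.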
5

The bottom line is to keep most of your money in accounts with no check privileges and to not give the account numbers for these accounts to anyone. Keep just enough in your checking account for the checks you are going to write.

  • This is also a good idea (of course) when you have to give someone your account number so that they can send you money. – poolie Dec 30 '10 at 23:23
  • @poolie There are several 3rd party payment sites that would suffice to fill in this gap: Venmo, Zilla, etc.

    This can sufficiently, and freely transfer money to/from your checking account, and act as an intermediary step between you and untrusted parties.

    – Shorlan Dec 17 '18 at 21:28
4

When someone as esteemed and smart as Donald Knuth tells you the chequing system is busted it's time to close your cheque account, or I guess live with the associated risk.

Answer to question, yes your account information can be used to commit fraud on you via your bank.

Anonymous Type
3

I was a victim of this. I'm not sure who got my routing and account number off my check, but someone subscribed to Playboy.com using my bank account information. Luckily it was only for about $30 and the bank refunded my money. However, it was a mess in that I had to open a new checking account and keep the other one open until all checks cleared. The bank was extremely helpful and monitored the account to make sure only the checks I told them about were processed. I then had to close the old account.

This is why I believe checks are much less secure than credit cards or debit cards. A paper check can lie on someone's desk for anyone to pick up or write the information down off of it. I avoid checks if at all possible. For things like Craigslist, I would try to use PayPal or some other intermediate processing service.

SchwartzE
-2

Yes this is a huge security loophole and many banks will do nothing to refund if you are scammed. For example for business accounts some Wells Fargo branches say you must notify within 24 hours of any check withdrawal or the loss is yours. Basically banks don't care - they are a monopoly system and you are stuck with them. When the losses and complaints get too great they will eventually implement the European system of electronic transfers - but the banks don't want to be bothered with that expense yet.

Sure you can use PayPal - another overpriced monopoly - or much better try Dwolla or bitcoin.

blabla
  • PayPal is it is often linked to draw from your checking account. I know PayPal can draw from your checking account. Can your checking account (if insufficient funds, but sufficient in PayPal) draw from your PayPal account? – TARKUS May 23 '17 at 15:18