Knowledge of the account number is not surprising, because the recipient of the cheque needs to give those numbers to his bank in order to complete the transaction.
But it is quite surprising that there hasn’t been massive check fraud, given that it is secured only by two signatures (the sender on the front and the recipient on the back). There are also many anti-forgery techniques used in printing the checks themselves, but most of that goes out the window when people can deposit them using cell phone photos.
And, of course, ACH transactions only require the numbers printed on the check.
I assume the banks employ anti-fraud technologies that don’t involve knowledge of account numbers, but I don’t know what they might be.
As I understand it, ACH transactions are protected by the ability to revoke them when you can, for example, show the signature was forged. Credit cards work similarly if your card is hacked. This may cost the bank/credit card money, but it seems to work well enough for them.
Checks have account information printed on them because they are remnants of a legacy money transfer method that was designed decades ago. There isn’t much motivation for banks to modernize paper checks because checks are used less and less and less every year plus, perhaps most importantly, the risk of fraud is entirely borne by the acceptor of a check.
Another, mercenary, reason banks don’t change paper checks is that many generate fee income from bad checks.
ACH transfers can be reversed, but the conditions vary by bank and type of transaction. Also, requests must be made in a very short time frame (often hours, not weeks as is the case with credit card disputes).
Wire transfers are pretty much irreversible.
Credit card disputes in the US are governed by very specific federal regulations. This means banks can and do handle disputed ACH and other money transfer transactions differently from disputed credit card transactions.
Functionally, checks are becoming a fallback when other methods of exchange fail, as I was reminded today when setting up a Zelle payment failed. Writing a check and dropping it in the postbox across the street (before the day’s mail delivery) was the quickest way to get the payment out when the bank’s security verification did not cooperate.
I’ll just add that at least at my bank, nobody needs to issue a check with their account details printed anymore. Instead I tell the bank (through their internet banking site) the address of the payee, the amount, and the date. They issue a check on that date and mail it to the address I supplied. On that check is, instead of account and routing no., a one-time sequence of numbers that the recipient’s bank can use to get in touch with my bank to route the funds from my account to theirs. The advantage is that neither I see the recipient’s bank details nor do they see mine. And, more importantly, the jerk intercepting the check along the way (yes, this has actually happened to us, for a $10k check actually) cannot use check details to attempt any other fraudulent activity. That system is absolutely free BTW. I don’t even pay for the postage. And so far it has worked great for us.
That’s not to say checks in 2025 are somehow still a good thing. I’d prefer we in the US would switch to something like the Swiss’ PC/Einzahlungsschein or the Swede’s Postgiro/Bankgiro system. But as long as we’re sticking with 1850s style banking, my bank’s service offers a serious improvement to security.
If the bank is providing this service through its online bill pay feature, it actually is a lot more traditional behind the scenes. The recipient receives a check that is drawn upon an account owned by the bill pay service through the mail. Essentially, it is the same as if the bank mailed a cashier’s check, purchased by the sender, to the recipient.
For anybody interested in knowing more, most banks and credit unions use a third party provider for bill pay. A big player in this space is Fiserv. So when a bank customer uses the paper check option to send a payment, the sender’s bank takes the money out of the sender’s account, the money is transmitted to (very likely) Fiserv, and Fiserv cuts a check and mails it to the recipient.
And as noted above, this process does shield the sender’s bank details from the recipient—and others. That’s a good thing.
Something to keep in mind is that ACH transactions require an ongoing linkage between the sending and receiving accounts to be set up and verified before any funds can be transmitted. In most cases, simply knowing an account number and a bank’s routing number is more of an identity theft risk than a fraudulent-ACH transfer risk.
The setup and verification process has spawned a number of companies, including Plaid, which was set to be acquired by Visa until antitrust regulators intervened, and Finicity, which was bought by MasterCard.
What’s weird about this, though? Presumably all you can do with those numbers is send money to the person’s account. You can’t withdraw money with just an account and routing number, you’d need some sort of verification. I don’t see the security risk in allowing any random person to send money to my bank account?
I understand the system allows that, but surely you can’t pay bills from someone else’s account with just their account and routing numbers? As in, if I have your account and routing numbers, I couldn’t set up bills to be paid from your account. I assume I would first have to authenticate somehow to show I have ownership/control of the account. My point is that if all someone can do with only account/routing numbers is pay money into an account, I don’t see what the security issue is.
Just as a “for example”, on the Internal Revenue Service web site I can pay my estimated taxes from my checking account using my routing number and checking account number. I enter the numbers in myself. As far as I remember, the IRS did no account verification.
That said, I do have banks that allow ACH transfers from other banks but they require that you verify two small deposit amounts that they make (usually something like $0.03 and $0.05, then a withdrawal of $0.08) before they will verify adding the account - that takes a day or two, as ACH transfers happen overnight.
There are indeed services that allow you to pay for something by simply entering account and routing. Even if it’s somebody else’s. There’s a reason I refer to this as 1850s banking.
When our $10k check was cashed by a fraudulent 3rd party, our bank made us change the associated account. The account was closed by the bank and we had to open an entirely new account. Their reason: when the fraudster took that check they acquired our names, address, and account/routing numbers. With that information they could deduct funds from our checking account (plus use the personal details for further fraud, e.g. identity theft). The bank closed that account the moment it became clear the check had been obtained by a third party. They claimed that in cases such as these, accounts usually see fraudulent charges within hours or days. We did not, in spite of the fraud only becoming evident several weeks after the check had been fraudulently cashed. So weigh that against the bank’s claims as you wish.
Edit: In case anybody’s curious about that fraudulent check, we were eventually refunded the full $10k, but it was a real hassle and involved meeting with several higher-ups at our regional branch. The problem is that everybody points to somebody else. Our bank says verifying the proper recipient cashes the check lies with the receiving bank. The receiving bank claimed they had no idea who we had given that check to, as if that mattered, but they weren’t going to refund us or our bank. It was clear the person who cashed it had signed with a name that did not match the payee as indicated. The actual payee had never seen our check (and it was their complaint about the “outstanding” check that set off the whole investigation), but the bank that cashed the check claimed they had no way of verifying that. In spite of how clear the facts appeared to me, I was surprised what a runaround the whole thing turned into. Even more so when our bank told us that this kind of fraud was very common and they had to deal with it “all the time”. Now I’m sure we could have just let an attorney figure out the whole thing for us, but even if they had secured the refund and in a shorter amount of time too, I suspect we’d have just ended up putting those $10k into the attorney instead. Damned if you do, damned if you don’t.
If merely knowing someone’s check account and routing numbers is sufficient to drain their account, then why is it that when the scammers steal mail, they do check washing instead of ACH transfers?
My assumption would be that (a) there is significant vetting of what institutions are allowed to receive ACH transfers and (b) an ACH agreement puts the liability onto the recipient.
That is – my power company or my kids’ school’s financial management company have established the ability to do ACH transfers, but I can’t go out and make an ACH transfer to myself without significant effort and paperwork. And if someone else’s routing/account numbers are used to pay my electric bill, I suspect the power company is required to send the money back and pursue me using the same means they would if I simply hadn’t paid in the first place. (The paperwork to establish ACH likely includes documenting the ability to pay refunds and certainly includes an agreement to refund any fraudulent payments.)
True…but the other side can’t withdraw money, the ACH needs to start from your end. You can set up autopay events with utilities or whatever…but you have to log in to their site and authorize those every time (at least for my utility that is paid directly from a checking account). I suppose someone with my account and routing numbers could set up to pay their electric bill from my account…but I would figure that out and they would be found.
The system in the UK seems rather more 21st-century. I’ve written one cheque in the past five years (and was moved to comment “how quaint” when told it had to be done in that way). All other transfers are made electronically.
If I want to pay via a web site, I enter my cash card details (the card I’d use to withdraw cash at an ATM). The site contacts my bank, which gives me ten minutes to open its app and verify the transaction (which it does using its own face recognition, not the iPhone’s). It tells the site that all is OK and the transaction goes ahead. I don’t do it often because I prefer to use a credit card; their systems work in pretty much the same way (AmEx uses a one-time PIN rather than facial recognition).
Single payments can be done either by setting up a payee to be remembered by the app/bank site (verified at each step) or by using “pay your contacts” on the phone.
If I want to allow a company (such as a utility company) to take variable amounts from my account each month, I set up a direct debit; that has to be done from my bank’s site or from within the app and requires the same level of security. It also verifies the payee’s name and bank details with their bank during the setup.
I don’t use cash much either: I doubt I’ve spent more than £50 in cash since the start of 2020.
Paying via ApplePay is even smoother. It brings to mind Clarke’s comment that any sufficiently advanced technology is indistinguishable from magic.