Business accounts are even worse - they're governed by the Uniform Commercial Code rather than consumer law, and you only get 24 hours to report fraud. If someone sucks $200k out of your account and you don't catch it in 24 hours, there's a possibility you'll never see that money again.
What a lot of people do is set up an 'incoming payments' account, an 'outgoing payments' account, and a 'storage' account. Have your bank block all external withdrawals from the incoming account, block all external deposits to the outgoing account, and automatically move money once a day from the incoming account to storage and from storage to outgoing (keep, say, $10,000 in there at all times). Never write checks against the storage account, or give the number out in any way.
On one hand, ACH is technically insecure. On the other hand, if a scammer can get away with the money, a terrorist could get funded with the money, so money laundering and anti-terrorism laws have the side effect of making it hard for people to get away with it. And then you just throw the scammer in jail.
The article mentions handing a check to your landlord. Personally, as a landlord I set up an incoming rent checking account, hand out the checking account information to tenants, and let the tenant deposit the money electronically or by driving to the bank. I've asked my bank to reject withdrawals but accept deposits from that account, and use a debit card to pay for maintenance and utilities. I'm considering using SaaS software to collect this, mainly to ease accounting; I'm not worried about security here.
As a fellow landlord, I agree that checks are a giant pain. I'm actually working on making a mini-SaaS just for myself to use, using Stripe to handle ACH payments.
> The physical check itself – the piece of paper – has to be genuine,
This is wrong, right? There is no such thing as a genuine check outside of conventions for repudiation (out of order check numbers, not on my check paper). Whether it came from the checkbook my bank sent, or out of my printer, it is just as good. Legally, writing it on a napkin would probably work, but draw lots of scrutiny because it looks suspicious and can't be processed automatically.
That's correct. I worked at a bank for years and once a month I would get a check written from the same older gentleman on half a sheet of yellow legal pad.
He apparently thought buying checks was a scam and he saw no reason to buy them when he could just use a sheet of paper.
Also, businesses used to have counter checks available for customers (if they took checks). Basically a standard blank form, sort of like what banks have for withdrawals but less formal. Sometimes mentioned in 70's TV shows/movies like Columbo.
The first couple of times I called and confirmed that he did write the check. Also the banking systems keep copies of signatures so I checked the signatures as well.
Once it became a regular thing, we made a note on his account.
But it depends a lot on jurisdiction and local law.
Most banking systems I've worked with have a field 'cheque book issued' which is sometimes linked to a rule 'cheques outstanding'.
If the 'cheque book issued' field is false, no kind of cheque will be cleared. I'm not familiar with the US, but if an account was named a 'chequeing account', that would imply this is always set to true. Various red flags also exist, as a cheque book has cheques numbered, so the same number being used would result in payment denied. In the UK, payee blank cheques were disallowed in the 1990s, etc.
A long list of red flags, because banks hate cheques. The industry term is 'Manually Initiated Fund Transfer' which means, at some part of the transaction (any transaction - could be updating an interest rate, or an authorised signer), a manual step was involved. This creates huge risk of fraud, banks dislike fraud, and legal punishments are large, especially for the bank which has a procedure with holes to let it happen.
Cheques are manual, the responsibility is on the bank. An online initiated transfer, the responsibility is on the customer to ensure their password is safe (and the bank to also do automated checks - unusual IPs, 2nd factor confirmation, but much easier to automate). So a bank refusing to authorise payment from a cheque written on a napkin can be expected, as long as the process is documented as fraud control. Printing on company-headed document would probably work - the first small payment would raise many red flags, but if that cleared, future similar payments would be OK'd.
A single cheque to empty an account? Some kind of 2nd factor authentication would be employed by any sane bank, such as an old-fashioned call to the number the account is registered with.
I don't know about the legal effect of this, and I don't know about the situation in the US, but here in Australia the requirement that you must use a cheque form supplied by the bank is generally listed in the account's terms and conditions which are contractually binding.
Now this has got me wondering, how far off do you have to be from a standard bank-formatted check before one of those "deposit with your phone" banking apps will reject the check? I do bet that at the very least, someone with good penmanship could manage to "draw" a check that one of those apps would deposit. But could you go further?
Anyone coming to the US from most of the world is painfully aware of how antiquated the whole system is. For a business accepting relatively few large payments, a major issue is the cost of payment.
For all their absurdity, paper checks are the only universally accepted almost-costless way to transfer money. ACH, wire transfer, card payments all come with an added cost of up to 3%, and every single proposed replacement system we've seen comes with new fees attached. For a payment of $10,000, payment by check costs perhaps $1. Payment by a 1% fee wire transfer system (most of them cost more) would be $100. Flat fee wire transfers range from $30 / transfer up.
Given how big and archaic ACH is now, and how expensive replacing it would be, I can't see a way out of this unless banks are required by regulation to provide an aggressively low-cost transfer mechanism.
Banking regulations in Europe require electronic transfers within Europe* to be processed for free within one business day. I've ordered computer hardware, international flights, and paid lawyer fees this way.
I believe such a system is safer to use for the average customer because the law is on his side. A routing number is (as far as I know) not considered a secret and every judge will rule that it's the bank's fault for authorizing the transaction, not the user's.
If the user were to use any kind of authentication (such as typing a pin in a card reader), the bank can claim that it's the user's fault because he used his code carelessly and they are often right, people write the code on cards directly or use their birthdates but even if the pins are random, they can still be easily "cracked" (some people are super skilled in reading them from a distance while others have implemented key loggers in those readers). So you can't really use a password/pin for authentication either (because it is not that secure after all).
In my country, debit cards are quite common and debit cards never use a signature – they use a 4 digit pin instead. If your debit card was stolen, and somebody went shopping with it, you have to pay the bills because you did not protect your pin enough and it's not the bank's fault — they had enough proof for authentication. (I know quite a few people who had bills from $300-2000 after their debit cards were stolen and I can tell you for sure that some protected their PIN properly).
If you have to authenticate a withdrawal in any way, the bank will have a better chance to win a fraud case because they had enough reason to believe the transaction was authentic and it is your fault for not protecting your pin or password enough.
The bank might voluntarily rebook the transaction but why even bother if they had to do that anyways (even without a pin). The consumer is not the victim here, the bank who has to get the money back is. So why would you want to fix a system that works in your favor?
This is an interesting point. The article complains about checks being zero-factor authentication. Well, in practice, traditional chip-less credit cards are also zero-factor authenticated. The notion that our card numbers are supposed to be "secret" is plain stupid, since we give it to every single vendor we interact with.
PIN-based cards are authenticated, but the practical security around those PINs is laughable.
So would you rather have an obviously insecure but resilient system, or an unobviously insecure and fragile system?
...
Making checks secure is relatively "easy". Simply have a mechanism for the person to review and authorize every credit/withdrawal via SMS or email. The problem, however, becomes keeping that mechanism secure, especially in the age of easily stealable and hackable mobile phones.
I want to have a system which protects me from money loss (through my own fault, a malicious third party, or my bank's fault). I don't care how as long as I'm protected. With Chip-and-PIN cards, I'm not protected because I have to prove that it was not my fault (which can be incredibly difficult to do). So, I personally prefer cards that require a signature.
It doesn't matter to me if it has a chip or not (the chip has nothing to do with the pin, there are also chip-and-signature cards and cards that support both. The chip makes it hard to physically clone the card).
So, if zero authentication means that I am not liable for financial damages, I'm happy with it but I wouldn't bother to use a pin if I had the same liability. Unfortunately, the pin adds laughable authentication which makes me liable for many types of fraud (see the video).
Wow, from a German perspective that sounds absurd. Bank transfers in the Euro zone are free (SEPA). Within Germany they've been free as long as I can remember. I've never written a cheque in my life.
Even in the UK they're finally being aggressively phased out. When I moved here in 2000 was the first time I'd had a cheque book - in Norway where I'm from, I believe my parents last used cheques in the 80's.
Like Germany, Norway have/had giros in widespread use, though. The UK technically had a giro system, but actual giros are rarely used here. The big difference between a giro and a cheque is that with a giro it is the payer rather than the payee that instigates the transaction - either directly to the recipient's bank account, or by effectively registering an approval with the bank and sending something similar to a cheque to the recipient (but with the difference that the sender has first directly confirmed the transaction to the bank).
So to me cheques have always seemed backwards from the logical flow.
- Only some banks have the ability to initiate an arbitrary ACH transfer online (transfer between accounts that you own at other banks is a little bit more common).
- Even fewer of those banks make this feature free.
- Sometimes it is very well hidden inside the "Online Bill-Pay" feature (which wants you to search for an institutional payee by name), and no indication is given that you might use it to pay someone who is not a large corporate biller.
- Credit card companies and utilities usually provide a feature to give them your account number so that they do ACH withdrawals from their side automatically. They like it because you can't forget to pay. You should be wary of it because money just disappears from your account with no action taken on your part, and that's scary. A push-based option is much rarer - they will never just give you an account/routing number to push money to.
- There is never under any circumstances any kind of fee to write or deposit a check (provided it doesn't bounce).
- Usually your first couple of checkbooks are free (or pennies per check). If your banking relationship is large enough, then depending on your bank subsequent checkbook orders may be free as well.
- Far and away the easiest, least risky, most comfortable way to pay someone you are sitting next to is for you to write a check, and for them to take a picture of it with their mobile banking app.
Ya, I sometimes feel like Canada is the only developed country with a more insane banking system than the US. But in reality I think we're both about equally insane, in different ways.
Canada is about 15 years behind the US in terms of banking. (But about 3 years ahead in terms of credit cards, interestingly enough.)
We avoided the mortgage securitization nightmare literally because Canadian banks hadn't gotten around to it yet. If the market crash had taken a year longer before happening, Canadian banks would have been along for the ride.
Although Canadian banks, at least 2 years ago, were unable to issue a VISA debit card linked to my business account. They wanted me to get credit, and appeared to be totally confused as to what a VISA debit card was. When I asked how I could go about registering, say, domain names, or purchasing stuff overseas, they said "Interac". It's almost adorable.
I really don't blame them for being confused about VISA debit cards. They hardly exist in Canada; they were originally a scheme to allow credit card transaction processing fees on debit transactions, and Canada quite reasonably didn't buy in.
The problem is really that Canada's interac system -- which was very advanced for its time -- never reached outside of the country or online, and market share means that you really want your payments to go through the major international card networks. But that's a matter of getting unlucky in backing the wrong horse more than anything else.
In many other countries with domestic card schemes, EMV cards are often co-branded with other domestic schemes to allow the same card to be used internationally. Domestically, low fees are maintained, but internationally the card would still function. This was more or less forbidden in Canada (see item 6):
According to some of my colleagues, these regulations were explicitly made to protect Interac against Visa debit and Maestro which were characterized as domestic schemes from the Visa and MasterCard network.
Because there are no co-branded cards, it also means that Maestro is not really accepted at many POS devices in Canada.
I'm counting credit cards as part of "banking". Financial services would maybe be a better name.
As far as insanity, I mean more little things. I can't speak for most US banks, as I only have accounts at BMO Harris. But for one thing, the statements I get from them are nuts. They list deposits, and withdrawals - the amounts, but not the dates, and not the resulting balance. And then separately they list a record of the balance throughout the month - not the amounts of the changes, but the new balance after each change, along with the date.
So in order to determine wtf actually happened, you have to compare the (potentially long!) list of undated transactions with the changes in balance throughout the month (which you have to calculate yourself) to find out what happened when. I mean... it's seriously like it's intentionally as convoluted as possible.
My statements from BMO Canada on the other hand show a sane account listing with transactions, dates, amounts, and resulting balance.
On the other hand, BMO Harris will mail a physical check (not a cheque! :P ) to anyone in the US for me, for free. Coming from Canadian banking, I was shocked that such a service existed, let alone on regular accounts with no usage fee. It's hilarious that you can do that but you can't send electronic transfers, but it's still extremely convenient, especially when doing business remotely from Canada!
Huh, I didn't know that BMO Harris would mail checks. It could have been useful to me... is that the 'business bill pay' feature I've never figured out on their website?
I agree that the printed statements are weird. I'm guessing this is an American thing? I don't have experience with any other US banks to compare against.
Business bill pay, yes. If you make a payment to an entity that is set up to accept electronic payments they'll do that, but otherwise they'll cut a check.
I'm actually really curious whether other American banks have equally terrible statements, or if it's just them. Anyone?
At my first startup, checks were the industry standard and we naively thought that we could change behavior by introducing modern payment tools to our customers.
It turned out that our customers used checks because it helped with their cash flow. They could tell us they "cut a check" on Friday, mail it on Monday, we'd receive it on Wednesday, and the money would be in our bank account Thursday. They basically were able to hold onto that cash for an extra 5 days, compared to a wire transfer.
It would seem this is only helpful if you have more outflow of payments than inflow. If other customers/suppliers are using the same tactic, all it does is slow down delivering products and services.
Generally, for services provided, Accounts Payable aim for 60 days after service provided, and Accounts Receivable aim for 30 days since service provided.
I dislike it, and have a far nicer relationship with companies that pay on-the-spot. Indeed, I bend over backwards for such clients.
Most American small businesses would be out of business if they had to pay even 1 day earlier than 30 days (or whatever the industry standard is). Most pay well past the due date. They need to wait the industry standard to get paid themselves. Business runs on credit, and even big businesses operate paycheck to paycheck.
It's a scale thing, I think. In NZ if you are a bank wanting to introduce new technology for payments then you have exactly 5 other banks that you need to get on board. In the US there's many thousands.
e.g. The NZ banks jointly own the company that processes EFTPOS payments. A system like that could never emerge in the US. Instead, people have debit cards, which are manageable because they go through the credit card companies and there are only a handful of those.
But yeah, it's all incredibly primitive and fraud-prone compared to NZ or Europe (I've lived in all three).
But it still has introduced SEPA over its whole area. If anything, a country should have less of a problem than a still somewhat disjoint union of 28 countries.
You're right there. NZ introduced a new interbank transfer system about 5 years back I think, and by the end of this year, all the banks are going to be on it; ANZ is the only bank that isn't right now. It means that instead of inter-bank transfers being processed once a day at closing, they're now processed hourly.
US banks, through their American Bankers Association, already collectively own the Corporation for American Banking, which provides services to all banks. The average voter might have misgivings about collective ownership, but banks will hardly let it get in the way of their business.
Always when it is about payments in the US I understand more and more why fintech startups are so successful in the US. In Germany I don't really see the point. Wire transfers and deposit entries are cheap, reliable and they work with every bank.
So fintech startups here have a much harder time explaining what is different about them.
BTW, the case that is described in the article sounds to me like some kind of deposit entry fraud. Something I feared for a while in Germany, because deposit entries are very common for e.g. phone bills. But there seems to be one difference: in Germany you can simply cancel it and get your money back, usually within 6 weeks, but courts already ruled that this is just the minimum time.
A computer generated check is absolutely as valid as a paper check from your checkbook. I routinely generate images of checks which I then snap a picture of right off the monitor in order to remote deposit. Of course this is always done with the written and signed consent of the account holder.
Since you can't ACH outside of the US (I think) and any bank in the US has pretty strict "Know Your Customer" requirements, you will know for sure at least the first hop of where the money went.
I've heard of "work from home" schemes to include people acting as a middle-man for funds like this. They receive the ACH funds, and then they wire them overseas or send them via Western Union. These people, whether they were honestly duped or not, have committed a felony.
So when people worry about checks containing all the data you need for someone to empty your account, the first thing to consider is deterrence is very strong in this area because the penalty is massive, and tracking where the money was sent via ACH is easy.
That said, it would be nice if they could phase in a new standard which used one-time codes and provided real-time validation for this sort of thing. ACH transfer fees are extremely low compared to credit cards after all.
Relying entirely on KYC to identify abusers is very fragile. Not only does the USA not have a modern banking system but it also lacks robust ID verification procedures.
Sort of. There are "International ACH Transfers", but they're not exactly like domestic ACH transfers; I believe they need extra AML information added, for one thing. Being able to make domestic ACH transfers does not imply being able to make international ACH transfers.
> I routinely generate images of checks which I then snap a picture of right off the monitor in order to remote deposit. Of course this is always done with the written and signed consent of the account holder.
This is clever on your part, but holy cow there should be a better system than this.
Donald Knuth was saying this how many years ago? It's got to be something like 10 years now. This is why he stopped sending out checks for people finding bugs in his books.
Most of Retail stopped accepting checks about 15-20 years ago, iirc. It was about the time laser printers and copiers came about that everyone realized how insecure they were. Now, banks are one of the few places that accept that form of currency.
Edit: Judging from the replies, my personal memories are incorrect.
Not in the US they haven't. I've certainly watched it enough to know the hoops they can jump through, the long method: Check is scanned by a machine at the register and a modem or network check happens to make sure the account is in good standing, they get the person's id and write things down on the check from it and then ask for a phone number. Makes me appreciate self checkout a lot. Sometimes they just scan the check and give it back, which typically confused the heck out of the person who just wasted 2 minutes filling it out.
The security of checks has never depended on difficulty of duplication. Most places checks at least used to be valid if you simply wrote the right information down on an arbitrary piece of paper.
The percentage based fees for electronic transactions are absurd. We're talking about moving a number from one database to another. The effort doesn't scale with the size of the number. It's not like we have to move a truckload of gold. There's absolutely no reason it should be based on a percentage of the money being moved.
I remember reading about Patrick Combs [1] depositing a "sample check" from some junk mail and it ended up clearing, despite it saying "not negotiable" on it. I wish his original story was still on the web because it included a ton of detail about what happened, but alas ...
> By using a debit card, you’re moving money over the relatively secure Visa or Mastercard rails, rather than over the ACH rails.
Well... Someone who has your Debit card number and expiration date can remove money directly from your checking account just as someone who has your routing number and account number can. I never use ANYTHING connected directly to my checking account to pay, unless it's the only option. There are a few things I need to pay with a check, but I see literally zero reason to use my debit card. My credit cards are accepted in all the same places and they provide me with more protection (in the sense that there's a buffer between them and my cash - even if I get reimbursed for fraudulent debit usage, the money is gone from my account for some period of time, allowing checks to bounce and other bad things to happen).
This is more an issue with your bank being too lazy to do 2-factor authentication properly than the network itself, which supports authentication mode for almost all channels. My company provides tools for testing payment terminals/networks and I always make sure I use my actual debit card when I demonstrate our tools. My bank will not authorize transactions without proper authentication, so it really doesn't matter if people see my PAN/expiry date. Even using my credit card online requires proper authentication when the site supports 3D Secure.
I would love to move away from checks, but (ironically) they're the cheapest, quickest, most robust way for me to transfer money digitally between family and friends. Write a check, endorse the back, take a photo with a banking app, and money is moved from one account to another without any additional fees.
Wow, what a massively convoluted process. So you don't have the concept of bank account numbers in the US?
Speaking as a Scandinavian expat, in Norway, a bank account number is all that's required for an IB transaction - whether to a private individual or an institution for paying bills etc (which will also require a reference, typically). The account number incorporates all required processing information.
In Australia it's slightly more complex by the availability of options; the routing info is split out into a BSB (bank branch identifier) so you need that as well as account number - and account name - for a payment to an individual.
For bills you have BPay through your Internet Banking (very similar to a BSB+Account No payment yet a different method, and it doesn't require you to enter a name as the BPay number will resolve to a named organisation). There are typically no transaction fees.
Outside of Internet Banking there is also a similar Australia Post system, as well as credit card payment methods.
Anyway I thought the Australian system was a bit hard or confusing at first, but the concept of creating digital images of cheques sounds outdated and painful.
> So you don't have the concept of bank account numbers in the US?
Was that really called for? Checks have account numbers on them. And checks aren't the only way to pay for things.
The signature is a security measure. Not a very good one, but in terms of the process is the same as your password or whatever authentication you use. You do authenticate, right? You do need more than a single bank account number to complete your transaction, no?
By comparing the security procedure of US checks to the information needed without security elsewhere, you're exaggerating the difference. It is easier like you say, and checks should die as fast a death as possible, but the process you replied to takes 30 seconds to perform, not massively longer or more difficult than authenticating with your bank and doing it online.
Sorry by "account numbers" I meant a standardised system of these, serving as foundation for electronic banking.
In Norway: That single account number is all that's required to send someone money, with amount mandatory and an optional reference. From what I know, they've tightened security down a fair bit and require TFA devices etc, so it may not be as easy as in Australia.
In Australia: On my Android device I use biometric authentication (fingerprint) as a shortcut to the username password that is required on first time login; the username is different to my account number.
When transferring to a new recipient, an SMS confirmation code must be entered. I already explained what destination information was required, but omitted that for BPAY, we require our customer number reference.
Once entered it is saved, which means a manual bill payment is as easy as: Log in, select payments, select recipient, dollar amount, submit then confirm => done. (Including login I can pay say my ISP bill in less than 30 seconds). Of course these can be made recurring.
I would say this electronic, biometric model sounds significantly easier, but then I've never lived in a place where banking is so paper based so that's just my world view.
(I received a bank cheque some time ago and honestly had no clue on how to cash it, so rare is this. I learned that our ATMs now feature scanners for depositing, but it took nearly a week to clear).
Yep, it's pretty antiquated. Wells Fargo only added the ability to transfer money to an account number online a couple years ago and I think it still only works with some banks.
Ditto. I have two bank accounts with the same bank, and the easiest way for me to make a transfer is to write myself a check and snap a picture with the app. It's ridiculous.
Yes. In the US, I write one to my housekeeper every few weeks. I just made an estimated tax payment to my state today. I regularly use them for payments on weekend trips I lead--although Paypal is increasingly used.
So, yes, I don't use paper checks as commonly as I used to, but they're still pretty common.
In the US, there are plenty of stores and restaurants that do not take any form of electronic payment. It's cash or check. Ask the business owner and it's always because of the fees.
And the major credit card brands all have "most favored nation" clauses in their terms of service, so if Discover gives you lower fees, you can't charge less for Discover than for Visa.
Exactly. Amex has become almost worthless in the US for me because most retailers don't accept it. (When I've asked them why, they say the fees are too high and Amex takes too long to pay them.) Amex still works for airlines and hotels, but not much else.
Heh. Here in .au Amex acceptance is pretty limited in most smaller businesses, but it's universally accepted at supermarkets and department stores, upmarket restaurants, etc. Smaller businesses, as well as hotels, tend to charge surcharges of 1-4%, if they accept Amex at all.
They're still very useful in the US. If I want to give someone money and I know their name and address, often the easiest way to do this is by writing a check and mailing it to them.
I'm in the US. Almost all of my work as a musician is paid by check, i.e., 3 - 4 checks per month.
This has changed over time. When I first started working as a freelance musician, clients such as bars and restaurants paid cash. That came to an abrupt halt around the same time as Sarbanes-Oxley, don't know if it's a coincidence or not. Today, the bandleader receives a check, and writes checks to the band members.
We use them to pay our gardener and housekeepers, because neither accepts credit cards. I suppose I could pay the gardener with online billpay, but he gives us an invoice that he wants us to mail back with the payment. And we pay the housekeepers when they're here, so online billpay wouldn't work. Only other option I see would be to go to the bank every week to withdraw the cash...
About the only holdout here in Australia is the real estate industry. When you buy a house at auction you have to write a cheque for the deposit (5% or 10%) on the spot. You normally can tell the agent to not bank the cheque and then pay by electronic transfer on the Monday.
My rental company charges a 3% fee for online payments, so I mail them a check every month. Looking at my checkbook I've written about 175 checks since opening my account in 2002, mostly (but not all) for rent.
23, Australian, have written maybe a dozen personal cheques and a couple of bank cheques, and received maybe 3 or 4. Last time was depositing $20 from my grandmother as a birthday present a couple of months ago...
I've never owned a checkbook, and the only checks I've ever received were from my grandparents (on my birthday) or a tax refund. And tax refunds switched to direct deposits around 10 years back.
Yes, although they usually demand a bank cheque (which I think is what is called a "cashier's check" in the US), not a personal cheque. You go to the bank teller, you pay them the amount plus a fee (usually out of your bank account), and the teller issues a cheque in the bank's name not yours.
I also occasionally get bank cheques in the mail from companies. If you have a utility account, and you close it, and it is in credit, they'll mail you a bank cheque for the credit amount.
Actual personal cheques - my grandparents used to give me those for my birthday. That's probably the last time I can ever remember encountering one.
No actual news, just ACH as it has been for many years. The author was annoyed that credit card companies allow users to pay by "eCheck" without prenote or deposit confirmations.
> The good news is that online ACH fraud is relatively uncommon, just because it’s rare to find an online vendor who will allow you to pay using ACH rails instead of your debit card. The case of paying off a credit-card bill is a unique one, because you can’t use a credit card to pay off a credit card.
I don't understand why people set up automatic payments on the payee's site. If you initiate the payment from the bank, you have more control over when it goes out, can review the bill before authorizing the withdrawal, can see all of your pending payments and their effect on your balance, etc. I don't like giving anyone access to one of my accounts. Credit cards are a decent buffer against this, as you get time to review the bill before paying.
I used to work for the largest provider of bank bill pay in the US (contracted with ~80% of banks, IIRC). I would say that 95% of customers using the service had no clue how it actually works.
In fact, the default payment method of bank bill pay is to mail a paper check. Sometimes they cut a check with your account information, sometimes they will go ahead and pull the money from your account, but send a check drawn from their corporate account. Sometimes they mail the check 2-3 days before your payment date, so that (in theory) it has time to get there, sometimes not. The only time they send electronic payments is if the payee has set up electronic payments with them, and even then they may decide to switch your payment to a check at any time for any reason.
What makes it even worse is that they try very hard to make sure customers have no way to tell how their payments will be processed, and there's never any kind of warning that something has gone wrong until you get a call about a late bill. For example, even if your payment should be sent electronically, something as simple as a typo in the account number so it doesn't match the expected length or format might result in them sending a check to your payee (with the wrong account number), meaning that your payment sort of vanishes...
Personally I always set up payments through the payee's site, using a credit card whenever possible. If they screw up the payment then it's their problem to fix.
Yes, this is what I mean. I know it's often a paper check. Much like some of the other comments, sending a paper check gives me several advantages.
I've had really bad luck with using a credit card and automatic payments. In particular, it led to my insurance being cancelled. I seem to have my card number marked bad by the bank at least once per year, and either get a new number, new expiration date, or just have all transactions blocked.
Having a scan of a cancelled check in my online banking account has worked a lot better in proving those sorts of payment disputes than anything else.
I'm not sure ACH is so much less secure than debit. You hand your card out to far more people than you ever send a check to and it has the info they need to use it online unless AVS restrictions are enforced by the merchant, which is less secure than a merchant enforcing ACH micro-deposits imho. With both of these authentication methods it is up to the merchant to enforce and they are liable in the end for the most part when they don't. American Express doesn't feel the need to enforce micro-deposits because they've already lent you the money so if a payment fails they're not at more risk than they were before the payment was made. In the end, it's easy to obtain the information for both and both have systems for reversing.
Checks can be forged, but passwords can be cracked, and data can be stolen. At the end of the day, it's the responsibility of the company to ensure sensitive information is safeguarded and to minimize fraud. Customers still need to understand and practice good habits, but ultimately this ends up in the hands of one or multiple companies that need to be responsible.
I used to work in bank fraud detection/prevention. In general, adding a small barrier is often enough to cut crime rate drastically. This is why people lock their doors even though a robber can break a window, or why people hide their phones in their shoes at the beach even though a thief can just check under everyone's shoes. These small barriers are actually very effective because they increase effort and the risk of being caught. Checks are by far the most frauded financial instrument and at the highest dollar amounts. It's basically the financial equivalent of keeping your door unlocked or your phone lying around unattended. http://www.stopcheckfraud.com/statistics.html
No one should use checks, and no one should accept them.
I work in a business that provides ACH services. This article overdramatizes the risk of fraud.
First, for a business to even use ACH, they need a bank account to receive payments. This involves an underwriting process and a cash reserve for any returns.
Second, businesses have daily limits they can process. This is usually well below their cash reserve.
Finally, any hint of fraud will cause the bank to drop them like a hot potato and seize their reserves for a period of time to ensure sufficient funds to process any returns. One example of fraud indication is a high return rate.
The only time I write paper checks anymore is for larger charitable contributions, where I assume the organization would prefer the handling burden over processing fees.
I like how both the use of ACH by Stripe and Plaid and this story are on the front page at the same time. ACH transactions are interesting but as the article points out reversible as well. All financial organizations agree to reverse them on demand AFAICT. That is why scammers really want you to send them cash via Western Union or something.
We already have good alternatives to these things. My financial life runs entirely in bitcoin, except for the shrinking list of payees who are still allowed to request payment in fiat money. Of course, I had to move out, live elsewhere, and continue trading from there, to make it happen. But then again, everything is so much cheaper here ...