56

My Bank of America checks contain my routing & account number, which I've used in the past to make purchases online, among other things. Anyone whom I pay with a check has this information. It seems like this account info is even more sensitive than my credit card #, since with Visa I am protected with a Zero Liability policy, but I do not know that to be the case for my checking account.

I may be naive, but there's a lot of people I've paid with checks whom I would never give my credit card (e.g. people I've bought from on Craigslist). I'm now wondering if it's irrational to do this.

RexE

7 Answers

37

Yes, and there are almost no checks (no pun intended) on people pulling money from your account using a routing number. It is an EXTREMELY insecure system. If you want a real Halloween scare, read this article: Easy Check Fraud Technique Draws Scrutiny.

Unfortunately you just have to live with it.

If you are curious why this loophole is allowed to continue, consider how hard it is to close it without undermining the convenience of checks. Short of you going to the bank with each person you write a check to and showing ID to validate the transaction, I don't see how you could continue to use a negotiable instrument like this without such a security hole.

The ultimate answer is going to have to be replacing checks with other means of payment.

JohnFx
18

Yes, those numbers are all that is needed to withdraw funds, or at least set online payment of bills which you don't owe.

Donald Knuth also faced this problem, leading him to cease sending checks as payment for finding errors in his writings.

6

That's accurate. Here is another risk with the current checking system, which many people are not aware of:

Anyone who knows your checking account number can learn what your balance in that account is. (This is bank-specific, but it is possible at the major banks I've checked.)

How does that work? Many banks have a phone line where you can dial up and interact with an automated voice response system, for various customer service tasks. One of the options is something like "merchant check verification". That option is intended to help a merchant who receives a check to verify whether the person writing the check has enough money in their account for the check to clear. If you select that option in the phone tree, it will prompt you to enter in the account number on the check and the amount of the check, and then it will respond by telling you either "there are currently sufficient funds in the account to cash this check" or "there are not sufficient funds; this check would bounce".

Here's how you can abuse this system to learn how much someone has in their bank account, if you know their account number. You call up and check whether they've enough money to cash a $10,000 check (note that you don't actually have to have a check for $10,000 in your hands; you just need to know the account number). If the system says "nope, it'd bounce", then you call again and try $5,000. If the system says "yup, sufficient funds for a $5,000 check", then you try $7,500. If it says "nope, not enough for that", you try $6,250. Etcetera. At each step, you narrow the range of possible account balances by a factor of two. Consequently, after about a dozen or so steps, you will likely know their balance to within a few dollars. (Computer scientists know this procedure by the name "binary search". The rest of us may recognize it as akin to a game of "20 questions".)

If this bothers you, you may be able to protect yourself by calling up your bank and asking them how to prevent it. When I talked to my bank (Bank of America), they told me they could put a fraud alert flag on your account, which would disable the merchant check verification service for my account. It does mean that I have to provide a 3-digit PIN any time I phone up my bank, but that's fine with me.

I realize many folks may not be terribly concerned about revealing their bank account balance, so in the grand scheme of things, this risk may be relatively minor. However, I thought I'd document it here for others to be aware of.

D.W.
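Added example, not part of the answer above or of any bank's system: a sketch of how the bank's side could spot the balance-narrowing pattern that answer describes, by replaying verification calls per account and counting those that land inside the range left open by earlier answers. The log format, account labels and the `min_inside` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log of automated check-verification calls:
# (account label, check amount in dollars, answered "sufficient funds"?)
SAMPLE_LOG = [
    ("ACCT-A", 10000, False),
    ("ACCT-A", 5000, True),
    ("ACCT-A", 7500, False),
    ("ACCT-A", 6250, True),
    ("ACCT-A", 6875, False),
    ("ACCT-A", 6562, True),
    ("ACCT-B", 120, True),   # unrelated amounts, as from ordinary merchants
    ("ACCT-B", 45, True),
    ("ACCT-B", 300, True),
]


def analyse(queries):
    """Replay one account's answers in call order.

    Returns (low, high, inside): the balance range the answers reveal
    (high is None while no query has been refused) and how many queries
    fell strictly inside the range left open by the earlier answers.
    """
    low, high, inside = 0, None, 0
    for amount, sufficient in queries:
        if high is not None and low < amount < high:
            inside += 1          # this call narrows an already bounded range
        if sufficient:
            low = max(low, amount)
        elif high is None or amount < high:
            high = amount
    return low, high, inside


def flag_accounts(log, min_inside=3):
    """Return {account: (low, high, inside)} for accounts that look probed."""
    per_account = defaultdict(list)
    for account, amount, sufficient in log:
        per_account[account].append((amount, sufficient))
    flagged = {}
    for account, queries in per_account.items():
        low, high, inside = analyse(queries)
        if inside >= min_inside:
            flagged[account] = (low, high, inside)
    return flagged


if __name__ == "__main__":
    for account, (low, high, inside) in flag_accounts(SAMPLE_LOG).items():
        print(f"{account}: balance bracketed to ${low}-${high} by {inside} narrowing calls")
```

On the constructed log only ACCT-A is flagged: six calls have already confined its balance to a $313 window, while ACCT-B's three approvals reveal only a lower bound.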
5

The bottom line is to keep most of your money in accounts with no check privileges and to not give the account numbers for these accounts to anyone. Keep just enough in your checking account for the checks you are going to write.

4

When someone as esteemed and smart as Donald Knuth tells you the chequing system is busted, it's time to close your cheque account, or I guess live with the associated risk.

Answer to question, yes your account information can be used to commit fraud on you via your bank.

Anonymous Type
3

I was a victim of this. I'm not sure who got my routing and account number off my check, but someone subscribed to Playboy.com using my bank account information. Luckily it was only for about $30 and the bank refunded my money. However, it was a mess in that I had to open a new checking account and keep the other one open until all checks cleared. The bank was extremely helpful and monitored the account to make sure only the checks I told them about were processed. I then had to close the old account.

This is why I believe checks are much less secure than credit cards or debit cards. A paper check can lie on someone's desk for anyone to pick up or write the information down off of it. I avoid checks if at all possible. For things like Craigslist, I would try to use PayPal or some other intermediate processing service.

SchwartzE
-2

Yes, this is a huge security loophole, and many banks will do nothing to refund you if you are scammed. For example, for business accounts some Wells Fargo branches say you must notify within 24 hours of any check withdrawal or the loss is yours. Basically banks don't care - they are a monopoly system and you are stuck with them. When the losses and complaints get too great they will eventually implement the European system of electronic transfers - but the banks don't want to be bothered with that expense yet.

Sure, you can use PayPal - another overpriced monopoly - or much better try Dwolla or Bitcoin.

blabla