Aaron, a lawyer who blogs at The Shekel, warns us about a new threat from criminals to our financial security.
Well, my business accounts at Chase got hacked at around 5:30 last night and they had a lot of money taken out via ACH and no one at Chase is telling me how it happened. Good thing I happened to check the account as I was finishing work at 6 and saw it – aside from the heart attack from seeing it that is.
. . .
The scumbags somehow managed to do online transfers to take money out of my account and send it to Discover and to Voyager (apparently some kind of crypto-currency thing) incredibly quickly and without so much as a by your leave.
Chase security last night was decidedly unhelpful. It appears their call center is off-shore and while they were a bit hard to understand and times it seemed they didn’t understand much either. You would think the security division would be a bit more competent. Over three hours on the phone and I ended up feeling worse rather than better and now believe the bank’s security for its customers from such acts is somewhere from inadequate to non-existent.
The person on the phone stated that if someone has the routing number and account number they can wire money out of the account no problem.
. . .
So I’m rather hosed as it will be at least 15 days to process the claim and return the money at the earliest. My account numbers, and username and password have all been changed so I have no checks to pay the bills that are coming up and need to order new ones and it’s a rather problematic mess having to change all sorts of things including everything that is linked to those accounts.
There’s more at the link.
In a follow-up blog post, Aaron notes:
According to at least one person at Chase security, the ACH pulls were not a result of a breach in my online banking. Now since I’m still not getting a straight answer as to what exactly happened, I’m taking this with a big grain of salt.
Instead, apparently all it takes to pull money from your account via an ACH or online bill pay pull is someone knowing your routing and account [numbers] and perhaps the name on the account and that’s all it takes.
This seems rather nuts that someone can drain your account with just that information and without any authorization from the account itself. As you might imagine, I had no idea this was even possible.
. . .
So in short, your bank accounts are just one check away from some ne’er-do-well (that’s putting it politely) taking one of your checks and using the routing and account info on it to illegally pull money from your accounts without your permission.
Again, more at the link.
The comments below the two articles are worth reading as well. It appears to be a good idea to have a second bank account to hold the bulk of one’s money, possibly even with a different bank. One transfers into one’s checking account only enough money to cover the checks or direct debits one expects to pay, and no more, keeping the bulk of one’s money in a bank account for which nobody else knows the details. I’m going to look into that.
Fraud like that is one reason I never give out my bank account details to any company that doesn’t have a very good reason for needing them. In particular, with overseas transactions I buy a pre-paid credit card for the amount needed for the transaction, use it to make the payment, then discard it. If a criminal gets hold of the card number and tries to withdraw more, he’ll get nowhere. (That’s happened to me twice before, once from South Africa and once from China.) Since the card will never be used more than once, by definition it’s as secure as it can be. If I’d sent a check, with my bank account and routing numbers visible on it, who knows what might have happened?
Nevertheless, I’m going to visit my bank today, show them printouts of Aaron’s articles, and ask them what security measures are in place to prevent something similar happening to me. I understand there are certain “stops” one can put in place to prevent some kinds of payment like that, but not all banks offer them. If mine doesn’t, I may have to reconsider where I bank.
Aaron, I’m sorry to hear about your misfortune. I hope the bank gets your money back to you in time to avoid any embarrassment with your creditors.
Peter
A lot of financial institutions are replacing online and phone customer service and security operations in the States with third world subsidiaries offshore in West Asia and the Southern Hemisphere. You don't have to pay first world salaries and benefits but you don't get first world work ethic either. Since graft is the way to do business in the Third World, I wouldn't be surprised if account information was being shared with scammers in the family.
It happens with U.S. tellers and CSRs too but they usually get a visit from the friendly neighborhood FBI agent when there are no Republicans nor Parents to chase down as Domestic Terrorists.
I spent 17 years doing security for a company providing Internet Banking to ~2k banks and credit unions. It's terrifying how insecure the banking system is, it's based on the idea that the entities that are connected to it and able to send ACH transfers to the network are all trusted. Any 'security' that you see about setting up ACH transactions is strictly implemented between you and the entity that you are setting up the transaction on, once that financial institution submits the ACH transaction to the network, there is no security besides validating that the FI is who they say they are, NOTHING checks or validates individual transactions.
David Lang
The mattress is looking better and better…
I *just* talked to my Credit Union about the issue and the phone rep parroted the line about needing the routing and account numbers. She didn't have much of an answer when I said that is exposed to every person who handles a check if I mail one out. They don't have the ability to block ACH transfers but she did say they have an ACH dispute process if you activate it quickly enough.
Sounds more and more like you need keep only enough money in a checking account to handle open checks or bills but no more than that.
The vast majority of people at banks and credit unions don't have a clue how insecure the underlying processes are.
This is why I don't have my tax refunds auto-deposited, I'm not having them enter my account into into their system (not due to fearing legit government action, they can already seize accounts, but the more places that data is residing, the more chances of hackers getting hold of it)
If you give an entity the ability to deposit directly into your account, that same information/authorization lets them remove money from the account.
David Lang
I've been doing a little of that for years – I withdraw in cash what I don't need to pay bills and leave the required $100 + $1 in the account to avoid fees. I do worry, however, about the time period – usually no more than 4-9 days – during which there is enough money in the account to cover multiple payments.
I've thought about having another account as a "funds reservoir" from which I can transfer funds to the "payout" account but the more I've thought about it the more I realize such an account would need to be at a different bank, and that account fully isolated from external access. Which, of course, would make it impossible to transfer funds from it. It's a PITA to have to deposit greenbacks rather than do an electronic transfer, but such may be the price for financial security.
One thing came to mind reading Aaron's description – everyone at his bank instantly became a potential victim because they all have the same routing number. The only differentiating criteria is the account number, and I'm guessing that most of them are sequential even between completely different people (and, I think routing and account numbers are electronically transmitted when one e-pays through their checking account, so not even avoiding paper checks can prevent this).
This portends a true national security issue if Joe and Jane Citizen cannot count on having money in their account; what happens if a large enough cohort suddenly finds themselves unable to pay creditors?
I like the idea of using a pre-paid card for certain payments; that does require, however, the receiving party accept credit cards.
I use a debit card account, and transfer money in only as I need it. I always thought that was the best defense.
Then one day I checked online banking and my debit card account showed a negative $7000 balance!
Someone had done the ACH transfer route, sending money to some E-Trade account. I quickly got my bank to cancel it (which cost me $35). The bank ignored the fact that I had about $40 dollars in the account, and sent the money off.
My bank was entirely uninterested in explaining to me how this could happen.
I note that this is a purely US banking problem. In other countries account details like this are one way so you can share your bank details far and wide and not worry that people will make negative deposits into (from) your account.
In other countries (I've done this in the UK, France and Japan) you have to specifically authorize particular entities (e.g. your electricity utility) to make withdrawals. It's true that occasionally said electricity utility ends up screwing up and billing you for the local factory's power usage but this is extremely rare.
Oh and this is NOT a new problem. It's been a problem for decades. I know that because someone I knew lost a ton of money through it back in the 1990s. In that case the crooks were tracked down and included someone in the bank as informant who told the rest of the gang which accounts were good for looting.
Francis Turner is right, The ACH system is one of the oldest parts of electronic banking, from the early days where banks dialed in to the network to submit the transfers and retrieve transfers from other banks. Everything about it shows this legacy.
David Lang
I've been working with IT security in financial institutions in Germany for over 20 years and what baffles my is the fact that although the US imposes a huge amount of regulations for institutions outside US for even a $33 transaction outside US, not concerning US companies or citizens (see OFAC), the way US banks perform transactions processing is still at stone-age level and information security for US banks seems to follow the "security by obscurity" paradigm. They don't use individual transaction authorization, multi-factor authentication, layered entitlement management or any other modern security mechanism – not that you'll get 100% security even with those in place, but still…
Peter: Thanks.
Chase made a temporary credit to my accounts restoring the money as they investigate. Not great as they reserve the right to pull it back out, but things are stabilizing which is good.
Lessons learned: I had no idea this kind of theft could happen like this, nor how blase everyone at Chase is about it and, yes, initial security line was indeed offshore and made a mess of the initial response.
I'm now segregating operating funds in different accounts so it's harder to pull them out, adding to complexity of doing things, but even with that there's apparently no way to fully stop this kind of attack. Good thing my personal accounts were not with Chase, so I still could cover things. I'd highly suggest not putting all your money in any one institution due to this problem.
I'd suggest people use credit cards rather than debit cards (this wasn't a debit card based attack but the idea is similar) as at least with a credit card you don't lose access to the funds if there's a false charge and they seem a lot more responsive to blocking/reversing fraudulent charges on a credit card.
Not an enjoyable experience at all.
We have been keeping cash in our safe and only depositing enough to cover current bills. Well over 10 years now.
Also ask your bank their policy on ACF overdraws. We were told by Chase retail banker, in person, that since you gave the routing/account number out you're responsible to cover the overdraw. With overdraw penalties of course.