Scammers apparently generate random routing and account numbers, into which they try to deposit one cent ... Once the one-cent deposit clears, the perpetrators know the account is active and begin to withdraw funds from the account.
... Because the transfers clear electronically, people are not asked to verify the transactions. However, they may dispute the transactions once they notice what's happening.
"For Automated Clearing House or ACH transactions, the customer can fill out a dispute form, and we can reverse the transaction," ...
mnsweeps said: Routing numbers of banks are public...
yep ... and a good reason never to link your checking to any bozo outfit's monthly payment plan
xerty
Senior Member - 2K
posted: May. 5, 2007 @ 2:07a
I'm not sure how smart a scam this is... the cops/banks will be able to see the account the money got ACH'ed into as well. Seems like an easy money trail to follow.
codename47
Senior Member - 3K
posted: May. 5, 2007 @ 2:42a
but what if the cops don't care...
ScootyPuffSr
Senior Member - 2K
posted: May. 5, 2007 @ 2:46a
I don't get it. If all it took was a routing number and account number then all a thief would have to do is work in a place that takes a lot of checks.
If they are "randomly generating" both the routing number and checking account they aren't even going to know the name(s) associated with the account that you would know from a check. If it was a trial deposit they wouldn't know the amount.
Kanosh
Senior Member - 1K
posted: May. 5, 2007 @ 2:46a
xerty said: I'm not sure how smart a scam this is... the cops/banks will be able to see the account the money got ACH'ed into as well. Seems like an easy money trail to follow.
I agree. However I also think we're just seeing the start of it. I think the only solution is to be vigilant with your bank account, checking the balance every day.
ifyouhavetoask
Senior Member - 1K
posted: May. 5, 2007 @ 5:55a
xerty said: I'm not sure how smart a scam this is... the cops/banks will be able to see the account the money got ACH'ed into as well. Seems like an easy money trail to follow.
1) The crooks are using stolen identities to open bank accounts. They use those accounts to pull the scams.
2) They dupe idiots into doing the dirty work for them. For example, they get a sucker to "accept payments" for their business, in return for a cut of the payment. You would be amazed at how many people fall for scams like this. They think they are processing payments for a legitimate business, and forwarding that money to the legitimate business... until the cops come. You may have seen a varation of this on Dateline a few months ago, where scammers were using people to receive and forward goods that were purchased with stolen credit cards. Same idea, but with money.
CrazyRus
Ancient Member
posted: May. 5, 2007 @ 7:18a
Call BS. This info is on ANY check written/printed in the USA.
ScootyPuffSr said: I don't get it. If all it took was a routing number and account number then all a thief would have to do is work in a place that takes a lot of checks.
If they are "randomly generating" both the routing number and checking account they aren't even going to know the name(s) associated with the account that you would know from a check.I don't think the thieves need to know the name of the account owner. In the course of a routine ACH transfer, I don't think the account owner's names are validated in order for a successful transaction to occur.
For example, if I went to my credit card or cable or utility company's web site to make a payment from a checking account, and I accidentally or deliberately typed in a stranger's valid account number, I have a feeling it would go through.
I'm no expert on this matter, but I've often thought about this subject and based on what I've read and observed, I am inclined to believe that the ACH system is very insecure and is protected only by the vigilance of account owners to catch and report fraudulent transactions.
Anyone wanna test my theory and try to pay their credit card or utility bill from a a stranger's valid routing and account number?
CrazyRus
Ancient Member
posted: May. 5, 2007 @ 7:49a
Sure. PM me your bank account info and I'll test it
OK, I'll leave some change in my soon to be empty HSBC Direct account after I transfer the rest to FNBO. I'll give you the routing+account number and you can pay one of your bills. I bet it will work
Auream
Senior Member - 1K
posted: May. 5, 2007 @ 9:31a
At least in some cases, the name is validated. I tried to ACH money from a TDAmeritrade account into a friend's account, and it rejected it. Going into my account worked just fine.
kingfrugal
Member
posted: May. 5, 2007 @ 10:57a
At least in some cases, the name is validated. I tried to ACH money from a TDAmeritrade account into a friend's account, and it rejected it.
It may not be true for all cases. My son has a paypal account, and recently I started using it for kiva. I was able to link my bank account and Paypal.
kingfrugal
Member
posted: May. 5, 2007 @ 8:36p
Scammers apparently generate random routing and account numbers, into which they try to deposit one cent
Random number thingy does not sound reasonable. The scammer's ACH processor would charge a fee. Typically 29-59 cents/transection.
However, if they can got hold of your check they can verify the account.
This would become more important in future. Banks are pushing the technology which will allow a merchant to generate an ACH pull from your paper check. I think WalMart does it and they even return your check back to you. However, many other merchants may not return the check
On the other note, do the banks allow retail customers to put an ACH debit block? (They do allow large customers that ability). That way one can specify the authorized institutions that can generate a 'pull' from your account.
I have asked my bank that question and will post their answer.
SimpleMoney
Senior Member
posted: May. 5, 2007 @ 9:42p
I wish there were more scammers doing this. I'd be a millionare!! if a few hundred thousand people deposited a penny that is
gerardkw2015
Member
posted: May. 5, 2007 @ 9:56p
well you would only be a millionaire if a 100 million people participated...
Dracolith
Senior Member
posted: May. 5, 2007 @ 10:17p
It may not be true for all cases. My son has a paypal account, and recently I started using it for kiva. I was able to link my bank account and Paypal.
I think that is an example of Paypal's lax security practices.
I suspect many CC companies have similar treatment, they might not even do the trial deposits verification, I suspect security is sacrificed for "customer convenience".
The problem is there's no guarantee of uniformity -- you might find one CC company verifies the account name is the same, and the next one across the street just processes the transaction, no questions asked, after receiving routing, accounting number, and dollar amount.
Some online banks/brokers will require approval of the link, even manual approval, or confirmation of the information with your bank matching the name of your account, before establishing the external account link, others will establish it automatically just based on your ability to view trial-deposits.
There is also the matter of whether the drawee bank or the bank initiating the transfer does any manual verification, and what information exactly is provided.
I suspect most likely if the dollar value is large, say $50,000, there will be some sort of manual review.
nosatalian
Senior Member
posted: May. 5, 2007 @ 10:46p
The whole ACH system is retarded. The concept of an ACH "Pull" doesn't make any sense from a security standpoint. All transfers should be "push" only, and that would eliminate all of these types of attacks.
They should replace the ACH Pull with something like an ACH Request. This is for when you want to automatically pay something, but you don't know how much it will be in advance, so you can't have your bank automatically transfer the same amount every month. So your credit card company's bank sends an ACH Request for $XX.XX, and your local bank verifies the request (by checking to see if you have previously granted permission to the bank and account generating the request) then an ACH Push is initiated from your account. Any ACH Request for which there does exist pre-approval on your side can be either dropped and dealt with out of band.. i.e. other bank calls you to ask you to allow them to make the request OR your bank can call you and ask if you want to approve the request (and perhaps also take note of whether you want to allow future requests).
The point being that even if ACH did verify the name on the account (which it seems like they currently don't), that does not imply any approval of their ACH Pull. Approval of ACH Pulls must be made explicit via some mechanism like that described above.
Dracolith
Senior Member
posted: May. 6, 2007 @ 12:54a
nosatalian said: The whole ACH system is retarded. The concept of an ACH "Pull" doesn't make any sense from a security standpoint. All transfers should be "push" only, and that would eliminate all of these types of attacks.
An ACH pull is merely a check converted into an electronic format, and your signature (either a written signature or an electronic signature) is supposed to be required to execute it, just as is required of a check.
If you extended this philosophy to written checks, the recipient of your check could not go to your bank and get cash, they would go to your bank and submitting the check would be submitting a "request"; they would then have to wait for your bank to deposit the funds into an account in their name from which they could withdraw cash.
It would be more secure, in the sense that withdraws without additional confirmation from you would be impossible, but people would be inclined to not accept bank accoutn information as payment, as they could not be assured of getting the money from your electronic check, if your signature wasn't sufficient to make the amount payable by your bank.
I suspect most you do business with would start demanding you pay by cash or debit card, and refuse ACH transfers if you providing the information only allowed a "request" for funds, eliminating much of the usefulness of EFT.
nosatalian
Senior Member
posted: May. 6, 2007 @ 1:27a
An ACH pull is merely a check converted into an electronic format, and your signature (either a written signature or an electronic signature) is supposed to be required to execute it, just as is required of a check.
Thats the point- the bank doing the pull ought to verify a signature, but they don't - they take their account holder's word for it and do whatever they want. A better system would use crypto, with the requirement that you perform an independently verifiable cryptographic signature to authorize transactions. This could be done with your credit card (smartcard). ACH/Checks are a relic of the past and ought to be properly dispensed with.
MoreMonies
Happy Member
posted: May. 6, 2007 @ 2:40a
That's why it's the banks taking on the liability by not verifying the pre-authorized transfer forms. They probablyh consider it a cost of doing business until it becomes bad enough to make some changes.
s0ssos
Senior Member - 1K
posted: May. 6, 2007 @ 3:10a
nosatalian said: An ACH pull is merely a check converted into an electronic format, and your signature (either a written signature or an electronic signature) is supposed to be required to execute it, just as is required of a check.
Thats the point- the bank doing the pull ought to verify a signature, but they don't - they take their account holder's word for it and do whatever they want. A better system would use crypto, with the requirement that you perform an independently verifiable cryptographic signature to authorize transactions. This could be done with your credit card (smartcard). ACH/Checks are a relic of the past and ought to be properly dispensed with.
but the banks don't take the account holder's word. if the check turns out to not be valid, they just ask the person for the money back. they don't eat the loss.
RS3RS
New Member
posted: May. 6, 2007 @ 6:55a
Let's use some logic people. You guys aren't stupid.
OK, so they can sit there and randomly generate account numbers.
Or, they can go get a retail job (not hard to do) and copy down tons of 100% guaranteed first try legit account numbers, every single day.
Your information is thrown out into the world every time you write a check. Every time. I wouldn't worry about someone randomly generating it and that being more of a threat.
ifyouhavetoask
Senior Member - 1K
posted: May. 6, 2007 @ 7:48a
RS3RS said: Let's use some logic people. You guys aren't stupid.
OK, so they can sit there and randomly generate account numbers.
Or, they can go get a retail job (not hard to do) and copy down tons of 100% guaranteed first try legit account numbers, every single day.
Your information is thrown out into the world every time you write a check. Every time. I wouldn't worry about someone randomly generating it and that being more of a threat.
I don't think it's anything to worry about, either.
Even if your bank account is completely drained of all the money you have on deposit, you're going to get it back.
Bankers love to scare consumers about credit card and bank fraud, so that the consumer does the bank's job of protecting accounts. It all boils down to one thing: If your CC or bank account # is stolen, YOU aren't going to be the one who pays for the criminal's theft. Well, unless you let the bank intimidate you.
Any money that comes out of your account, that you didn't authorize, is money that's going to be returned to you.
Of course, the above doesn't apply to a business account. If someone steals your business account money, you're out of luck.
allegro54
Member
posted: May. 6, 2007 @ 8:25a
We recently had a credit card problem. Two one cent purchases were made (as it turned out, from Germany...)
The following day, two purchases were made at an online florist in a state about 600 miles away from us--purchases totaled $750.
Luckily it was resolved in a few days--we got a new credit card #, the charges were removed. The florist said they had caught it as fraud and never processed the orders.
Then, of course, we wondered how they got the info. But at a business conference last week, my hubby learned that 100,000 of this particular bank's cards had been compromised, so obviously the leak came through the bank.
But yes, we all need to check our accounts regularly.
gungrom
Thrifty Member
posted: May. 6, 2007 @ 9:24a
I believe Bof A allows you to set up an email alert when any money is ACH pulled from your account. If it can be set to a one penny threshold than you don't have to log in every day.
EugeneV
Ancient Member
posted: May. 6, 2007 @ 12:22p
Many banks allow only ACH push and block the pulls.
HSBC Business Checking allows unlimited ACH Push and does not ask for anything other than the account number and routing number. They charge 25c per transfer, IIRC.
Usually you are required to confirm two small deposits before enabling ACH pulls - that's because anyone to whom you gave your check has your account number and routing number. Sometimes that account number on your check does not correspond to the internal account number that is used for ACH. At least one credit union where I have an account is set up this way. Unfortunately, their internal account numbers are based on SS#.
Names of the account holders typically are not required. They are checked occasionally. I had my HSBC Bank-to-Bank transfer suspended when I linked an account that was joint with my wife (and her name appeared first). I had other similar accounts linked without any problems though - even a business account at BofA.
codename47 said: but what if the cops don't care...
Cops don't need to even get involved. I'm willing to bet that since the money crosses state borders or country borders, the FBI will run after them.
Jaydeedub
Member
posted: May. 6, 2007 @ 2:16p
Kanosh said: xerty said: I'm not sure how smart a scam this is... the cops/banks will be able to see the account the money got ACH'ed into as well. Seems like an easy money trail to follow.
I agree. However I also think we're just seeing the start of it. I think the only solution is to be vigilant with your bank account, checking the balance every day.
So, the average fatwalleter should check her/his 10+ accounts everyday?
kingfrugal
Member
posted: May. 6, 2007 @ 2:44p
So, the average fatwalleter should check her/his 10+ accounts everyday?
If not every day then every few days. That is the best defence.
mokquinoa
New Member
posted: May. 6, 2007 @ 3:55p
kingfrugal said: It may not be true for all cases. My son has a paypal account, and recently I started using it for kiva. I was able to link my bank account and Paypal. In the case of PayPal, they send 2 verification deposits. Therefore, one needs to have access to the bank account to know the exact deposited amounts. However, most credit card issuers' online bill payment system only requires routing and account numbers. I haven't encountered any problem using my checking account to pay my brother's BofA and Chase credit cards; even with large balance (over 10K).
J.Mok
ifyouhavetoask
Senior Member - 1K
posted: May. 6, 2007 @ 4:00p
hdpq said: codename47 said: but what if the cops don't care...
Cops don't need to even get involved. I'm willing to bet that since the money crosses state borders or country borders, the FBI will run after them.
Other than taking a report over the phone (which they probably won't do, and will instead refer you to your local police), the FBI isn't going to get involved in any sort of financial crime that involves such small amounts of money.
If your report leads them to uncover a pattern of small crimes that amount to $50,000+, then they'll get involved.
There are so many scammers out there these days, that the FBI doesn't have the resources to go after the small change.
aeiouy
Senior Member - 1K
posted: May. 6, 2007 @ 4:05p
I suspect there will eventually be some kind of pin or code required to initiate ach transactions in the future.
ifyouhavetoask
Senior Member - 1K
posted: May. 6, 2007 @ 4:29p
aeiouy said: I suspect there will eventually be some kind of pin or code required to initiate ach transactions in the future.
As soon as the banks start to lose more money than it costs to fix the system...
cfeifei
Senior Member
posted: May. 6, 2007 @ 9:28p
Yeah, this seems a really easy scam, since it's just too easy for them to obtain routine numbers, account numbers and names from checks. I really doubt the "randomly generating" is necessary or what really happened.
But is it really that easy, when they have those information? If it is, then I think I'm just too lucky it hasn't happened to me by now. Can someone clarify how an ACH pull is done?
The "source" of the story, a woman at an institution whose name has been improperly used in connection with the withdrawals, is hardly credible. How on earth would she know that deposits of one penny were made to randomly generated accounts and routing numbers before withdrawals were made when she does not work for any of the institutions from where the deposits and withdrawals were made.
One is not liable for electronic transactions made from their account so long as they notify their bank of unauthorized activity. Basically one has 60 days to advise of an unauthorized transaction, and then you are only liable for losses that take place AFTER the 60th day if the bank can prove they could have stopped someone from taking the money if they can prove that they could have stopped someone from taking the money if you had told them in time. So yeah, monitor your accounts. But you don't have to do so every single day for fear of someone depositing a penny into the account or withdrawing money without your permission.
Jaydeedub said: So, the average fatwalleter should check her/his 10+ accounts everyday?
Look in threads for Yodlee, you can check all of your account activities at a glance. Although having all your information in one spot is also a security risk.9102128882300897809
2weeks
Senior Member
posted: May. 8, 2007 @ 4:10a
When I did my CW push to HSBC, CW rejected it because they suspected fraud. I complained that I verified the trial deposits, and set up the transfer a few days in advance. The fraud guy told me that they didn't have any way to verify the name on the HSBC acct, and that also invalidates the trial deposit verification. This ACH thing is pretty scary.
Disclaimer: By providing links to other sites, FatWallet.com does not guarantee, approve or endorse the information or products available at these sites, nor does a link indicate any association with or endorsement by the linked site to FatWallet.com.
Members of our community may attach files to a post in accordance with the User Agreement. FatWallet is not responsible for the content, accuracy, completeness or validity of any information contained in any attached file. Files have *not* been scanned for viruses. Be especially wary of Excel files which may contain malicious content.
