Wednesday, November 03, 2021

That's One Heckuva Security Hole In The Banking System


According to at least one person at Chase security, the ACH pulls were not a result of a breach in my online banking. Now since I'm still not getting a straight answer as to what exactly happened, I'm taking this with a big grain of salt.

Instead, apparently all it takes to pull money from your account via an ACH or online bill pay pull is someone knowing your routing and account numbers and perhaps the name on the account.

This seems rather nuts that someone can drain your account with just that information and without any authorization from the account itself. As you might imagine, I had no idea this was even possible.

Even better, I try to arrange for an ACH block on withdrawals from the IOLTA account to ensure such a thing never happens again. After all, funds never should leave an IOLTA by ACH - it's either payment for services and thus moved to the operating account once earned, or returned to the client via a check when the representation is over so every cent in that account can be tracked.

Chase has an ACH withdrawal blocking ability, but, well, apparently the IOLTA account isn't one of the preferred types of accounts eligible for such an ACH blocking service. No kidding. One would think a trust account holding other people's money would be given the highest level of security. Not so much. I think finding and then switching to a bank that offers such a service - as a default, no less - would be the prudent way to go.

So in short, your bank accounts are just one check away from some ne'er-do-well (that's putting it politely) taking one of your checks and using the routing and account info on it to illegally pull money from your accounts without your permission.

That seems like one hellacious security hole big enough to drive a wheelbarrow of money through. Oh wait, yes it is indeed one hellacious security hole big enough to drive a wheelbarrow of money through. Dammit.

As Borepatch often says: "Security isn't an afterthought; it isn't thought of at all."

5 comments:

Well Seasoned Fool said...

I stopped using banks many years ago and do my banking with credit unions. So far, knock on wood, I've had no problems. When I used banks I did have problems. I didn't lose money but several days of back and forth was time I didn't want to waste.

Old NFO said...

That...sucks.

Aaron said...

WSF: Yes, I need to find a Credit Union on the State Bar Approved list for IOLTA accounts. So far it's been days' worth of time working on this problem.

Old NFO: That it does. Hopefully it gets worked out.

Francis Turner said...

I'm not entirely convinced that a credit union will be any better, though you should check by talking to a person at said CU.

The fact that you can't put a withdrawal block on a specific type of account sounds to me like a lawsuit waiting to happen. Because this is practically an invitation to fraud.

Rick T said...

I talked to my credit union today and the agent just parroted back that the transferrer only needs routing and account information to do the deed. My response was that that information was exposed to EVERY person who handles a paper check if I choose to pay that way. No useful response.

I think the only answer is to keep zero dollars in an ACH-enabled account and only transfer money to it when a debit or check is expected.