Sunday, October 27, 2013

Trying to plug a security risk in checking accounts

Isn't it strange that, in order to pay a bill online from your checking account, all you need to do is provide your account number and routing number and confirm the amount to be billed? I've always wondered why the bank didn't require me to approve the payment on the bank's website. Isn't that a major security risk - if someone gets my account number and routing number, they can basically extract however much they want, right?

I decided to ask someone at my new bank, Cardinal Bank, about this.

Routing and account numbers are all you need to steal funds, but there are safeguards...

I went in and asked about this, and it turns out that not only can someone take your funds with just your account number and routing number, but if the 'merchant' promises that you authorized the transaction, the bank isn't allowed to block the transfer!

However, the manager assured me that I (the checking account holder) am protected by Federal law, and if I see a checking account expense I didn't authorize, I can file a claim. If someone (the bank? I'm unsure) agrees I didn't authorize the payment, the bank is legally required to give me my money back.

I still have a few problems with this:
  • The bank adjudicates the claim: The bank adjudicates the claim, but it's the bank that would have to pay out if they agree that I didn't make the payment. I would hope the bank is insured for this, but still - the incentives aren't exactly aligned properly.
  • When I file the claim, the money's already gone: When someone defrauds my credit card, they're stealing from the credit card company, not me (and generally, the credit card company forces the merchant selling the fraudulently purchased goods to pay). It's WAY easier to keep money than to fight to get it back.
  • The 'secret' is your checking account number: The manager said don't worry, just don't hand out my checking account number. What? It's on every check I write, along with the routing number! I hand that so-called 'secret' information to people all the time! So, the 'secret' information ain't so secret.

So ok, how can I protect myself? Normally, I'd just get a savings account with no online bank or ATM access, but Cardinal offers a checking account with 1% interest rates (higher than any CDs < 3 years long that I've seen), so I wanted that. I asked if I could disable online transactions and they said they could only do an all-or-nothing 'block' on the account, just as if the gov't told them to completely halt all activity on it. I wouldn't be able to use my ATM card, checks, or even go in person to get cash.

Since I intend to park a chunk of savings into this account and not touch it for months/years, I asked if they would put a hold on the account, but they said they needed a reason to do it. I said, 'How about because I asked you to?' (that's actually pretty close to what I said).

Long story short, the manager said it wasn't possible, and just to rely on the technical and legal safeguards like everyone else. I said ok. In addition though, I'm taking extra precautions:
  • I'm not activating my ATM card.
  • I'm not writing any checks.
  • I'm not setting up my online bank account here.

Hopefully this will at least make adjudication a little easier if anything ever happens...