Aaron, a lawyer who blogs at The Shekel, warns us about a new threat from criminals to our financial security.
Well, my business accounts at Chase got hacked at around 5:30 last night and they had a lot of money taken out via ACH and no one at Chase is telling me how it happened. Good thing I happened to check the account as I was finishing work at 6 and saw it - aside from the heart attack from seeing it that is.
. . .
The scumbags somehow managed to do online transfers to take money out of my account and send it to Discover and to Voyager (apparently some kind of crypto-currency thing) incredibly quickly and without so much as a by your leave.
Chase security last night was decidedly unhelpful. It appears their call center is off-shore and while they were a bit hard to understand and times it seemed they didn't understand much either. You would think the security division would be a bit more competent. Over three hours on the phone and I ended up feeling worse rather than better and now believe the bank's security for its customers from such acts is somewhere from inadequate to non-existent.
The person on the phone stated that if someone has the routing number and account number they can wire money out of the account no problem.
. . .
So I'm rather hosed as it will be at least 15 days to process the claim and return the money at the earliest. My account numbers, and username and password have all been changed so I have no checks to pay the bills that are coming up and need to order new ones and it's a rather problematic mess having to change all sorts of things including everything that is linked to those accounts.
There's more at the link.
In a follow-up blog post, Aaron notes:
According to at least one person at Chase security, the ACH pulls were not a result of a breach in my online banking. Now since I'm still not getting a straight answer as to what exactly happened, I’m taking this with a big grain of salt.
Instead, apparently all it takes to pull money from your account via an ACH or online bill pay pull is someone knowing your routing and account [numbers] and perhaps the name on the account and that's all it takes.
This seems rather nuts that someone can drain your account with just that information and without any authorization from the account itself. As you might imagine, I had no idea this was even possible.
. . .
So in short, your bank accounts are just one check away from some ne'er-do-well (that's putting it politely) taking one of your checks and using the routing and account info on it to illegally pull money from your accounts without your permission.
Again, more at the link.
The comments below the two articles are worth reading as well. It appears to be a good idea to have a second bank account to hold the bulk of one's money, possibly even with a different bank. One transfers into one's checking account only enough money to cover the checks or direct debits one expects to pay, and no more, keeping the bulk of one's money in a bank account for which nobody else knows the details. I'm going to look into that.
Fraud like that is one reason I never give out my bank account details to any company that doesn't have a very good reason for needing them. In particular, with overseas transactions I buy a pre-paid credit card for the amount needed for the transaction, use it to make the payment, then discard it. If a criminal gets hold of the card number and tries to withdraw more, he'll get nowhere. (That's happened to me twice before, once from South Africa and once from China.) Since the card will never be used more than once, by definition it's as secure as it can be. If I'd sent a check, with my bank account and routing numbers visible on it, who knows what might have happened?
Nevertheless, I'm going to visit my bank today, show them printouts of Aaron's articles, and ask them what security measures are in place to prevent something similar happening to me. I understand there are certain "stops" one can put in place to prevent some kinds of payment like that, but not all banks offer them. If mine doesn't, I may have to reconsider where I bank.
Aaron, I'm sorry to hear about your misfortune. I hope the bank gets your money back to you in time to avoid any embarrassment with your creditors.