This is just bananas. I always thought the routing/acct would just authorize deposits. I assumed this, because every time I need this info, I look at my checks. (When people wire money to me).
When you write a check, the signature is the authorization to withdraw funds, and the amount and recipient is specified.
I’m shocked that banks would permit a withdrawal without some kind of “anolog” to this authorization pattern.
It makes all these worries about passwords and online credentials seem quaint. These numbers are all over the place, online and off. Why aren’t halfway clever hackers draining accounts right now?
It’s a huge risk mitigated by the banks being a mostly-trusted network. If someone abused ACH they’d lose access to the network quickly, and your bank can build checks in on their side so if a transaction arrives from a foreign bank they might call you to confirm (when I bought my house the down payment was large enough to trigger a confirmation visit).
