Ask HN: Why hasn't the ACH system been more abused?
https://en.wikipedia.org/wiki/Automated_clearing_house
Is utterly insecure. Anyone with your routing number and account number, 2 numbers printed on every check, can ask your bank for all of your money and the bank will not confirm anything with you.
My first experience with this was Apple's credit card that can only be paid via ACH and I was shocked when I typed in my info into the apple wallet app and then it took my money without the bank confirming anything with me.
Why hasn't this been more of a problem? Are their mitigations? These numbers can be stolen from data breaches even easier than passwords as they won't be salted and hashed, they'll be the actual numbers right? The entire payment regime in the USA seems to be switching over to ACH. Should I be worried?
277 comments
[ 0.27 ms ] story [ 259 ms ] threadSo, the legal system is the prevention mechanism for abuse here.
dafuq?
So I went to my local bank branch during lunch and explained the situation. The bank manager told me that she could stop it immediately, and reverse all the transactions to date, but since it was recurring, the only way she could block future transactions (outside a 6-month window) would be to close my account and open another one.
We agreed to do that.
Literally as she was going through the process, another of these phantom debits showed up. Got all my money back, had to change checking account #'s and never found out how it happened. I can only assume that the next time PayChex tried to debit my account and it bounced, they figured out their mistake.
But hey, thanks for the absolutely useless customer support! I guess it only works if you're actually a customer.
If they have access to a very quick and efficient cash out system, they might offload the costs onto some chump (see various "cashback" scams) but it's not trivial to make this scheme work. It can work, so shredding your voided checks is highly recommended, but it's not as trivial as finding the check, coming to a bank and saying "I'm that guy it says here, give me all my money now, in small bills please".
You would call your bank and they would reverse it. You would have your money back in a business day or two. That's why ACH isn't "abused".
What would be more worrying if some multinational company accidentally debited your account. That would be harder because your bank would likely just side with the multinational who inadvertently stole your money. However, I don't think that is a weakness that exists solely with ACH.
Within that time, the bank(s) are required to reverse the transaction, no questions asked.
I believe you can even get your money back at a later time, but if you don't make the deadline there are more hoops to jump through.
But that's certainly not hard and fast, I think I've seen roughly twice that time frame for extraordinary cases.
https://stripe.com/legal/ACH
Well, sort of. A very broad set of people can do ACH deposits into your account. A much smaller set of people (though still lots of them) can do ACH withdrawals.
Also, some banks offer a way to have a whitelist for entities allowed to do ACH debits/withdrawals. Chase calls it "ACH Debit Block" for business accounts.
https://www.chase.com/business/online-banking/ach-collection...
In essence, it's just equivalent to any other customer risk management by the bank, since allowing you a certain amount of ACH withdrawals is in some sense similar to credit risk.
If ACH was different and you could just, say, walk up to an ATM and punch in a routing/account number and withdraw cash, it'd be a very different situation. You can only interact with the ACH system through a regular bank, and regular banks have KYC regulations that mean the recipient of those funds has a name, address, and SSN. Doing theft via ACH means the funds end up in account clearly tied to your identity, and you go to jail.
We have passwords and two factor to prevent this stuff for lots of situations but in this ACH case we seem to have nothing. What's special about ACH vs all other situations? Why do I need a password and two factor on other accounts but not ACH? It's just as illegal to break into those other accounts is it not?
But then you have to get the money out of that account, and into cash in your hands without leaving a trail that leads to you. It's possible, but complicated. And if you could do it, there was probably already significant money in the account you hacked into in the first place. No need to pad it with ACH debits that might set off alarm bells.
You have to be a bank or otherwise registered with the clearing house.
So you can ask your bank to pull money from my account, and if I object my bank will claw back the money from your bank and they will know who you are.
And if it wasn't all a misunderstanding or a typo, then they know where to find you.
Off the top of my head, the only ones I can think of are utilities, other banks (so you can make loan payments), and consumer payment processors like PayPal. In the first two, they'll have your ID. In the latter, they do the "make two deposits" thing to verify you own (or at least have access to) the account.
I can't go to Wal-mart and pay via ACH. Do they even take personal checks anymore?
And it certainly used to be common for e-commerce sites to accept "electronic checks" by having you type in the routing and account numbers, with no additional verification. These days, there usually is additional verification.
It is still commonly accepted with no verification for payment for things like utility bills. This appears to be on the assumption that if there is check fraud they probably know the guilty party, because who else would be trying to pay your power bill?
Pretty much anyone with a Stripe account can accept payments via ACH.
https://stripe.com/docs/payments/ach-debit
I worked at an ISP and we definitely appreciated it when our customers paid via ACH instead of credit card. (Less fees.) We were tiny, too; you don't have to be a giant company to get this going.
https://www.law.cornell.edu/uscode/text/18/1343
ACH fraud is wire fraud
https://www.justia.com/criminal/offenses/white-collar-crimes...
How do you explain the widespread availability of "drop" accounts in the US? Cybercrime forums are full of people offering services to "cash out" illicit bank transfers into cryptocurrency.
If you don't believe that deterrence is a real thing, there is a lot more human behavior that needs explanation than just the relative lack of ACH fraud.
https://www.ice.gov/news/releases/russian-man-pleads-guilty-...
They do this, at giant scale. When you're earning tens of thousands of dollars per account, it's worth it to train people to go open bank accounts using fake passports.
The answer is, it is illegal, and easy to catch, so people don't abuse it as much as they would if it wasn't illegal.
Why is it easy to catch? The OPs premise that you have to provide identification to open bank accounts is obviously false.
Integrating over all of the possible outcomes of wire-fraud, being put in prison is more likely than making millions of dollars and using them as you please.
Or, at least, enough people believe this, and also prefer not to be in prison, that they do not commit wire fraud. It might also be because it's difficult. (I don't personally know how I'd take up wire fraud, if I wanted to start.)
"Being put in prison" is a likely outcome because of complex and overlapping human constructs that have lead to power structures where other people can force you into a prison. This is why it's relevant that it's "illegal". Briefly, "we live in a society".
The kind of "shape" wire-fraud has (in terms of the likelihood of its outcomes, i.e. very high risk, low chance of reward) is found in many things. A lot of illegal things have this shape.
The above commenter probably assumed all this to be 'background'. With that "because you go to jail if you do that," is a succinct and basically correct statement, even if it is not prefaced with every possible exception.
Every Eastern European craigslist scammer has access to US business bank accounts to accept payments for their nonexistent cars and boats.
This is what happens with fiat money anyways, it is just so intimately mixed by now (credit cards, ACH, etc.) that you figure it's the only kind of transaction that exist or should exist.
Crypto is providing an alternative to this point of view, if you don't think you need it, don't use it, pretty straightforward... and if you want to stop it because you want people to think like you, try to stop it, let's have fun.
also perhaps consider taking a less passive aggressive tone. throwaway accounts are not an excuse to be rude
If stating the factual matter of what you can do with or against crypto is "rude" to you, feel free to not answer next time, as your whining/concern trolling won't change much to these facts... especially when they don't relate to what was debated: reversability of transactions.
The same banks that caused 2008 and got bailed out can unanimously control transactions. The same banks that cause endless global conflict, that fix elections, that manipulate politicians, that rig the fabric of capitalism and democracy all around the world, that enable socialism for the rich and rugged individualism for the poor…those same banks are the ones you trust to “reverse transactions without permission”.
This is the problem crypto fixes. It removes the banks power. It has reversibility; it just needs to be integrated with the/a identity mechanism and legal system. The main purpose is to cut out the bankers.
It works the same way. You can introduce voluntary trusted market intermediaries and utilize things like escrow. Big enough markets can provide liquidity such that all transactions appear realtime, but sellers can provide a deposit to the market to cover problems.
That is one method among a gazillion.
We do not need banks. All bank functions need to be mathematically automated with no trusted parties.
The people involved in money transfer scams are never, ever going to jail, ever.
It is true that the system is insecure and terrible for consumers, but this is not an issue for the banks. They have insurance.
Confused. The companies that give me the option of ACH vs Credit Card always charge 2-3% to pay via credit card and nothing to pay via ACH. Why wouldn't they pass on ACH charges to me if they are a "great fee"?
update: I see from another link that Chase charges $0.25 per transaction so not such a great fee. But maybe across tons of charges it adds up.
The 2-3% credit cards charge as fees are largely used to deal with fraud.
There were 30 billion ACH transactions in 2021, and this number has been growing by 8%+ YoY for a while now. $0.25 a transaction is solid revenue when you consider that it's almost pure profits because fraud isn't a big issue and the computational power to manage ~100 million transactions a day is pretty modest.
Medium and large ACH customers pay much less than $0.25 per entry, which reflects the security and low-risk nature of the network.
People do abuse this all the time, look for the bad check writer program in your county. It's not switching over to ACH, that's how it has worked all along. I recommend Catch Me if you Can by Frank Abagnale.
There's also Check21, which is much more likely to be what they're doing. That takes a front/back image, and is essentially electronic settlement of checks, using check settling rules. For true fun, the electronic image can later be printed out on a larger piece of paper with it's own MICR, and now it's an IRD (image replacement document) and it can go back into the legacy paper settlement system.
Second item - these transfers take a few days to settle, so I've "stolen" your money, but I can't withdraw or transfer it to my EvilBank offshore account for a couple of days.
And finally, if you don't notice and tell your bank about this, and I can wait past the settlement period and withdraw the money, now I've got federal law enforcement after me for wire fraud, and they know who I am due to #1, so I'm in a world of hurt.
Correction: strongly tied to some identity. For online banks, for example, there's not much they can do to check if it's not a stolen identity. You'd need a lot of data - SSN, addresses, driver's license, etc. - but it's not out of the question to obtain such data from dark markets. Of course, withdrawal still be a problem, and this identity package will likely be burned once the first fraud notice will happen, so it may not be worth it to waste it this way.
That's why you have to freeze your credit, btw. They won't open an account on SSN with frozen credit - you'd have to unfreeze first, and that's usually harder to do for a crook.
You can't do this. Only a bank officer can.
A bank officer gets tracked doing it.
If it's fraudulent, it gets reversed out of the bank's pocket, so they go look at who did it, and act accordingly.
And if it's more than $500, you need a second signature.
Now, as a criminal, all you need to do to fake a wire is to hold a five year career.
It's the common sense answer.
"it wouldn't work."
My opinion is that HN is losing this rapidly.
This is the key part. If they're originating the ACH (i.e. pulling funds from your account) and a return is issued then apartments.com are liable for sending those funds back.
The bank is not wiring your money instantly. As I understand it, it takes 2-3 days for your bank to do the actual security confirmation. What Apple is probably doing is effectively floating you a line of credit assuming that the ACH goes through. And your bank is probably passing you along the transaction in a "pending" state.
There are a lot of security checks just to be in the ACH system. Ask someone who does payroll what it takes to set up direct deposit. Just having the numbers ain't enough even to put money into an account.
It's a bit analogous of how TLS/SSL work. Yes, you can just issue your own self-signed certificate. But that doesn't mean anyone will trust it.
Not sure what you mean by that - having the numbers would seem to be the only thing needed to add money into an account.
When I put my ACH details into my Cash app, or Apple pay, or whatever - I am not actually directly creating an ACH transaction. The two organizations are still going to do the transaction on my behalf.
There's no 'pending' state on ACH. It's done in one shot, in as little as 94 characters.
But most of them depend on the customer reviewing their transactions and reporting fraud. Otherwise, it can and will go undetected.
I personally don't care to review my transactions, it's a hassle, simple 2FA would do away with it.
I live in Denmark, we have similar systems for automatic payment, but at-least it now let's me see who has a mandate to withdraw money from me on a monthly basis. That said, it still a sorry state of affairs. The EU mandated 2FA on all internet shopping, this works, it got done, it's ugly and some of the 2FA systems look sketchy, but online shopping frequently involves an app or a text message for authentication.
ACH being public information is a bit like nameservers being public.
People have been doing all forms of check fraud. One popular one is where they'll send a check, you cash it, money shows up, and it reverses later because it's fraudulent.
https://www.cfo.com/corporate-finance/2019/04/scammers-targe...
If a scammer knows you own stocks, and can impersonate you, they can set up an account at another brokerage and pull your stocks away with ACATS. YOUR brokerage is required to send them, and does no verification. You probably won't even get a notification.
https://www.bogleheads.org/forum/viewtopic.php?p=6756853
Fidelity seems to be the only brokerage at the moment that lets you "lock down" your account and prohibit outbound transfers.
So, it is not a fertile ground for fraud.
Everyone implements these processes, and if you get a money transmitter that doesn't, generally, every other money transmitter in the space will mark transactions from that actor as high-risk, either rejecting tx's from them, or sibjecting them to longer holds, or just straight out rejecting them.
If you don't have a license of your own, your on ramp is through someone who does. They can underwrite the risk of your membership in the financial system as a whole, but if they find out (and they will, because their business contracts come with audit, FWA, and due diligence clauses) you will find your access cut off, and if it's brazen enough, lawsuits getting served.
Now, what does this mean?
If you hand someone a blank check, they can absolutely take you the cleaners. However, if someone crafts a malicious ACH payload, the origin of that can be traced from your bank, back to the clearinghouse, from the clearinghouse, back to the originator, who will have their processes scrutinized/investigated.
Generally Accepted Accounting Principles and double-entry accounting is the magic glue that ties everything together. If you follow the rules, you will have a transparent trail to follow.
If you don't, you've entered suspected money laundering land.
As a customer...
If you're deposited somewhere that is FDIC insured... You're golden up to $100,000ish.
If they aren't FDIC insured, if there's a dispute department, you should be good. You should still treat it as higher risk though in that if they get bank run'd, they do not guarantee at all you can get any money back. These are regulatorally speaking, not banks. They can take deposits, do transactions, dispense/administer interst bearing accounts (and do often pay higher interest due to the higher risk involved with depositing funds there), and do bank like things, but they are not banks.
If you can't get in contact with a human being, good luck, and godspeed. You are braver than I.
Not sure what GAAP and double entry accounting has to do with this.
The fraud here is not from end users "crafting a malicious ACH payload". End users don't interact with NACHA in that way. The more common case is when users, via their bank, are doing ACH Pulls from accounts that they shouldn't be. Most banks that offer direct ACH Pulls to their customers use a third party like Plaid Identity or microdeposits to prove ownership of an external account prior to initiating the ACH Pull. This is not 100% effective always - disclosure: I work at a neobank and I am directly involved in building systems to prevent/mitigate ACH fraud.
Only banks and financial institutions can directly send ACH transfers.
Unlike wires, ACH transfers take time to settle.
Banks are tasked with only allowing authorized transfers. Any bank that does not take adequate precautions will be kicked out of the system.
The profit banks can draw from participating in the financial system is much higher than the amount they can steal once before they get banned.
That's why most banks ask for verification (logins via plaid, micro deposits, etc), before allowing ACH withdrawal requests from other accounts.
But the most important reason why people don't do this, is that it's very easy to get caught. To actually submit an ACH request to a random account, you have to appear somewhere in person (unless you do small checks up to your daily bank limit via picture, which will quickly have you caught since your phone and account is linked to a real person).
Some CCTV tapes later, and you'll be put in jail for a very long time.
60 days hold is legal because that's for how long ACH transactions are reversible. Such long holds only happen if you have zero prior relationship with bank. I work in FinTech now and such things finally started to make sense to me.
Its all perception. The potential for reversibility improves the customer experience, but often times nobody is being prosecuted, the thieves often get the money for themselves, and the banks/insurance eats the loss.
The originating bank will then do the same to the merchant who debited your account, with feeling and 4 part harmony. If they do this too much (>1% unauthed, or >5% overall), then they get cut off. (Exact thresholds depend on the bank and their risk tolerance and what they've underwritten the merchant for. But those are about the highest numbers you'll see, though sometimes NSF returns can be higher. )
ACH never settles. There's no security as such. An ACH transaction happens overnight, on trust, and may come back (by agreement) 60days later, and longer in cases of extreme fraud. So any time you're seeing a 2-3 day hold on ACH, it's the bank doing risk management decisions, not something in the underlying transfer. (note, that may not be strictly true for some correspondent small banks in alaska or other odd time zones, where there really is a day+ delay on things)
The only thing that's keeping fraud under control is the banks doing underwriting on the merchants who can do debits. They're on the hook (ultimately) if there's fraud, so it's in their interests to keep it clean. They're also not likely to cut and run, because banking connections to the ACH network are not cheap/easy to come by.
(source, I've worked in this space for 18 years)
The key is that there is a process for reconciliation. It IS NOT ENOUGH to simply have a ledger - you also need a mechanism for enforcing that the ledger matches reality. And reality is complicated, filled with reasonable disputes over terms and deals (in the best case) and outright fraud and theft (in the worst case).
A given party may be able to temporarily pull money from you with two numbers, but the process around reconciliation makes it so that you, the customer, are protected from the actions of the mediary (because at the end of the day, they're selling this service, and are responsible for their actions in relation to providing credit). This incentivizes those institutions to be careful, protect their reputation, and avoid taking on obvious risks.
Essentially - the system is structured in a way where incentives align to prevent abuse. And entry into the playing field is expensive and limited enough that institutional reputation matters.
The difference is that while crypto can do both, the legacy finance system cannot.
Most don't do because convenience wins for the user and increases the value.
The user knows if something is wrong (like stolen funds, accounts etc) they will get their money back, and trusts the system so spends more.
İf you don't provide this trust system, they won't spend as much as they do.
You will get less volume.
There is an asymmetry here because anyone can be a customer but not everyone can be a vendor- that requires a certain level of reputation and upfront investment. So it is more risky for a vendor to scam a customer than the other way around.
Cryptocurrency transactions require high trust in the sense that they cannot be refunded, but they also require low trust in the sense that the vendor cannot possibly steal any more money than what you sign them.
With an open season of friendly / chargeback fraud, customer lies, refund tricks, etc which customers keep doing every day and so on which too many of that and Amazon will ban your account and they should.
My guess is that if I had no option to do a chargeback, it would have been harder to get a refund then.
There is a narrow sense in which the merchant "always prefers finality" but it isn't the relevant sense.
There are, for instance, no longer many mainstream online merchants who accept only irreversible transactions. There once was a time when online transactions were primarily paid via money order, but PayPal and credit card processing has made that obsolete.
This was also normal for eBay payments at the time.
There were, of course, a few that did accept credit cards, but many people were weary about using those features because very little of the web used HTTPS at the time. Even Amazon accepted money orders (and personal checks!) for this reason.
I think most customers pay with credit cards more because of convenience (or rewards, where applicable).
There's a myriad of QR payment systems popping up around the world (e.g. WeChat, UPI, PayNow) that are getting considerable adoption — and those aren't reversible. They're popular because customers don't have to worry about carrying enough cash with them.
> if customers demand
Rather than
> customers demand
The landscape of trust online is varied. Someone is likely to have lower trust for random website you’ve never heard of (which was most stuff in the early days) than an established business or one with a physical presence.
Now that online retail is mature and trust is high, credit cards are more for convenience, but this wasn’t the case in the early days… and still isn’t the case for lesser established sellers or marketplaces.
A physical merchant usually has a storefront in a public place that they can't abandon on a whim, a reputation to lose etc, whereas the customer is usually anonymous and mobile. This is why customers are generally ok with paying using a (to them) irreversible/final payment method, and merchants will insist on it.
In e-commerce, the risk lies almost exclusively with the customer: An online store's reputation is not easy to judge (and brand impersonation is its own risk), and even at reputable merchants, the time between order and delivery is much longer, goods can usually not be inspected ahead of time etc.
Not coincidentally, the various card schemes' rules reflect this circumstance by assigning default liability for online payments to the merchant (or their acquiring bank, in case of a fraudulent or bankrupt merchant), whereas for in-person payments it lies with the cardholder (or in case of fraud with their issuer, in some circumstances).
In the early days of eBay, it wasn’t unheard of to send out a money order in the mail, wait a month, and never get the item.
But in all seriousness, if you are a vendor then any purchase by a customer that is not associated with a legally accountable entity must be settled with finality, because you have no way of preventing charge-back fraud yourself.
In cryptocurrency marketplaces, the customers vet the vendors, not the other way around. This is because the vendors have a higher upfront investment in their business and reputation. The customers are not expected to maintain a reputation (for sake of their privacy) or an investment (outside of an multisig escrow) so any attempt to vet them is prone to sybil attack.
The process of vetting customers is usually assumed by some monopolistic intermediary like PayPal. These companies are able to vet customers by implementing a mass surveillance system.
Both parties to this kind of transaction understand why finality is required, and don't have a problem with it. It's a second hand "sold as seen" transaction. The buyer knows where the seller likely lives. The seller doesn't know anything about the buyer. Neither party typically carry that kind of cash around, so there are two trips to the bank (with their own risks) that could be saved if there were some sort of easier digital equivalent.
Maybe, but since I also wouldn't be too happy if they reversed the transaction after taking the car, we both agree in advance that the sale will not be reversible. For the payment, that's done by using cash (and the possession of it), and for the car, also just possession. I give the buyer the opportunity to inspect the car before committing to the sale, and then it is "sold as seen". Unless I committed fraud, the engine falling out from underneath the car will be the buyer's problem, including in law.
It is always possible to seek redress through the courts whether the financial transaction itself was reversible or not, so that's not relevant here. Neither is the fact that to do that knowledge of identity and evidence is required; those concerns also exist regardless of transaction reversibility.
Which is exactly the point of the finality of the transaction. Private party car sales in the US typically are not warranted. The risk of maintenance on a used car is non-zero, and the buyer accepts this risk when buying a vehicle with no warranty.
If you want to have a third party mediate the exchange, you can use a multi-signature transaction (https://monerodocs.org/multisignature/). For example you send the cryptocurrency to a 2-of-3 address where the mediator, the vendor, and the customer each hold a key and two of them are needed to move the funds (the mediator sides with either vendor or customer, or the vendor and customer both side against the mediator). Or you can send the cryptocurrency to a 2-of-2 address, which allows the customer to permanently withhold the funds from the vendor at the cost of withholding some funds from themself that they put down ahead of time, like an escrow that is locked in case of dispute.
If you wanted something more like that, you could pay via a smart contract that holds the funds in escrow for a while, with the arbitrator key able to refund the money to you.
Nothing in banking is un-undoable. Some just require more effort to undo.
As opposed to ACH which could bounce or you could issue a stop payment.
And for fraudulent transfers, Zelle’s trying to pin them on the customer is them hoping you’d give up rather than remind them that regulation E governs it as well, and they used to acknowledge that on their web site.
Yep, and also methods to bring forward and rectify those disputes, as in the courts. I always wonder how many court orders each day need to go through the banks for enforcement, through wage garnishment, sheriff's auctions, power of attorney, etc.
"Overseas ACH" isn't a thing; anything which looks like it is fronted by a US institution
>There are various ACH systems around the world. The World Bank identified 87 systems in their 2010 Survey
Seems to me like there are many different ACH systems, but perhaps the one referred to colloquially as ACH is specifically FedACH, the American system.
https://en.wikipedia.org/wiki/Automated_clearing_house
Giro might be the other, possibly broader term for something similar:
https://en.wikipedia.org/wiki/Giro_(banking)
There are many national and international equivalents, but the linked Wikipedia page gets many of the examples pretty wrong, listing e.g. card acquirers/processors and central banks as examples for other such networks.
Direct equivalents would e.g. be SEPA Credit Transfer (but not SEPA Instant) and SEPA Direct Debit in the Eurozone or FPS (credit push only) in the UK.
https://www.nacha.org/content/international-ach-transactions...
It still Nacha which is a US institution as you mention. However, I don't see how that protects in the case of a fraudulent overseas transaction. What recourse do you have if an overseas bad actor tricks you into sending money to his overseas account via international ACH?
1) settle the transaction in the next few days (3 usually).
2) ask for additional information on the next few days.
3) deny (return) the transaction if it looks too suspicious according to the bank.
[1] https://www.nacha.org/system/files/2019-07/IAT-Specific-Data...
Others have covered the overseas part, but for the bank claims they didn't receive you're transfer part, I would expect that to show up on the settlement process. If there is a disagreement between banks, when they later check how much each bank owes each other, there should be a discrepancy the banks need to work out.
Note: not an expert in how ACH works or how settlement is done.
If it surpass the 3 day window a "late return" will be sent to notify the origination that the transaction failed, however, the money may already have been transferred to the receiver.
[1]: https://www.moderntreasury.com/learn/ach-return-code-referen...
https://en.wikipedia.org/wiki/SWIFT
what you say is true, but system-wide, this gate-guarding by reputable parties costs unimaginable numbers of dollars in fees and delay. Everything you list is obviously desirable except.. it has gone far in the other direction -- disproportionally expensive, too much gatekeeping.
For the two billion new customers in global trade that have emerged in the last twenty years, for commodity transactions.. why pay? For those that want to tie together dubious foreign agenda with market regulation (oil & gas markets), keep your own credit records and regulators.. but dont hold the rest of the world hostage.
crypto is inevitable with these networks, so make some interesting and useful ones. Of course the old system will object.
There are some projects which are attempting to fill in the "TradFi" gaps and support clawback at the protocol level.
I am aware of at least this project but I believe there are others.
https://developers.stellar.org/docs/glossary/clawback
(disclosure: I have like $10 of XLM).
So the regular outcry about “crypto is still completely non-viable as a real medium of exchange” is just complete nonsense; parroted here once again.
Problems that have been solved in a "Traditional Finance" setting (eg. clawback, chargeback, dispute resolution) are either solved or being worked on by many different cryptocurrency projects.
The question which remains to be answered is whether or not cryptocurrency can solve problems that TradFi can't solve or can it solve them in a better way, or more efficiently, etc.
The Stellar Network (and to some extent Algorand) seems to be more efficient than the current system and they aim to work with it as their solution(s) works faster, globally and cheaply, hence why Moneygram chose Stellar for its new product and why Stripe removed Bitcoin payments and re-entered again until regulations were clearer and more cryptocurrencies were available.
Not all cryptocurrency technologies are the same.
I understand HN is a shit-on-crypto echo chamber but it's naive to think crypto is just settlement.
Settlement is simply a low-level primitive. With smart contracts, you can build whatever mechanism you want before making something final. Multisig, clawbacks, timed-delays, time-locks, escrow, recovery wallets, etc.
The way I see it, the reversibility of ACH is mostly a 'workaround' of ACH's security flaws. If a crypto does not have security flaws, then it does not require such workarounds. The only drawback is that it cannot correct for human error. But IMO, I don't see human error as a major issue since it's a reality of life that people should be responsible for their mistakes. There are an infinite number of ways in which a person can ruin their lives within the space of a minute, sending money to the wrong address is just one more of them.
Society has absolutely zero sympathy for this point of view.
Eventually society will give genuine, serious consideration to crypto.
"No ability for the legal system to reverse transactions in the case of fraud you say?"
And that will be that.
No-one in the majority of the populace actually wants an ungovernable financial system.
You do realize crypto can be wrapped up in a settlement layer, right?
Cash has the same problems until you introduce a settlement system.
It’s a very intrusive data-mining service that should not be trusted with bank account credentials, at-least if you care about data privacy.
Change your bank account password, and you may even see Yodlee (like Plaid) trying to login to your bank account every night to scrape daily transaction data based on some ’bank verification’ you previously gave to some app or 3rd party.
I was curious if I could track them down by giving them real info but wasn’t convinced enough about the reversibility of it to risk basically my entire checking account.
Is there any particular reason to believe that the number the scammers said they were going to take was the actual number they were going to take?
Interestingly enough the amount the scammers “quoted” continually increased as I was on their “recorded line” - it started at $250 or so and kept increasing.
I pretended to be incensed at their lack of integrity, but they just shouted back and eventually resorted to their master insult - calling me a mother fucker. I wish they would come up with some better insults as I’ve been called that exact thing hundreds of times now. Do they teach that at school or something?
https://krebsonsecurity.com/2010/01/top-10-ways-to-get-fired...
> with feeling and 4 part harmony
What do you mean by this in this context? I tried googling it, but only found results on musical theory. I guess you mean this as a (funny) metaphore?
"Once more, with feeling," is a cliche that a conductor might say to an orchestra during rehearsal. Presumably professional orchestras usually play with feeling, even on the first attempt. So the conductor means, somewhat condescendingly, more feeling. It has been said so many times by so many conductors that it has become a running joke. If you were doing a comedic impression of a conductor, you might insert that phrase.
Four-part harmony is the performance of a song by four singers (or four groups of singers): soprano, alto, tenor, bass. You could have just one person sing a song, but if you have a whole chorus sing it, it will sound fuller (though not always better).
It was a funny way to say that the bank not only will require the money from the person who began the transaction but also will impose severe fees.
As if. Ask the tens of thousands of people who have been scammed sending ACH payments if the bank has ever fucking reversed jack shit for them.
What if, in this order:
1. they take $10k from my account to their account
2. they take the $10k out of their account immediately
3. I call my bank and ask them to reverse the transaction (aka the funds are no longer there to yank back)
Most likely, the originating bank will release the money to the account that requested it a day or two later. 3 business days is pretty typical. More if they're high risk.
You complain, make a statement under penalty of perjury that it's Unauthorized. Your bank sends a return (R10 or one of the other shades) to the Fed. The fed debits the originating bank, and sends them the return message. You've got your money back, and it's the originating bank's problem.
The originating bank then has a potential problem. They go after the company that initiated the debit. Depending on things, that might be a company or a 3rd party payment processor. If it's a 3pp, then they probably still have money from that originator or another, and now it's their problem. They may have a reserve or rolling settlement against such things.
But generally, it's the fact that there's a trusted third party (The Fed) that makes sure that banks pay up on returns that makes it not your problem.
I have a weird, occasional fear that some of the companies I do business with might eventually enter a Chapter 7/11 bankruptcy of some sort, and that my ACH push payment could be clawed back.
A push puts the financial responsibility for fraud on the originating bank. Imagine account X pushes to account Y, and then account owner Y walks into the bank looking to withdraw cash. From Bank Y's perspective, everything looks fine. Later on, bank X finds out the push was fraudulent, but bank Y has relied on the transaction to dispense actual cash. Bank Y may help investigate, but they surely aren't going to be out the cash due to relying on X's false transaction.
Whereas the pull transaction (with Y as the originator), bank Y will put a withdrawal hold, scrutinize the cash withdrawal and ask if this is really their customer, etc, since there is no other party they can blame.
I also personally tend towards using pulls because that's the way the system expects to work since it grew out of checks. If one pushes money and it never shows up, then the blame is ambiguous. From the originator's perspective they've completed what you've asked them to do, and from the receiver's perspective they know nothing. Whereas with a pull, the main thing you're doing is asking the originator to credit your account. If the transaction gets lost without your other account getting debited, then the discrepancy doesn't really affect you.
- Their account will be negative - Bank wouldn't allow them to withdraw 10k due to a hold - Bank wouldn't allow them to spend money due to a hold
Anyway, in the end, victim's bank will get money back. A lot depends on the relationship of the scammer with their bank:
- On my fresh account, I once did an ACH transfer around 15k, the bank placed a 60-day hold on those funds, it was a saving account, so I literally couldn't do anything with it for 60 days.
- Some time later, the same bank got a 500k ACH transfer, bank placed a hold on half of it, but allowed me to withdraw the rest.
- Another time I had 15k ACH transfer on "well established" checking account, bank still placed a hold on 10k.
If it's a "fresh" bank account - you're not getting money out, specially if it's a transfer between two random consumer accounts until bank feels safe.
Banks and payment service providers generally mitigate this risk by e.g. demanding a security deposit and/or delaying funds availability for new customers.
I'm not sure if this is what you meant to begin with, but the institution is probably not doing anything at all. They're just waiting to see if the name gets flagged and to give you time to cancel your credit card or whatever it is. The fishiest transactions start to smell immediately and all you have to do is wait a second for the smell to waft in.
Definitely lol’d at that, thanks
Mostly because this is not true. Anyone can’t do it. It’s relatively easy to get permission to get deposit access. Getting withdrawal access is not especially easy. And it’s capped at an amount relative to your credit rating.
And the people who do have withdrawal access need to have a good business reason to do withdrawal, and don’t want to lose their access.
Always check your bank statements.