## The US banking system is insecure

#### April 2013

I never really understood why banks encouraged a separation between checking and savings accounts. I still don’t, but at least I now have a theory.

It turns out that the American banking system is intrinsically insecure. It might be that foreign banking systems are the same way, but I’m not 100% sure how they work so I’ll limit this post to the US. The problem is simple: if you have an account number and a routing number, you can pull money. Neither is supposed to be secret, and the routing number is usually easy to guess. Indeed, both are written on the bottom of every check!

The upshot of this is that unless everyone you ever write a check to, or whoever sees a picture of a check of yours, or whoever handles said checks is trusted, then potentially malicious actors have the ability to pull money from your account. Amazingly, there is no ability to reverse such transactions once complete.

I use a three account system for Transcriptic:

• A savings account whose account number I treat as secret.
• A checking account that holds only a few weeks of cash at any given time. (The “operating account”.) I treat this account number as sensitive; I’ll only rarely write checks.
• A checking account that I use for receiving inbound transfers whose account number is not sensitive. This is set up to automatically funnel the money to the savings account upon receipt, without ever exposing the savings account number.

This system is far from perfect. If an attacker gets the checking account number, they can still steal an average of {refresh rate}/2 weeks of cash. Further, the savings account number is still discoverable if an attacker gets account statements, either through the mail or by accessing an online banking interface (remember those coffee shop browser session attacks from a while ago? The session should be protected via SSL, but very few banks I’ve seen are comprehensive about not loading off-domain resources). Most banks don’t offer two-factor authentication. The really paranoid can leave a standing hold on the savings account, so that you’ll need to show up in person with a driver’s license to transfer money out, but it turns out that’s mostly just an annotation prompting the bankers to ask for this, and it is barely enforced technically.

If someone steals money from your account, you’re insured up to $250,000.¹ Beyond that you have no guarantees, and while that’s a lot for an individual, it’s not very much for a business. Maybe your bank will include further insurance, but they probably don’t. At the very least, it can take 8 months or more to see anything restored. Organized crime is a huge issue for small business. The entire system is ridiculous. Credit cards solved this problem through aggressive fraud detection, because fraud was made the banks’ problem. There are many fewer protections with bank accounts.

¹ This is actually not quite true. The $250k insurance usually refers to FDIC insurance if the bank itself fails. Theft is a different matter entirely, and many banks insure deposits to around this amount, but getting made whole by the bank is difficult from what I’ve heard; they treat it as your fault that you didn’t adequately protect your account information, which is obviously absurd.