
In the US your public bank account number is effectively a password to debit your account! There’s literally no authorisation at all!


That is the case in most of Europe as well (under SEPA Direct Debit), and has been for many years now.

I've not had to dispute an ACH debit yet, but at least at most German banks, it's literally a single click and the money is back in your account – up to 8 weeks after the payment (any reason, no questions asked), and up to 13 months in case of fraud ("no mandate").


> In the US your public bank account number is effectively a password to debit your account! There’s literally no authorisation at all!

Don't you also need the routing number? How does this differ in other countries or anywhere that checks are used?


Yes the public account number and routing number. Which are printed on my card, statements, might be read out loud, etc.

My bank in the UK would not let you debit my account with just the numbers. I’d need to authorise it.

How do you stop people debiting your account with whatever they want?


> How do you stop people debiting your account with whatever they want?

Short answer: you don't. Long answer: robust "fraud" controls. It's a shit-show.


Part fraud controls (which don't necessarily work), part being able to undo transactions.

Being able to undo mistakes means far more than anything else; it means it's permanently superior to all ""web3"" tech no matter how much fancier they may make that look.


The routing number of each bank is public :-)


Yes but banks can have several routing numbers.


A check needs a signature and has some security feature built-in. You might argue that it's not sufficient, but it's the same deal as paper money for example. The cost/benefit ratio is too low for counterfeiting checks to be useful, most of the time.


The routing and account numbers are printed on every paper check in the US. Those are all that you need to process an ACH. The onus is on the ACH originator to make sure the numbers are not stolen.


Can you elaborate?

I believe you need a specific bank authorization to do ACH withdrawal using only routing and Account#. Plus, your beneficiary bank does screen for such services given out to clients very closely. No random Joe Schmo can do auto ACH debit.

Unless you are referring to passing forged checks, I'm not sure what you mean by this.


My understanding is that in the US to pay your rent you either send a literal paper check, which had no serious authorisation at all, or your landlord reaches into your account using your bank account number and debits it, without you having to approve.

If not - why do people protect their bank account numbers in the US? In the UK mine is printed on my bank card - anyone can read it off.

It’s like social security numbers in the US - they became passwords when they weren’t supposed to be.


> your landlord reaches into your account using your bank account number and debits it, without you having to approve.

This is how many people pay for rent in Germany (and I strongly suspect elsewhere) as well.

If they take too much, you can get it back with a single click in your bank account.


Quite interesting. In Poland a lot of places have their bank number just on their website if you want to donate something, I don't think you can place a debit like that.


Bank accounts like that often have outgoing direct debits blocked to prevent fraud, as far as I know.

(I don't think there is a registry – this would simply be a bank-side setting to auto-decline all requested direct debits.)


My bank account number is also sometimes freely shared, so I think this is applied at national level (at least in case of Poland).


"I believe you need a specific bank authorization to do ACH withdrawal using only routing and Account#"

No. All you need is an account number and routing number (which are printed on paper checks). The ACH originator is responsible for ensuring the numbers are owned by the payer.



