Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It is implemented in most of the world outside of the US.

It is scary that the info you need to deposit funds into an account in the US also allows you to withdraw funds from it.



With approval (eg - PIN or password) you might be able to withdrawal funds.

But, can't you say the same thing about a credit card? Heck, you don't even need a password for that; everything you need is right on the card.

Or, your mobile device (if you pay through near-field tech)?


>With approval (eg - PIN or password) you might be able to withdrawal funds.

Not to sound like someone who wants to get your bank details, but which bank allows you to delay ACH payments until you approve them? All someone needs to get money from my account is the (publicly available) routing number for my bank and my account number. Boom. Now I'm paying someone else's Verizon bill and have to call my bank and say "I can't believe you think I'm someone who would waste money with Verizon!". What I really want is access control for all ACH transactions. They said it wasn't possible for me to do an allowlist for ACH. I basically just have to call any time a fraudulent transaction comes through to stop payment. OTOH, with certain card issuers (AmEx I think?), I can simply press a button to declare a transaction fraudulent.

>But, can't you say the same thing about a credit card? Heck, you don't even need a password for that; everything you need is right on the card.

Checks have that too. Except there are hundreds of copies of them. Someone just needs to see one check to get all the information they need to withdraw from your account.

OTOH, I turn my debit card off, so having that information is useless unless someone knows when it's on. I can actually do this with most of my cards, debit and credit. Coupled with virtual credit cards, it's a really effective way to secure money. Or at least have stricter control than a classic bank account.


> But, can't you say the same thing about a credit card? Heck, you don't even need a password for that; everything you need is right on the card.

It being replicated widely (see also: SSNs) doesn't make the "account number as a bearer authentication token" approach any less insane!

I believe that the only way to get some momentum in getting away from this unfortunate situation would be regulatory intervention – using market forces alone, convenience and inertia will just inevitably punish whoever moves first by introducing even the slightest amount of friction.

Otherwise, the US would already have PINs for POS payments and 3DS challenges for online payments using credit and debit cards.


If you need PIN or password, why are people so scared of giving out account numbers?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: