2

Venmo wants the login credentials to my bank to link to my bank account. Giving my bank password to another party feels very wrong and is not something I am inclined to do.

However, after thinking about it, I'm not sure that the more traditional approach of giving routing and account numbers is necessarily any better. At least I can change my bank password. (Although I then wonder: do sites that link to bank accounts in this manner actually store the password? Or do they obtain some other form of authorization token that survives password changes?)

Is one riskier than the other?

jamesdlin
  • 2,085
  • 1
  • 14
  • 13
  • Closely related: https://security.stackexchange.com/questions/198005/is-plaid-a-service-which-collects-user-s-banking-login-information-safe-to-use?rq=1 – Jon Schneider Aug 23 '23 at 14:46

2 Answers2

1

I'm not a financial person and have wondered this as well. So, I think the best way to answer this question is by starting with which services a bank can provide and then what information is required to use those services. I investigated this by actually using the below services. There are two services that I know of to transfer money:

  • ACH: Your bank will require you to validate the foreign institution transaction before you can send money. There are also daily limits. This is largely the one security barrier between your account being drained by ACH.
  • Wire: Your bank sends your funds to wherever you tell them to (details below). There are no limits on this transfer and the bank will most likely assume zero responsibility in the event of loss of funds (at least mine did). The institution also does not verify the endpoint like they would with ACH; if you or the financial advisor fat finger the routing number or account number you are potentially at a loss. I asked both institutions before sending a wire transfer what happens if I miss a number and they both advised me not to do that and to triple check the numbers.

Both ACH and Wire require the same numbers to transfer: Routing number and account number (they did in my case, maybe not your institution, again you have to check). Wire transfers almost can never be reversed (I cannot back this up; but it seems like its in every liability). ACH however seems to have that capability. ACH again has limits; one institution I knew of it was $3,000 a day. This makes it next to impossible to drain your account via ACH, and since most ACH can be reversed it makes it less worth while to even try. Its also worth mentioning that ACH are limited to within the USA only. The only way to drain your funds to a foreign institution would be via an international wire transfer which has even more strict policies/regulations than a domestic wire. Also worth mentioning is that you usually need to know the account details of the foreign account to conduct the wire (such as the full name and address of the account holder).

So, with that being said. If you give your password to your bank account whomever it is will have access to your account numbers. This means they could setup an ACH transfer and disable any alerts you have and then setup a recurring ACH transfer that you may never notice. Doing a wire transfer is harder; most if not all banks require you to be physically present to conduct a wire transfer. Some do not; some allow you to fax in forms and your ID... So, let that sink in.

Another perspective for you is if you don't give them any information except your banks routing number and account number. They can then use ACH to request and take funds from your account (think eCheck or reverse Direct Deposit).

With that being said, you should never give your bank password or account numbers out. I find it disturbing that people will give these numbers out willy-nilly for gym membership (yes I'm pointing at you Planet Fitness!).

I should also mention that the routing number for the bank/institution is public information. You can often see it on the front page of the website; this means its one less number sequence for an attacker to find. The number the attacker wants is your bank account number.

You should read over the Security section for wires. Also worth mentioning is that the USA uses SWIFT to conduct wire transfers; this seems to be the target for malware and other types of attacks.

  • 2
    My account number is printed on every single check. How is providing the same information in a different form any less secure? I still wouldn't do it, and I'd never let a 3rd party suck money out of my account. But I don't understand why the account number is so sensitive when it's printed on checks. – Steve Sether Aug 05 '18 at 06:00
  • It is the case that routing and account are all that are needed for a transaction to be performed that removes money from that account, but that is not the same as saying that if someone steals your checkbook they have access to your account. The transaction moving money from one routing+account to another routing+account has to go through a party/merchant authorized to interact with the ACH system. That party has some liability for fraud. The thief could also write and sign your checks- anti-fraud has improved dramatically here since Catch Me If You Can. – Jonah Benton Aug 05 '18 at 16:08
1

If for whatever reason you have to receive payments over Venmo- assuming you have given this decision deep consideration, and explored alternatives- I would argue in favor of:

  • setting up a distinct pair of checking + non-checking accounts for this purpose that are linked but that do not have any automated transfer rules
  • keeping as low a balance in checking as possible, with the bulk of cash in non-checking
  • providing Venmo with routing and account number to the checking account
  • not providing Venmo with account credentials

In the abstract, the question of credentials vs routing/account is hard to answer, because there is a high degree of variability in the relevant security practices across the population of merchants, providers, and banks.

In this particular circumstance, I would argue that providing routing + account number to Venmo is less risky than providing them with account credentials, for two reasons:

  1. the ACH system significantly lags the consumer credit card system in technical maturity, but it has still been dealing with fraud for decades. There are safeguards, and by managing balances, you limit exposure.
  2. credentials are fundamentally more powerful than account+routing, and governance and security around the use of credentials at banks is still (still!) new and in many cases, poor. Just note how many banks still don't do 2FA.

Finally, generally speaking, there is no OAuth-like infrastructure in place at banks. If you provide a third party with credentials, and you change credentials, that third party should no longer have access to your account.

Jonah Benton
  • 3,507
  • 14
  • 21