Wil Shipley is getting screwed by E-trade. I'd like to think that this sort of think couldn't happen at my financial institution, but that would probably be naive. :-)
However:
Let me say that again. ANYONE can call the bank and say, "Hi, I'd like to make an ACH transfer from this account to this other account at a different financial institution of ill-repute, and I swear I'm really Wil Shipley," and they'll do it. Just like that. There's no password, no signature, no record.
This part doesn't sound right to me. We have do a lot of work to verify that an external account is actually owned by the person on the other end. We're online only in my world, so maybe the rigor is higher, but we use small deposits first which form a 4 digit code essentially that the person must then provide to prove they own the account (reasoning that if they can see the statement of the external account, that's close enough to ownership). So just snarfing a check + the SSN wouldn't be enough.
It's all about being able to show the company did due diligence. If they are just taking people's word for it on account ownership and transferring money, they are likely going to be open to some severe liability.
This is Rob Meyer's weblog, a weblog focused on software development and system administration based on 10 years of experience. Want to explore further? You can find out more me or see the rest of my website.
Wondering if I've written on something in particular? Try searching:
You might want to take a look at some of the more requested postings (as judged by incoming traffic):
Want more? Subscribe to this site 
or contact me at rob at big dis dot com.
See my writings on: