Re: Encrypted bank account info
- Subject: Re: Encrypted bank account info
- From: Luke <..hidden..>
- Date: Sat, 6 Mar 2010 03:23:55 -0500 (EST)
On Sat, 6 Mar 2010, David Godfrey wrote:
> From IRC #ledgersmb
> < sbts> metatrontech: just reading through the
> Encrypted bank account info thread
> < sbts> I am wondering how nessecary(sp?) this is.
> < sbts> most businesses I know around here, don't worry much about
> keeping account details secret, you even see them put
> documents with their own details on straight in the rubbish,
> not even shredded.
That's probably more common than anyone would like to believe.
> < sbts> metatrontech: certainly here, most companies print their bank
> details on every invoice they issue,
> direct deposits are a common way for payments to be made,
> even for one off customers
Any company which publishes wire info is also basically doing this.
> < agittins> sbts: totally agree re account details (i'm in qld) -
> in oz the only thing you can do,
> armed with a bsb and account number,
> is give that person money
> < agittins> i'd posit that any country that allows otherwise
> has a financial system which is very seriously broken
Chris said earlier that in the US, an account and routing number is enough
to initiate an ACH transfer out.
It got away from me, but I was going to comment, that while this is true,
you need the cooperation of a bank. I do not know of a bank which will
allow this without evidence of some sort of business relationship, or
customer permission. It could probably be circumvented with deliberate
effort and the right circumstances, but it would be quite clear where the
money went, and unless you're playing serious account hacking games, the
Feds would be on you with a reasonable degree of speed.
So even if possible, I do not think it is considered much of a problem.
The account and ABA number appear on every check. That information could
be used to forge an ECheck (or even a print one in certain cases), but I
never hear of that information being used in an ACH context, and check
fraud is an old problem.
I see no real value to encrypting this information.
> < agittins> the real question perhaps should be
> "should lsmb offer to store credit card details,
> and if so, how do we do it?"
Credit card numbers, maybe, but I reference my other message as the way to
deal with that.
I suppose they should be storable--leave compliance to the user.
> < agittins> as actual banking details are about as sensitive as
> addresses -
It's in the eye of the beholder. I don't give out bank info to just
anyone who might want it--there are good reasons for that (in the legally
confirmable realm)--but as an order of security issue, credit card info
has a much higher priority.
If I was providing public wiring/deposit info, you may be sure that it
would be for an account which was maintained empty or at minimum, and was
daily drained of deposits. Public data is still public, and one must act
with a certain assumption of "whatever might inconceivably go wrong,
could some day become conceivable to someone".
Luke