• quick_snail@feddit.nl
    3 days ago

    Yes, they can.

    The UI makes it seem push-based, but it’s actually pull-based. There is no technical barrier to pulling from someone’s account. Any malicious entity can do this if they present the bank with a forged hand signature. Or, of course, a malicious bank. Or, of course, a malicious employee at a bank.

    Worse, banks won’t let you create a whitelist of accounts that are explicitly permitted to pull from your account (called “positive pay” for ACH).