
In Part 1, we discussed the economics of fraud. In Part 2, I want to expose the main pain point of the US banking system: ACH (Automated Clearing House).
The system itself is ancient, simple, and theoretically secure. However, its integration into modern e-commerce — specifically how financial providers like Finicity, Trustly, or Yodlee use it — turns this impregnable fortress into a colander.
Let’s break this down step-by-step with a real-world example.
The Illusion of Safety
Imagine you are a customer of a solid, reliable bank — for example, Fifth Third Bank (53.com). It has robust security: complex passwords and mandatory Two-Factor Authentication (2FA) for both web and mobile login.
Theoretically, even if hackers compromise your login and password (from logs or stealer malware), you shouldn't worry. Without the SMS code or Push notification, they can't get in. Or so you think.
The Trojan Horse: Budgeting Apps
Enter the world of "financial wellness." There are dozens of apps for tracking expenses and planning budgets: PocketGuard, Monarch, Quicken, etc.
These apps do not connect directly to your bank. They use "financial bridges" — intermediaries like Trustly, Plaid, Yodlee, or Finicity.
Here is the exploit: Due to specific architectural decisions (and legacy protocols), these fintech aggregators often establish a connection between the bank and the app without triggering the standard 2FA check, or by using cached tokens that bypass the user's active device.
The Attack Vector:
Attacker takes valid credentials (Login/Pass).
Attacker goes to a third-party app (e.g., PocketGuard).
Attacker selects "Connect Bank" via a provider (e.g., Finicity).
Bypass: The provider logs in. The victim receives no notification, or the 2FA is bypassed due to the "trusted" nature of the aggregator.
Result: The attacker now sees everything: current balance, transaction history, and spending habits.
From "Read-Only" to "Full Control"
You might say: "Okay, it's unpleasant that a hacker sees my transactions. But these are budgeting apps! They are read-only. You can't send money from Monarch."
You are right. You cannot initiate a transfer from the budgeting app. But this access allows an attacker to execute the Micro-deposit Exploit.
To drain an account via ACH, an attacker needs two things:
Routing Number (RN)
Account Number (AN)
This is where payment processors like Trustly come to the rescue again. If an attacker registers on a service that uses Trustly (or similar processors) and links the compromised bank account:
Trustly often reveals the Account Number and Routing Number in the settings menu (plain text).
It also parses and displays the owner's Full Name and Billing Address.
The Carte Blanche
Now the attacker has the "Holy Grail" of US banking:
Full Name & Address
Live Login/Pass
Account Number & Routing Number
Real-time view of transactions (via the budgeting app)
The Kill Chain: The attacker links this bank account to an external wallet (Crypto exchange, PayPal, Neo-bank) to pull money out. The external wallet sends two micro-deposits (e.g., $0.12 and $0.05) to verify ownership. Since the attacker has connected the budgeting app, they see these amounts in real-time. They confirm the amounts. The link is established.
The "impregnable" 2FA fortress was bypassed without a single SMS ever reaching the victim.
The Aftermath: Who Pays the Bill?
I suspect many reading this have experienced that sinking feeling: logging into your bank account and finding a gap of $1,000 to $10,000. It’s not just unpleasant; it’s a violation.
Active Defense: Can we stop it? Just like with Identity Theft, the solution lies in Active Defense. When a compromised bank account is sold on the black market, the listing typically includes the owner's Full Name and State. Is it harder to find a bank account owner via OSINT than a "Fullz" owner? Sometimes. But the stakes are higher.
Identity Leak: Damages your credit score over time.
Bank Credential Leak: Direct, immediate financial loss.
Global Solution: Kill the Micro-Deposit
We need a massive educational campaign. Users must understand: Two tiny deposits appearing on your account are not a "glitch." They are a precursor to robbery.
My Proposal: Banks must implement "Aggressive Profiling" for micro-transactions. If a bridge like Plaid or Trustly requests a micro-deposit on an account that has never used fintech apps before, block it and call the customer. Prevention is cheaper than the refund.
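One way a bank's transaction-monitoring pipeline could express the profiling rule above, as an added example written for this post (not the author's own code and not any bank's production logic): it walks statement lines in posting order and alerts only when two micro-credits from a fintech originator post within a few days on an account that has no earlier fintech activity. The originator keyword list, thresholds and sample transactions are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from decimal import Decimal
MICRO_MAX = Decimal("1.00")      # credits at or below this are treated as micro-deposits
PAIR_WINDOW = timedelta(days=3)  # both verification credits normally post within a few days
# Constructed list of ACH originator keywords treated as fintech/aggregator activity (assumption).
FINTECH_KEYWORDS = ("PLAID", "TRUSTLY", "PAYPAL", "COINBASE", "VENMO")
Txn = namedtuple("Txn", "account posted amount originator")  # amount: credit > 0, debit < 0

def is_fintech(originator):
    return any(k in originator.upper() for k in FINTECH_KEYWORDS)

def flag_micro_deposit_probes(txns):
    """One alert per (account, originator) when two micro-credits from a fintech originator
    post within PAIR_WINDOW on an account with no earlier non-micro fintech transaction."""
    by_account = {}
    for t in sorted(txns, key=lambda t: t.posted):
        by_account.setdefault(t.account, []).append(t)
    alerts = []
    for acct, history in by_account.items():
        fintech_history = False  # any real (non-micro) fintech activity seen so far
        pending = {}             # originator -> recent micro-credits
        for t in history:
            if not is_fintech(t.originator):
                continue
            if not (Decimal("0") < t.amount <= MICRO_MAX):
                fintech_history = True  # a real transfer: the account already uses fintech apps
                continue
            if fintech_history:
                continue  # verification credits on a seasoned account are expected
            recent = [p for p in pending.get(t.originator, []) if t.posted - p.posted <= PAIR_WINDOW]
            recent.append(t)
            pending[t.originator] = recent
            if len(recent) == 2:  # the classic two-deposit probe on a fintech-naive account
                alerts.append({"account": acct, "originator": t.originator,
                               "amounts": [str(p.amount) for p in recent],
                               "action": "hold the credits and call the customer"})
    return alerts

# Constructed sample statement lines: ACC-1 has never touched a fintech app, ACC-2 has.
D = datetime.fromisoformat
SAMPLE_TXNS = [
    Txn("ACC-1", D("2024-03-01"), Decimal("-52.10"), "GROCERY MART"),
    Txn("ACC-1", D("2024-03-10"), Decimal("0.12"), "PAYPAL VERIFYBANK"),
    Txn("ACC-1", D("2024-03-11"), Decimal("0.05"), "PAYPAL VERIFYBANK"),
    Txn("ACC-2", D("2024-01-15"), Decimal("-45.00"), "VENMO PAYMENT"),
    Txn("ACC-2", D("2024-03-10"), Decimal("0.07"), "COINBASE VERIFY"),
    Txn("ACC-2", D("2024-03-12"), Decimal("0.31"), "COINBASE VERIFY"),
]
```

Running `flag_micro_deposit_probes(SAMPLE_TXNS)` raises one alert for ACC-1 and none for ACC-2, whose earlier Venmo debit marks it as an established fintech user.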
In the upcoming parts, we will continue our deep dive into banking vulnerabilities and Active Defense strategies.
For any questions, feel free to reach out at scottcarrigg@aol.com (yes, really, it’s AOL. No Protons or anonymous burner emails here). I’d be happy to chat.
Thank you for your time. Stay safe.
Scott