> "If some nefarious actor has the users credentials (e.g. username / password) won't they then be able to circumvent both of those checks?"
They would. However, typical ACH fraud entails pulling money using only the routing and account numbers, which can be found on all paper checks; this mechanism prevents that.
They would. However, typical ACH fraud entails pulling money using only the routing and account numbers, which can be found on all paper checks; this mechanism prevents that.