The only two things you need to take money out of an account are the routing number and account number.

There are a lot of checks on top of that which individual banks may or may not implement or care about, but at the end of the day those two numbers get you 99% of the way there. And for an organization the size of PayPal they're really going to be given the benefit of the doubt by banks.

In Australia they technically need a direct debit authority, but PayPal is above the law in Australia so our dispute process is through our local bank. It works, but it's very tedious and the bank will try to push you towards the PayPal dispute process. It's much better not to link it to a bank account at all, use a credit card because that way it's two US corps fighting with each other when there's a problem.

So why aren’t criminals doing this to drain accounts all the time? They traffic in stolen credit cards, why not banking info?

I think that was why Donald Knuth stopped issuing checks for rewards for people finding errors in his books -- people would post images of the checks online to brag about having received them, and then criminals would initiate fraudulent ACH transfers.

Also not sure why that's not more common in comparison to credit card fraud.

Edit: I guess credit card fraud can be easier to cash out (for physical goods or services), while ACH fraud requires mules to act as intermediaries to receive the fraudulent deposits, which might be harder to come by and sustain.

They certainly try. But it's not like there are no protections in place.

The US banking system can be summarized as "withdraw first, ask questions later." The whole system is based around auditing after the fact. If at the end of the day (or week, or month), the numbers don't balance out, a flag is raised, and someone investigates it. And in many cases, there is a waiting period before you can access funds transferred.

Outside the US, people find this whole thing crazy, but that's how it is and it actually works well enough. My understanding is that banks are moving to a more modern system, but it's a slow process given how much is built around the current system.

I'm sure they do, but it might be less common because it takes more effort to launder than credit cards.

There's millions of retailers that accept credit info in exchange for goods and services.

You can't use ACH to buy Wal-Mart gift cards.

they do 100%. back in June i got charged $30,000 by a fake "home depot". I disputed the charge, but that wasn't fun. the cs reps told me it was not through a debit card but via acct+routing number which got leaked somehow.

Because you have to transfer it to another bank, and the banks are actually quite good at tracking and reversing it.

But it does happen; google "check cashing scam" to find how they mule it out.

must be some US thing, because this is literally crazy to think about to allow withdrawal without authorization

might also be a reason why US banks always seem nosy as fuck, calling people about transactions, blocking stuff, etc. instead of just giving the account owner a safe way to perform transfers/authorizations/set limits