Yes! Look up ACH fraud. ACH is such an antiquated system. The only pieces of information that you need to do an ach pull (transfer) is the routing number and account number. Lo and behold, this is the same information that is on every check that you give out.

Edit:

To answer the other part of your question, originating financial institution (ODFI) can issue a chargeback up to 60 days after the money was sent. Unlike credit cards, there isn't a process for the merchant/service provider to refute the dispute.

So, the bank account owner can dispute the ACH transfer with their bank a month and a half later and it pretty much assured that they'll get their money back. Their bank isn't going to fight their own customer for it.

This information from my landlord is written into my lease agreement on my home. Every month I use his routing and account number to pay rent. I cringed when I read about ACH fraud.

It's also on the bottom of every check that anyone has written to you. It's a poor secret.

One bank I worked with essentially had two separate routing numbers - one for the checks vs one for ACH along with separate check and ACH/wire accounts for their corporate customers.

So, if I receive an ACH payment on a contract, I'm at risk of my bank pulling the funds from my account for 60 days?!

There are a few factors involved. If this is your personal checking account you're almost (lol) 100% safe.

If this is a merchant account which it needs to be if you're pulling from other ppl's accounts then yes. Hence the very strict consent rules. At the end of the day there's no guarantee of course but if it comes to litigation a recorded message with a verbal approval might tip the scale in your favor. Most merchants don't bother of course and just write this off as a cost of doing business and recoup the funds by factoring fraud costs into their prices.