The only reason you do want to keep your account details secret is that people can set up direct debits on your account. This happened to Jeremy Clarkson after he posted his account number and sort code in a newspaper column and challenged people to take some money [0].
Indeed. SEPA direct debit is disabled by default on Finnish bank accounts (*), I believe for exactly this reason (and because no service here actually uses it).
Instead we use an e-invoice system that requires explicit signup from the user with their bank, usually via the bank web service.
(*) I checked OP and Nordea. I guess it could be enabled on some other banks but it is hard to find information about this service.
The linked BBC article says the victim hinted at how the public could find his address, so someone who knew how the system works called Clarkson's bluff with a £500 monthly debit to a UK charity.
Apparently, the UK system was designed to support push and pull transfer modes.
At least with a direct debit, my bank has a list of companies authorized to pull money from my account (they are all supposed to have a signed direct debit agreement on file) and I can revoke from my bank's website. Is there something similar in the US?
With my bank (known for its great service) you can call to place an ACH freeze, but you have to know the vendor's identification or rough amount, but you may end up with collateral damage (stopping a payment you do want to go through).
Or a dodgy enough place willing to look the other way when setting up the direct debit, because at least as of 9 years ago it was possible to do so when I was selling mobile contracts. Some would do so, and one of those is in jail now; so I guess it's not worth it, but the "validation" definitely wasn't foolproof then.
[0] http://news.bbc.co.uk/1/hi/entertainment/7174760.stm