In the US, all you need for an ACH transfer is the account number and bank's routing number (which is public info). If the transfer is unauthorized you should be able to get it reversed, but it's still pretty bad.
It's a decades-old system originally built on the assumption of trusted participants. It still uses nightly batch jobs to process transfers. Various hacks have been applied to improve it (banks require you to demonstrate some level of trustworthiness before they give you access to make ACH transfers) but that can only do so much.
This is part of the reason why Donald Knuth stopped sending out his reward checks and instead sends a certificate from the fictional Bank of San Serriffe. People were posting pictures of their reward checks, because getting one is pretty cool, which resulted in his account number being published.
