How to Build A Bank Account Firewall

Years ago, if you wanted to send money to someone online, you used Paypal.

Years ago, if you wanted to hack a system to steal money online, you tried to hack Paypal.

Nowadays, you have a lot of payment processors, a lot of money transfer systems, but the attacks and the phishing never stops.

I'm pretty savvy when it comes to phishing emails, those emails that trick you into logging into a fake site, but I try to set up systems as a backup to my vigilance. No one is 100%.

So today, I want to share a straightforward concept you can use today – it's called a firewall bank account.

What is a Firewall Bank Account?

In IT, a firewall is a system that monitors incoming network traffic for nefarious activity. A firewall in construction is a wall that inhibits or prevents the spread of a fire.

In our case, a firewall prevents the spread of a financial breach.

A firewall bank account is an account that sits between your primary bank account and any potentially insecure accounts.

Take a look at my financial map:

Paypal is connected to a Capital One 360 account, which is connected to my Ally account. My Ally Bank account is my main account, the Capital One 360 account is my firewall bank account.

(the arrows indicate who can initiate a transfer, so my Ally account can transfer to and from Capital One 360 but my Capital One 360 can't initiate anything with my Ally account)

Specifically, it goes to a checking account at Capital One 360, a checking account with just $1.

My Capital One 360 account is my firewall.

If someone gets access to my Paypal account, it can only transfer funds from a Capital One 360 account. That account only has a dollar in it so if someone tries to transfer more, it'll fail.

Why Capital One 360? You can use any bank account but I use them because it takes only a few minutes to open (and close) sub-accounts with their account number and has a minimum of $1. It's a feature that first started with ING Direct and I've never felt a need to change. You can use any account as a firewall though.

It Protects Against Accidents Too

Let me share this Reddit thread that started on April 16th, 2020:

The gist is that u/thaipedo had $7,000 withdrawn from his account by the IRS, except he didn't owe the IRS anything. He was due a refund!

It's not clear what happened but it looks like there was an error and he can't get someone on the phone because the IRS is currently processing all the stimulus check payments! He will get his money back eventually but who can stand losing $7,000, especially at a time like this, and still be solvent?

People make mistakes all the time and a firewall would prevent this too.

I Keep My Spoke Accounts Ignorant

If my Ally Bank account is the hub, the other bank accounts (like Capital One 360) are spokes.

My Ally Bank account can initiate transfers to and from my spoke accounts, but my spoke accounts can't. They don't even know about the Ally account.

For example, if you were to get login access to our Bank of America account, you would not be able to transfer money from to or from another account. It has no idea we have accounts anywhere else and that's by design.

Ignorance is bliss!

How to Set This Up Yourself

You can do this as part of drawing your financial map. As you log into each of your accounts, keep track of who can initiate activity and in which direction. Then start deleting the things you don't want and adding the things you do.

You will want:

  • Primary Bank Account: This holds most of your free cash, it should have connections to all other accounts.
  • Secondary Bank Account(s): This holds a minimum of what you need for whatever purpose it is, it should have no conenctions to other accounts.
  • Firewall Bank Account: This should be a secondary bank account with the minimum and links to non-bank institutions.

While you're at it, close any secondary bank account that doesn't serve a purpose and set up a secure email address for the account.

(by the way, this works with any account you want outside of your “firewall,” including these great alternatives to PayPal)

Simplifying your financial life is very liberating.

Other Posts You May Enjoy:

How to Get Free Money on the Cash App

There are a few legit ways to get free money on the Cash App. In fact, you can earn $5 by signing up with our new user referral code, ZBJVLJJ, and sending at least $5 to a friend. You can also earn debit card shopping boosts and enter social media giveaways.

Best Credit Repair Software for 2021: Consumer and Business

Credit repair software can help you correct errors on your credit report, assist with creditors, and provide education that will allow you to improve your credit as quickly as possible. Repairing damaged credit can be stressful and expensive. Investing in credit repair software can provide the help you need to clean up your report.

If You Don’t Understand the FIRE Movement, Read This

Not everyone wants to make the sacrifices it takes to save enough to retire "early," whatever that means to them, and that's totally OK. I think there are a lot of great takeaways from the FIRE movement even if you don't want to retire early, or be extremely frugal, or anything else that you find unappealing about it.

About Jim Wang

Jim Wang is a thirty-something father of four who is a frequent contributor to Forbes and Vanguard's Blog. He has also been fortunate to have appeared in the New York Times, Baltimore Sun, Entrepreneur, and Marketplace Money.

Jim has a B.S. in Computer Science and Economics from Carnegie Mellon University, an M.S. in Information Technology - Software Engineering from Carnegie Mellon University, as well as a Masters in Business Administration from Johns Hopkins University. His approach to personal finance is that of an engineer, breaking down complex subjects into bite-sized easily understood concepts that you can use in your daily life.

One of his favorite tools (here's my treasure chest of tools,, everything I use) is Personal Capital, which enables him to manage his finances in just 15-minutes each month. They also offer financial planning, such as a Retirement Planning Tool that can tell you if you're on track to retire when you want. It's free.

He is also diversifying his investment portfolio by adding a little bit of real estate. But not rental homes, because he doesn't want a second job, it's diversified small investments in a few commercial properties and farms in Illinois, Louisiana, and California through AcreTrader.

Recently, he's invested in a few pieces of art on Masterworks too.

Reader Interactions

Leave a Comment:


About the comments on this site:

These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

  1. David says

    So when you want to transfer money that you receive from Paypal to your Ally account, it goes to your Capital One 360 main account, which you transfer to the sub account, which you then transfer to the Ally account?

    And is the reverse true if you need to send money from Ally to Paypal? Thanks!

    • Jim Wang says

      It goes from Paypal to my CapitalOne360 sub-account, then to my CapitalOne360 main, then to Ally. Realistically, it usually just sits in my CapitalOne360 main (similar interest rates) and I transfer to Ally in bigger chunks or back to the sub-account when I need to pay a friend via Paypal.

      • David says

        Also, does this scenario work because Ally has better online security compared to Capital One? If not, what if Ally gets hacked? Wouldn’t you regret leaving the majority of your money with them? Thanks!

  2. The White Coat Investor says

    I’m lost. Where does the BOA account fit in?

    I get the firewall account.

    I’m not sure exactly what you’re saying about keeping other accounts ignorant. Are you saying that Vanguard doesn’t pull money from Ally, Ally pushes it to Vanguard? If so, what’s the point of a firewall account between Paypal and Ally when you don’t have one between Ally and your bills or Ally and Vanguard etc.

    • Jim Wang says

      BOA isn’t on that map, the map isn’t 100% complete (just an example based on a subset of my own accounts). If it were put on there, it’s a spoke with an arrow to Ally in the hub.

      The firewall is there to protect against potentially less secure accounts, I don’t see Vanguard as a less secure account. Nor do I consider bills or other banks as less secure. Paypal, Dwolla, Venmo, and other payment systems are the ones I like to have firewalled. In fact, my Vanguard has way more money in it than my bank. 🙂

      • Leo says

        If I’m reading some of your other articles correctly, the BoA account is former hub checking account that you’ve kept around in case you need access to services at a physical branch (e.g. depositing cash, notary, medallion), correct?

        I did have a similar question regarding your arrows on the diagram. You mentioned that you keep your spoke accounts ignorant of the hub. That would make Vanguard a spoke, but the arrows indicate it can pull money from your Ally account. That means it couldn’t be ignorant of the hub, correct? (I get why you don’t need a firewall there.)

        I had a similar question with the bills. Are they pulling straight from your checking account? I’ve always been a little gun shy about that for the very reason indicated by your poor stimulus “recipient.” If my bank’s bill payment system screws up, then hopefully they’ll be faster to fix the glitch than dealing with, say, Big Cable.

        I’ve really enjoyed reading through your articles. I’m on a similar simplification-and-organization kick lately after dealing with the multitude of accounts and assets my parents left behind.

        • Jim Wang says

          Yes, it used to be my hub before moving to Ally Bank.

          You are correct about Vanguard knowing about Ally, yes that arrow should’ve gone both ways.

          Almost every bill is paid by credit card and those are paid from my bank account. The only exception is utilities.

          I’m glad you’re enjoying the articles, if you ever have any questions or just want to say hi, I love getting email! 🙂

  3. Jennifer says

    Great article! Instead of allowing Paypal (or others mentioned here) to have my bank log in, I take the delay in getting money (3-5 days). Your method is definitely more efficient. If I used Paypal more, I would definitely consider setting it up with way you did.

  4. Mighty Investor says

    I just found your site today. Great stuff!

    One question. The supposition behind this article is that funds you have deposited at PayPal are less secure than at other banks. Can you explain how you came to that conclusion?


    Tom (aka Mighty Investor)

    • Jim Wang says

      My history with PayPal spans over a decade, even before they were acquired by eBay in the early 2000s, and back then they weren’t as secure as they are now. Today, I have no concerns with PayPal itself but there are plenty of payment platforms out there and they all have some risk associated with them (they could be compromised, I could be phished, things of that nature) and so the firewall strategy has persisted.

      And it’s not that the funds are PayPal are insecure, it’s that my account could be compromised and I don’t want thieves to be able to transfer funds out of my regular checking account.

      As a business owner, I’ve heard of horror stories of other business owners had their accounts frozen for one reason or another. I’m not worried about that either because I don’t sell anything (and thus do not collect payments), but that would be a huge cashflow headache for a small business.

  5. Brian Hart says

    My wife and I just made a similar setup with small difference. We just opened both Ally checking and savings accounts and have our income going there and only Ally can initiate any transfers. We had been using Capital One 360 as our main account. Since it’s already linked to Paypal and the account info is already everywhere from our online purchases, in-store card purchases and added to our utilities and other bills sites. For any bills and other purchases we’ll transfer the money ahead of time into our 360 account. Since our Ally account is new and the info isn’t spread everywhere, should our 360 account be a part of any breaches or hacks our incoming money and savings are safe. We wont be without access to our money while things are fixed. We also just setup an account with Chime that we could switch with our 360 if needed to keep our Ally info safe. Just like 360 it’s linked to Paypal but only Ally can initiate any transfers.

  6. Chris says

    What happens if your Ally account gets breached and because you can only initiate transfers from Ally, aren’t you screwed out of your main money account and out of your secondaries because they are tied to it?

  7. Herman says

    I assume this strategy does not protect you from carelessness such as disclosing your online banking passwords to a stranger or accessing online banking over unsecure wifi network in public area.

    • Jim Wang says

      If you do that with Paypal and it’s only linked to a firewalled bank account, then you would be safe. But if you disclose your online banking password, it doesn’t much matter about the firewall if they get right into your accounts!

  8. TomballBob says

    Thanks, this is good stuff for someone who used PayPal etc., as I used to. If I ever started to sell on E Bay (or similar) again, I would use something like PayPal and this will be an awesome strategy.

    Currently, my method (partly since I don’t have much need for PayPal and similar) is to used dedicate debit cards that never have much money in them. I load them up with $100 to $200 and then use them for online or in-person payments when I don’t want to trust them with my regular credit cards. I can add $ to them quickly from my bank and then spend those $ within minutes.

    • Jim Wang says

      If you don’t use PayPal a lot, your way is great because then they don’t even get any banking credentials and your credit cards are safe. This is arguably a very small probability event but it never hurts to be proactive.

  9. Kathleen Stringfield says

    All very interesting. Especially since I’ve been through the same ING-CapitalOne-Ally journey. Loving Ally. About to check out their new Investment service.

    I keep most of my working funds in an Ally Savings account with one or two monthly transfers to cover bill payment out of the Ally Checking. Though as I write that, I realize that I have overdraft feature so if I encountered the IRS issue noted above, there would be a transfer to cover it. Need to fix that.

    1. So how do mobile banking apps on your phone fit into your banking security picture?
    2. You noted that almost all bills are paid with a credit card. Isn’t there extra fee for that?
    3. Do you really need the two accounts at Capital360 or is that just a legacy? Can’t the firewall be just one account at a separate bank?

    • Jim Wang says

      1. I use them normally.
      2. Nope, some bills are paid with billpay though (like our utility bills).
      3. It’s legacy, I’ve always used the Capital One account as a firewall and never felt a desire to change things.

See More Comments

As Seen In: