tietjens 3 days ago

Instant free bank transfers by IBAN.

In comparison with how tightly-guarded personal email addresses are protected (GDPR, etc.), it's shocking how common it is to freely give out your IBAN.

rkomorn 3 days ago

It helps that, to be able to use an IBAN for withdrawals, you basically have to "sign" a recurring transfer agreement. Otherwise it's pretty much always a "push" transaction from buyer to seller.

Better than being able to commit ACH fraud merely by virtue of having the bank's routing and account number.

Side note: shout out to both MB Way and Multibanco payments in Portugal that have made it so I haven't had to give payment information to an online vendor in years.

Nextgrid 3 days ago

But there is no cryptography or any kind of identity verification involved in "signing" such an agreement. If I know your IBAN I can subscribe to such an agreement on your behalf.

I'm not sure about Europe, but at least in the UK, what makes such a system secure is that the account holder can reverse any "pull" transaction for over a month, with the merchant being on the hook. So it reduces the incentive to exploit it (or at least shifts the risk off the account holder), to a level where it's pretty much never done.

rkomorn 3 days ago

I don't have any experience with making fraudulent transactions, but I at least had to prove who I was when signing up for recurring transactions (so the fraud would've been effectively in my name), and I also see all my authorizations in my bank app (and I can remove them at any time).

In the US, I'd be more worried about a one-time fraudulent ACH withdrawal than a recurring payment situation.

I don't see a similar risk here. It seems like there are more hoops to go through to make a pull transaction?

Nextgrid 3 days ago

I pay for several services via SEPA direct debit and the only things I had to provide to sign up were an IBAN and a pinky-promise I was the account holder. As far as I know they have no way to correlate the identity information on the provider account to the bank account holder’s, so it should work in case of fraud too. This lines up with how UK direct debits work as well, where a “sort code” (bank identifier) and account number are enough.

I presume the only security there is arises from the fact that those transactions can be reversed by the account holder within a generous grace period, and that this method of payment is only ever used to pay for long-standing services where there’s a strong paper trail to the beneficiary of said service (so not much point in doing the fraud to begin with).

rkomorn 3 days ago

That sounds right.

IME, though, the whole authorization system I've had to use with SEPA and IBANs feels more secure, and I've had no misgivings about using it to transfer or receive money.

By comparison, using ACH to transfer funds between accounts is usually bidirectional in bank apps, so if you give me your account info so I can send you money, I can also use that same info to withdraw money.

That means I'd never send you my routing and account number even if the original purpose is for you to send me money.

tpm 3 days ago

Why is that shocking? You can't really do anything with my bank account's IBAN unless you want to send me some money.

rkomorn 3 days ago

It is shocking because ACH fraud in the US is shockingly easy to commit if you have the equivalent to someone's IBAN (ie routing + account number).

Nextgrid 3 days ago

Can ACH not be reversed? My understanding is that the European systems are just as vulnerable, but what makes them "secure" is that they can be reversed no-questions-asked, making such an attack pointless unless you know the account holder isn't going to notice it for months.

rkomorn 3 days ago

Not sure what you mean by "reversed". You have 60 days to tell your bank the transaction wasn't authorized, iirc, and you should get reimbursed. It might just be a hassle and it likely wouldn't be quick.

I've only had to deal with credit card fraud in the US and it was easy enough.

I did have a restaurant accidentally charge me $983 instead of $98.30 on a debit card for a meal during a holiday and, even though they immediately voided it, that still ended up basically blocking almost $1000 for several days. I can't imagine reversing an ACH transaction would be faster.

Overall I have no huge complaints about banking in the US. I just find it better in Europe so far, particularly sending money with IBANs.

tpm 3 days ago

No, European systems are not vulnerable like this. You can't do anything given my IBAN etc., you would need access to my banking app or website plus whatever 2fa I have set up there to send money from my account. And SEPA transfers can't be reversed easily AFAIK.

tpm 3 days ago

Never mind individuals, but how are businesses sending money to each other then? Would it not be much cheaper to use a system like SEPA/IBAN too?

rkomorn 3 days ago

I don't actually know how B2B works, first hand.

As a consumer, though, the way things work in Europe (at least where I live) just makes more sense to me than what I experienced in the US.

equinox_nl 3 days ago

Not sure if I understand correctly, but are you saying that IBAN leaks personal information?