On 11/30/2014 11:12 AM, Federico Leva (Nemo) wrote:
Anyway, please inform the European Central Bank of your findings, I'm
sure they'll be interested in hearing them. Currently their website
seems unaware of such fraud possibilities and contains statements such
as «Sensitive data payment: Data which could be used to carry out
fraud, excluding the name of the account owner and the account number».
<https://www.ecb.europa.eu/pub/pdf/other/pubconsultationoutcome201405securitypaymentaccountaccessservicesen.pdf>
I'm not sure why you would conclude they are unaware of a possible form
for fraud just because they don't specifically identify it on their
website. At any rate, I suspect you may be misunderstanding the
definition of "sensitive payment data" (the actual term from the linked
document, which was somehow transposed above).
To my reading, that looks like an attempt to create a precise technical
definition for the purposes of the report, so that whenever the term was
used it would always mean the same thing. I don't think it's claiming
that the name of the account owner and the account number are not in the
larger class of "data which could be used to carry out fraud". Rather,
because these are nearly essential to transactions being possible at
all, I believe the language is attempting to exclude them from the
restrictions that the report recommends for all other data which meets
the definition of "sensitive payment data".
--Michael Snow