Ummm. We have all kinds of ways for people to donate, and the process for transferring is pretty clear. Having been in a situation where I had to make bank transfers, I felt honestly like I was handing over the keys to the kingdom just for the right to pay someone money: far more personal information was required than is needed for any other means of payment that I've ever used. Banks in Canada regularly call their customers for transactions under $5 because fraud is so common - and that is with chip cards and PINs.
Risker
On 1 December 2014 at 00:08, Gerard Meijssen gerard.meijssen@gmail.com wrote:
Hoi, IMHO we need to advertise how people can transfer money to us. It requires an account number. Now if the USA is not able to accommodate this, FINE, let us do it in Europe at least..
WHAT AM I MISSING HERE ? Thanks, GerardM
On 1 December 2014 at 03:38, Michael Snow wikipedia@frontier.com wrote:
On 11/30/2014 1:14 PM, Gerard Meijssen wrote:
Hoi, An IBAN number is NOT a credit card ... You need a ping number in combination with some smart card functionality in order to make it
work..
The combination generates a number that is always different..
You seem to have misunderstood the scenario I laid out. I'm not talking about people using the IBAN to steal money out of a Wikimedia account, I depend on the bank to have security robust enough to prevent that. The scenario I'm discussing involves people using the IBAN to fraudulently
pay
money to Wikimedia from someone else's account, such as a credit card.
That
account does not necessarily have an IBAN or chip-and-pin security, and
at
any rate whatever security it has was already breached. The payment would just be a method for the fraudsters to verify the success of the breach. The result would be added costs to Wikimedia and to the financial institutions involved, in order to identify and reverse the fraudulent transactions.
To respond to some of the other questions raised about my scenario:
This was a risk scenario I presented to answer the question, "How can posting a bank account number lead to fraud?" It may or may not have
been a
factor in the decision to not publicly post the IBAN, I don't know.
I'm also not suggesting that this scenario is unique to IBAN, it could affect any type of account number that accepts payments (for example, accounts you might have for various utility services, such as water, electricity, telephone, or internet). It's also possible thru PayPal, of course, and that's the reason for having a $1 minimum donation
requirement,
among other protections. I don't know if there are difficulties with establishing comparable security around the IBAN, or if it's more a
matter
of a cost-benefit analysis indicating that it's worth the resources to
deal
with this for donations via Wikimedia's online payment form, but not for donations directly to Wikimedia's bank account.
Also, I'm no expert on EU regulations, but I do observe that according to the European Payments Council, it seems payees receiving SEPA credit transfers are advised to communicate the IBAN "only where necessary": http://www.europeanpaymentscouncil.eu/index.cfm/sepa-credit- transfer/iban-and-bic/ (and likewise for payers making direct debit payments). It may simply be that the fundraising team has been advised
that
this is more consistent with providing the IBAN upon request, rather than posting it on the website. Not to disparage what may be common practice
at
other organizations, but that does seem like a natural conclusion to draw from that guidance.
--Michael Snow
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe