Ummm. We have all kinds of ways for people to donate, and the process for
transferring is pretty clear. Having been in a situation where I had to
make bank transfers, I felt honestly like I was handing over the keys to
the kingdom just for the right to pay someone money: far more personal
information was required than is needed for any other means of payment that
I've ever used. Banks in Canada regularly call their customers for
transactions under $5 because fraud is so common - and that is with chip
cards and PINs.
Risker
On 1 December 2014 at 00:08, Gerard Meijssen <gerard.meijssen(a)gmail.com>
wrote:
Hoi,
IMHO we need to advertise how people can transfer money to us. It requires
an account number. Now if the USA is not able to accommodate this, FINE,
let us do it in Europe at least..
WHAT AM I MISSING HERE ?
Thanks,
GerardM
On 1 December 2014 at 03:38, Michael Snow <wikipedia(a)frontier.com> wrote:
On 11/30/2014 1:14 PM, Gerard Meijssen wrote:
> Hoi,
> An IBAN number is NOT a credit card ... You need a ping number in
> combination with some smart card functionality in order to make it
work..
The
combination generates a number that is always different..
You seem to have misunderstood the scenario I laid out. I'm not talking
about people using the IBAN to steal money out of a Wikimedia account, I
depend on the bank to have security robust enough to prevent that. The
scenario I'm discussing involves people using the IBAN to fraudulently
pay
money to Wikimedia from someone else's
account, such as a credit card.
That
account does not necessarily have an IBAN or
chip-and-pin security, and
at
any rate whatever security it has was already
breached. The payment would
just be a method for the fraudsters to verify the success of the breach.
The result would be added costs to Wikimedia and to the financial
institutions involved, in order to identify and reverse the fraudulent
transactions.
To respond to some of the other questions raised about my scenario:
This was a risk scenario I presented to answer the question, "How can
posting a bank account number lead to fraud?" It may or may not have
been a
factor in the decision to not publicly post the
IBAN, I don't know.
I'm also not suggesting that this scenario is unique to IBAN, it could
affect any type of account number that accepts payments (for example,
accounts you might have for various utility services, such as water,
electricity, telephone, or internet). It's also possible thru PayPal, of
course, and that's the reason for having a $1 minimum donation
requirement,
among other protections. I don't know if
there are difficulties with
establishing comparable security around the IBAN, or if it's more a
matter
of a cost-benefit analysis indicating that
it's worth the resources to
deal
with this for donations via Wikimedia's
online payment form, but not for
donations directly to Wikimedia's bank account.
Also, I'm no expert on EU regulations, but I do observe that according to
the European Payments Council, it seems payees receiving SEPA credit
transfers are advised to communicate the IBAN "only where necessary":
http://www.europeanpaymentscouncil.eu/index.cfm/sepa-credit-
transfer/iban-and-bic/ (and likewise for payers making direct debit
payments). It may simply be that the fundraising team has been advised
that
this is more consistent with providing the IBAN
upon request, rather than
posting it on the website. Not to disparage what may be common practice
at
other organizations, but that does seem like a
natural conclusion to draw
from that guidance.
--Michael Snow
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/
wiki/Mailing_lists/Guidelines
Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>