On 11/30/2014 1:14 PM, Gerard Meijssen wrote:
Hoi, An IBAN number is NOT a credit card ... You need a PIN in combination with some smart card functionality in order to make it work. The combination generates a number that is always different.
You seem to have misunderstood the scenario I laid out. I'm not talking about people using the IBAN to steal money out of a Wikimedia account, I depend on the bank to have security robust enough to prevent that. The scenario I'm discussing involves people using the IBAN to fraudulently pay money to Wikimedia from someone else's account, such as a credit card. That account does not necessarily have an IBAN or chip-and-pin security, and at any rate whatever security it has was already breached. The payment would just be a method for the fraudsters to verify the success of the breach. The result would be added costs to Wikimedia and to the financial institutions involved, in order to identify and reverse the fraudulent transactions.
To respond to some of the other questions raised about my scenario:
This was a risk scenario I presented to answer the question, "How can posting a bank account number lead to fraud?" It may or may not have been a factor in the decision to not publicly post the IBAN, I don't know.
I'm also not suggesting that this scenario is unique to IBAN, it could affect any type of account number that accepts payments (for example, accounts you might have for various utility services, such as water, electricity, telephone, or internet). It's also possible through PayPal, of course, and that's the reason for having a $1 minimum donation requirement, among other protections. I don't know if there are difficulties with establishing comparable security around the IBAN, or if it's more a matter of a cost-benefit analysis indicating that it's worth the resources to deal with this for donations via Wikimedia's online payment form, but not for donations directly to Wikimedia's bank account.
Also, I'm no expert on EU regulations, but I do observe that according to the European Payments Council, it seems payees receiving SEPA credit transfers are advised to communicate the IBAN "only where necessary": http://www.europeanpaymentscouncil.eu/index.cfm/sepa-credit-transfer/iban-an... (and likewise for payers making direct debit payments). It may simply be that the fundraising team has been advised that this is more consistent with providing the IBAN upon request, rather than posting it on the website. Not to disparage what may be common practice at other organizations, but that does seem like a natural conclusion to draw from that guidance.
--Michael Snow
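The pattern Michael describes, small payments used by a fraudster to confirm that a stolen payment instrument still works, with a minimum donation amount as one countermeasure, is usually called card testing. The following is an added example, not code from this thread or from Wikimedia's payment system, showing the two checks a payment form would typically run: a minimum-amount rule and a velocity rule that flags many distinct instruments used from one source address within a short window. The record format, the thresholds, and the sample donations are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): ISO timestamp, amount in
# integer cents (avoids float rounding), a tokenised instrument id, source IP.
# The first five rows mimic a card-testing run: tiny amounts, many different
# cards, one IP, a few seconds apart.
SAMPLE_DONATIONS = [
    ("2014-11-30T13:00:00", 10, "card_a1", "203.0.113.5"),
    ("2014-11-30T13:00:07", 10, "card_a2", "203.0.113.5"),
    ("2014-11-30T13:00:15", 10, "card_a3", "203.0.113.5"),
    ("2014-11-30T13:00:21", 10, "card_a4", "203.0.113.5"),
    ("2014-11-30T13:00:30", 10, "card_a5", "203.0.113.5"),
    ("2014-11-30T13:05:00", 2500, "card_b1", "198.51.100.7"),
    ("2014-11-30T13:30:00", 100, "card_c1", "198.51.100.9"),
    ("2014-11-30T14:00:00", 100, "card_c1", "198.51.100.9"),
]

# Assumed thresholds: $1.00 minimum, at most 3 distinct instruments per IP
# in any 10-minute window. Real values would be tuned to the donor base.
MIN_AMOUNT_CENTS = 100
WINDOW = timedelta(minutes=10)
MAX_INSTRUMENTS_PER_IP = 3


def below_minimum(amount_cents, minimum=MIN_AMOUNT_CENTS):
    """Minimum-amount rule: reject payments too small to be worth a real donor's
    effort but ideal for probing whether a stolen card is live."""
    return amount_cents < minimum


def flag_card_testing(records, minimum=MIN_AMOUNT_CENTS, window=WINDOW,
                      max_instruments=MAX_INSTRUMENTS_PER_IP):
    """Return a list of (reason, record) pairs for suspicious donations.

    Records are processed in order, as a payment form would see them. The
    velocity rule keeps, per source IP, the instruments seen inside the sliding
    window and fires once more than `max_instruments` distinct ones appear.
    """
    flagged = []
    seen_by_ip = defaultdict(list)  # ip -> [(timestamp, instrument), ...]
    for record in records:
        ts_str, amount_cents, instrument, ip = record
        ts = datetime.fromisoformat(ts_str)

        if below_minimum(amount_cents, minimum):
            flagged.append(("below_minimum", record))

        # Drop entries that have aged out of the window, then add this one.
        recent = [(t, i) for t, i in seen_by_ip[ip] if ts - t <= window]
        recent.append((ts, instrument))
        seen_by_ip[ip] = recent

        distinct_instruments = {i for _, i in recent}
        if len(distinct_instruments) > max_instruments:
            flagged.append(("velocity", record))
    return flagged


def summarize(flags):
    """Count flags by reason, e.g. {'below_minimum': 5, 'velocity': 2}."""
    counts = defaultdict(int)
    for reason, _ in flags:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for reason, record in flag_card_testing(SAMPLE_DONATIONS):
        print(f"{reason:14s} {record}")
    print(summarize(flag_card_testing(SAMPLE_DONATIONS)))
```

Note that the two rules catch different things: the minimum-amount rule stops the cheapest probes outright, while the velocity rule catches a tester who has adapted by sending exactly the minimum. The repeat $1.00 donations from `card_c1` are not flagged, because one instrument reused from one address is what a legitimate recurring donor looks like.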