
I had a situation where Amazon couldn't bill my bank account, so they blocked logging in.

I verified with just name and address to a customer service rep and asked for the steps I'd have to take to unlock it again, and they told me that (a) the transaction failed, (b) they told me my IBAN. In plaintext. The full IBAN. (c) And then they told me the steps to fix it (wire them the money that I owed them, plus 6 EUR. Standard procedure in Germany).

In the end, everything worked again, but the fact that they gave out my IBAN, enough info for anyone to go and pull money from my account, is making me so angry.



Could you tell me how knowing an IBAN enables someone to take money from your account? As far as I understand, the only thing that can happen with an IBAN is to receive money.

Maybe you're thinking of the credit card number? The CCs I had had a different CC number and IBAN account.


SEPA direct debit allows you to pull money via IBAN (+ BIC, depending on the countries involved in the transaction).

Specifics vary from country to country. Some require active approval from the customer (IIRC France, probably more), others "just work".

Fraud is not as common, since bank accounts that are allowed to debit money this way are generally only available to companies who have to sign paperwork ensuring that they have written permission from each debtor. Additionally, although this might be country-specific as well, chargebacks can be initiated without providing any reason for at least 8 weeks, and in case of a fraudulent transaction, up to 13 months.


Thanks, didn't know about that. Sounds like it's a very specific type of account, and most default accounts with an IBAN don't have this possibility.


No, anyone’s account can be debited from, but only specific accounts can be debited to.

I can’t pull money from your account, even if you tell me your IBAN.

But I can use your IBAN to order from amazon, and then amazon can just pull however much they want from your account.

Luckily chargeback with direct debit works just as fast as with credit cards.


Thanks! That's something new that I hadn't heard before. For interested parties, it seems [0] has some information. I need to check with my bank then to see how it works in my country.

[0] https://gocardless.com/guides/sepa/introduction/


Germany just works.


If you call a bank or another entity that has your bank information on record, claim to be someone specific, can answer basic questions and know the full IBAN, perhaps they'll believe you are who you claim to be. This is social engineering, and it works.


I think the parent specifically mentioned that just the IBAN is enough, which sounded very improbable to me. Another comment explained that it's possible, but only with very specific accounts.


How would you pull money from an account by knowing just the IBAN? That's just the public address of your bank account and can be used to give you money, but you need all kinds of authentication to actually get money out of that account.


SEPA Direct Debit, or "Elektronisches Lastschriftverfahren".

You can go to amazon, give them your IBAN, and buy things, and they’ll use direct debit to get the money from the account specified by the IBAN, no further authentication necessary.

Obviously, you can do chargebacks, but this is still something they shouldn’t publish.
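The two comments above (the one on SEPA direct debit and its 8-week / 13-month chargeback windows, and this one on buying with nothing but an IBAN) describe the same mechanism. The block below is an added worked example, not code from anyone in the thread: it shows the ISO 13616 mod-97 check that makes an IBAN a self-validating identifier (so a leaked one can be confirmed real before it is put on a mandate), a masked form a support rep could read back instead of the full number, and the SEPA Core Direct Debit refund windows as stated in the thread. The IBANs are the published example values, not real accounts; the dates are constructed.

```python
"""Added example: IBAN check digits, safe disclosure, and SEPA DD refund windows.

Not code from the original post. The refund rules encoded here are the ones
quoted in the thread (8 weeks no-questions-asked, 13 months for an
unauthorised collection); sample IBANs are the well-known published examples.
"""
import calendar
import re
from datetime import date, timedelta

# Constructed sample IBANs (published test values, not real accounts)
SAMPLE_DE = "DE89 3704 0044 0532 0130 00"
SAMPLE_GB = "GB82 WEST 1234 5698 7654 32"


def normalize_iban(iban: str) -> str:
    """Strip spaces and upper-case, as banks do before checking."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the integer must be 1 mod 97."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    remainder = 0
    for ch in rearranged:
        # int(ch, 36) maps '0'-'9' to 0-9 and 'A'-'Z' to 10-35
        for digit in str(int(ch, 36)):
            remainder = (remainder * 10 + int(digit)) % 97
    return remainder == 1


def mask_iban(iban: str) -> str:
    """What a rep can read back: country code and last four characters only."""
    s = normalize_iban(iban)
    return s[:2] + "*" * (len(s) - 6) + s[-4:]


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def refund_status(debit_date: date, claim_date: date, authorised: bool) -> str:
    """Classify a SEPA Core Direct Debit refund request by the thread's rules.

    Within 8 weeks of the debit the payer may reverse it without giving a
    reason. Beyond that, only an unauthorised (fraudulent) collection can
    still be disputed, up to 13 months after the debit date.
    """
    if claim_date < debit_date:
        return "invalid"
    if claim_date <= debit_date + timedelta(weeks=8):
        return "no-questions-asked"
    if not authorised and claim_date <= _add_months(debit_date, 13):
        return "unauthorised-claim"
    return "outside-window"


if __name__ == "__main__":
    for sample in (SAMPLE_DE, SAMPLE_GB):
        print(mask_iban(sample), "valid" if iban_is_valid(sample) else "invalid")
    debit = date(2019, 1, 10)
    print(refund_status(debit, date(2019, 3, 1), authorised=True))
    print(refund_status(debit, date(2019, 6, 1), authorised=False))
```

Note that `iban_is_valid` only proves the string is a well-formed account identifier; it says nothing about whether a mandate exists, which is exactly why disclosing the full IBAN matters: the identifier itself carries no secret, so the only controls left are the creditor's paperwork and the payer's refund window.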



