Still, it means they had to spend some time to prepare for this specific person.
Aside - here in Europe, account numbers, including the bank code, are pretty much public information. Something like an e-mail address. After all, you can only send something in there. To withdraw, you need login credentials.
Unfortunately, that's no longer true; with the SEPA Direct Debit system, money can be taken from an account with just the person's name, address, IBAN and BIC (the info required to fill an "SDD mandate"). I think there are some verifications you need to pass to be able to create direct debits, but it still seems like a move in the wrong direction, in my opinion.
I hope it's not possible anymore. At least my current bank lets you authorize direct debit in the internet banking app. Anything you do in person requires either logging in to the internet banking account at the branch or presenting an ID.
As far as I know, to set up a periodic SEPA transfer - at least here in SVK (EU) - you need to do it in person (although more and more banks are starting to allow this through their web/phone app).
E.g. issuing a SEPA for my monthly ISP subscription, I put into the system that 1) from this account 2) this amount of money 3) to this exact account 4) with these additional details/comments/etc...
and if it fails for whatever reason - in my case mostly because once in a while, the amount that should be withdrawn for that month is more than the pre-set money
- the payment gets withheld at my bank / simply fails;
- the other side contacts me via phone/mail/... that there was a failure (which I can check on my bank account, so "kinda-phishing-safe");
the other side is still able to withdraw only that specific amount once in a period (most likely a month), and if anything is amiss, the payment simply fails