
To deposit money into your account, some websites require that you provide them with a lot of details about your bank account: name, complete address and IBAN, which includes your account number and identifies the exact bank.

Can a skilled cracker use this information to steal money from an account? How safe is it to provide these details?

this.josh
Gess
  • Usually public records searches will allow someone with your name and an incomplete address (or location deduced by IP geolocation) to get your complete address, so the complete address by itself is not all that significant. – Mike Samuel Aug 24 '11 at 21:11
  • Yes they can, it happened to me a few days ago and my bank is on it. It also happened in 2009 and they caught the person. – Sep 14 '11 at 18:21
  • Hi Kathy, welcome to [security.se]! Answers here are expected to provide information to base an answer on, either research, logic, etc - and not just an assertion or anecdote (btw, sorry to hear about that - I imagine it was not a pleasant experience). – AviD Sep 15 '11 at 21:26

5 Answers

19

This question is likely to be country-specific. In the US, an account number is generally not enough to steal money from someone's account. This is fortunate, because every time you write a check or make a bank payment to someone, they receive your account number.

However, learning someone's bank account number is enough to learn their account balance. There is an attack that is not widely known:

  • Most banks have a phone number that merchants can call and, via an automated voice response system, learn whether a particular account has enough money that a check for a particular amount will clear. Basically, you just call up, hit a few digits to go through the phone tree to the merchant check verification option, then type in the account number and the amount, and the phone system will respond with whether the account balance is at least as much as the amount you've provided.

This allows an attacker who knows your account number to learn your bank account balance, by using binary search. This is a confidentiality breach that is not widely known.

If this bothers you, you may be able to protect your own account against this by calling up your bank and asking them to put a fraud alert on your account. At least for my own bank, when the bank does this, it disables the merchant check verification service for your bank account.

D.W.
  • Write a check and they have your account number and routing number, seems it would be that much easier to get money out of an account. – Wayne In Yak Mar 09 '12 at 21:11
  • @WayneInML, yes, I agree, that is a risk too. I just wanted to point out an additional, separate risk that not as many people know about. P.S. The privacy risk I mentioned relies only upon knowing the victim's account number (routing number is not needed). – D.W. Mar 10 '12 at 01:28
  • FYI, the routing number is not at all secret. You can [look it up](http://www.fedwiredirectory.frb.org/search.cfm). – derobert Oct 02 '12 at 22:29
  • Interesting. Do most banks still do this? I'm aware that you can get amount ranges (e.g, <$1000, $1000-$50000, etc.), but not exact amounts. – speedplane Jan 06 '16 at 22:12
  • My credit union only allows calls from the phone number registered on the account. – Nathan Aug 24 '16 at 20:05
15

IBAN are used to identify a recipient.

The check digits enable the sending bank (or its customer) to verify the validity of a routing destination and account number from a single string of data at the time of data entry.

To be able to send money from your account to another account, someone needs to impersonate your identity. I doubt your bank would let somebody claiming to be you, and giving only an IBAN and an address, make a transfer of money. If they do, change your bank.

M'vy
  • All German banks do allow [direct debit](http://de.wikipedia.org/wiki/Lastschrift) without requiring permission from the account owner. If he or she does not check the account in time to issue a reverse order, the money is lost. For direct debit, the account number, owner name, bank id and bank name are sufficient. – Hendrik Brummermann Aug 12 '12 at 07:27
  • Are you serious? That seems crazy - especially for Germany where there seems to be so much protection in other areas, especially wrt privacy etc. – Tim X Feb 28 '13 at 22:45
  • In France, I am required to send a letter of authorisation for each automatic withdrawal order (phone company, energy company etc). Hopefully the lack of proper authorisation should trigger refusal? – M'vy Mar 01 '13 at 10:46
  • @TimX: yes, but. 1. Even with authorization the payment can be canceled by the account owner without giving any reason within 2 months of the payment, no questions asked (you sign with your bank that it is your duty to check your account statement and that it is considered approved if you do not reject it within so many weeks after they provide it). 2. If the payment was not authorized/fraudulent, AFAIK the usual 3 year statutory period of limitation applies (though being outside time frame 1 there'll be more hassle). In addition, IIRC it is possible to tell your bank that you do not ... – cbeleites unhappy with SX Jan 15 '19 at 13:16
  • ... authorize any direct debits. Also, there are accounts that do not allow any overdraft, so you can make sure no money is withdrawn by not having money in that account while you can still receive money. On the side of the party that initiates the direct debit, they need to have a particular accreditation with their bank, and that can include a deposit to cover possible reversals of direct debit or AFAIK also that the amount withdrawn is held for some time. – cbeleites unhappy with SX Jan 15 '19 at 13:21
  • But OTOH, IBAN is the number that is exchanged over here in order to allow others to pay you as M'vy writes. There are literally thousands of IBANs out in the public of businesses who want their customers to pay their bills. Also keep in mind the destination of money that leaves an account via direct debit is *known*. – cbeleites unhappy with SX Jan 15 '19 at 13:28
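The answer above says that the IBAN check digits let the sending side catch a mistyped account number at data entry, but it does not show how. The following is an added example, not code from the original answer or from any bank or standards body: it implements the ISO 7064 MOD 97-10 check that IBANs use, both to validate a complete IBAN and to compute the two check digits for a given country code and BBAN. The per-country length table is a deliberately small assumption-labelled subset, and the test IBAN is the well-known example from the IBAN Wikipedia article, not a real customer's account.

```python
import re

# Assumption: a small subset of ISO 13616 IBAN lengths, enough for this demonstration.
# A production validator would carry the full registry of participating countries.
IBAN_LENGTHS = {"GB": 22, "DE": 22, "FR": 27, "NL": 18}


def _to_numeric(s: str) -> str:
    """Replace every letter with its two-digit value (A=10 ... Z=35), as ISO 7064 requires."""
    return "".join(str(ord(c) - ord("A") + 10) if c.isalpha() else c for c in s)


def normalise(iban: str) -> str:
    """Strip the spaces people type between groups and upper-case the result."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """Return True if the IBAN has the right shape and its check digits verify.

    This only proves the string was transcribed correctly; it says nothing about
    whether the account exists or who owns it.
    """
    s = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", s):
        return False
    country = s[:2]
    if country in IBAN_LENGTHS and len(s) != IBAN_LENGTHS[country]:
        return False
    # Move country code and check digits to the end, map letters to digits,
    # and the whole thing must be congruent to 1 modulo 97.
    rearranged = s[4:] + s[:4]
    return int(_to_numeric(rearranged)) % 97 == 1


def iban_check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a BBAN: 98 minus (bban + country + "00") mod 97."""
    numeric = _to_numeric(bban.upper() + country.upper() + "00")
    return f"{98 - int(numeric) % 97:02d}"


if __name__ == "__main__":
    # Example IBAN from the Wikipedia article on IBAN (not a real customer account).
    good = "GB82 WEST 1234 5698 7654 32"
    # Constructed: the same IBAN with the last two digits transposed, a typical typo.
    typo = "GB82 WEST 1234 5698 7654 23"
    print(good, "valid" if iban_is_valid(good) else "invalid")
    print(typo, "valid" if iban_is_valid(typo) else "invalid")
    print("check digits for GB / WEST12345698765432:", iban_check_digits("GB", "WEST12345698765432"))
```

The mod-97 step catches every single-character error and every adjacent transposition, which is exactly the data-entry mistake a customer makes when copying an IBAN off an invoice. It is an integrity check on the string, not an authorisation control: knowing how to compute it gives nobody access to the account, which is why, as the comments above note, businesses print their IBANs on every bill.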
8

It's possible to transfer money out of an account knowing only Account Number, Sort Code and address.

There was a reasonably high-profile case where Jeremy Clarkson, not believing this to be the case, published his bank details in a newspaper. The details were then used to send money to a charity.

http://news.bbc.co.uk/1/hi/7174760.stm

RJFalconer
  • Although to be fair, that is not what was important in this case. You can't take money out of an account using just these details - you need more info, and a bit of social engineering. But an attacker with this info requires less effort to complete the attack. – Rory Alsop Sep 05 '11 at 14:29
  • Plus, it is known exactly *where* the money went (to a Diabetes charity who probably could get money that way only because they were in good standing with their bank for not initiating fraudulent direct debits so they are approved for initiating direct debits). If you do not just want to cause damage/hassle, but want to *get* that money it is far more difficult to both get it and stay unknown/undetected. – cbeleites unhappy with SX Jan 15 '19 at 13:34
3

The following is based primarily on US Banking, but most countries have similar risk management practices if they follow Basel Practices.

To perform an ACH requires a routing number and an account number.

However, for an ACH to go through requires it to pass internal controls and screens. The bank is required to monitor for fraud and if you are making irregular transactions for your account they should detect it. In the US, hopefully they are complying with the federal regulator's recommendations to implement layered controls (FIL-50-2011), e.g., there is some security gate to go through to move money out (e.g., an out-of-band one-time token, such as an SMS one-time code). Also, in the US, you are protected against electronic funds transfer fraud through Regulation E. Regulation E allows you to make a claim against fraud. Often the bank can reverse fraudulent transactions.

You may want to read this paper by Microsoft Research: Is everything we know about password stealing wrong? (PDF) It addresses the risk to individuals of bank account compromise.

Eric G
  • There are usually a greater number of controls for money flowing out of a bank versus in (though most banks will try to filter for money laundering and fraud patterns going in). Things like positive pay can help reduce outgoing fraud. Some banks may also prevent outgoing transfers without first requiring a confirmation through an out of band channel (e.g., click a one time link in an email or respond to an SMS). – Eric G Feb 23 '13 at 17:16
0

Normally, a bank will require proof of identification, such as a signature or online password, before allowing someone to withdraw or wire money from an account. Also, a bank may call or email the account holder before making the wire or withdrawal, especially if it is unusual activity for the account.

xpda