I have just learned that in Germany you pay online by providing your IBAN. In other words, anyone to whom I have sent money, and who therefore has my IBAN, can extract money from my account. Apparently, the system somehow works and nobody questions it. From what I understood from other questions here, the situation is similar in the U.S.

Given this fact, however, I find it hard to understand the number of obstacles I need to overcome to make a simple transfer from my account to another account. I need to log in to my online banking, create the order and then verify it, usually using a code sent via a text message (i.e. 2-factor authentication). Paying with a classic credit card is similarly complicated.

If anyone can pay just by providing my IBAN without any identity verification whatsoever and it is considered secure enough, why do I need to go through a complicated authentication and verification process to access my money on my account? To me it sounds like building a 12-foot-tall wall around my house and then leaving the gate open 24/7. The wall makes my life complicated but brings zero improvement to my security.

I understand that the situation is somehow similar to credit card numbers. When someone gets hold of my credit card (or just the number), he can just start draining money from my account. But firstly, online payments are very often protected by 2-factor and secondly, I've always approached credit card numbers as something which has to be kept secret. IBAN, on the other hand, is more like a phone number. If you want people to be able to send you money, you just give them your IBAN. But then it just feels strange to allow online payments just using IBAN.

Why is IBAN considered to be enough to make only payments? And since it apparently is, why bother and complicate our lives with 2-factor protection of online banking and credit card payments? What are the reasons that I'm missing?

tobik
  • Are you really sure the IBAN is enough to finish the payment? I have stumbled on some pages that ask for your IBAN, then at the next page, you will be asked to log in to your banking and then send money to IBAN XYZ (the company's IBAN). The purpose of asking for your IBAN is then to identify the payment, e.g. "if source of payment is = entered IBAN ABC, mark order ### with entered IBAN ABC as paid" – sebastian nielsen Nov 28 '16 at 23:31
  • By "in Germany you pay online by providing your IBAN", do you mean the direct debit system? It relies on you authorizing the company to bill you in future. – Peteris Nov 28 '16 at 23:34
  • I guess that's what they call it. I have just used TransferWise to issue an order to transfer 1000 euros from my account just using my IBAN. I also filled in my name and my address (it wasn't clear whether that was required for the payment itself) but definitely no real identity verification through password, PIN or text message. Anyone with these three pieces of information (which is pretty much public) could make that money transfer. – tobik Nov 29 '16 at 00:36
  • Same in the US - once you have someone's checking account number, **which is found on every check**. This is a [huge security hole](https://money.stackexchange.com/questions/4350/cant-the-account-information-on-my-checks-be-easily-used-for-fraud). – Dan Dascalescu Jul 21 '18 at 00:28

0 Answers