6

I'm currently developing a payment system where users can use SEPA-debit to pay for the service. The user has the ability to enter the data once and can then select the same payment method when making another payment in the future.

So in order for the user to select the proper account to debit, I need to show some information about her/his accounts. In the world of credit cards it is normal to mask all but the last 4 digits of the card number, e.g. XXXX-XXXX-XXXX-1234

Should I also hide all but the last 4 digits when displaying IBAN numbers? And should I do the same for the BIC, or is it safe to display the complete BIC number?

devsnd
  • 161
  • 1
  • 4

2 Answers2

6

Unlike credit card numbers, IBAN numbers are not secret. If anyone knows your bank account number, they can derive the IBAN number from it. And they would need to know your bank account number to pay you.

Similarly, BIC is not a secret either.

That being said, a bank account number and other identifying information can sometimes be used to order things, so it might be a good idea not to show more information about a bank account number / IBAN than is necessary. This is also a trade-off between user privacy and user experience.

(The example scenario would be someone out to harm you, perhaps as vengeance for something. They obtain your bank account number, some other personal info, and start ordering things in your name. Obviously this is illegal and stupid, but it's not impossible. You could undo the harm, but it would take you time and effort that you'd prefer to spent in a more pleasant way).

The account number is almost always the last numbers of the IBAN, and usually the last numbers of the account identify the different accounts that a user may have at the same bank. Depending on which countries you are operating in, showing only the last 3 or 4 digits, along with the ID of the bank, should be enough.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
4

Without knowing country specifics, I do not see a difference, why credit card numbers are secret and IBAN - not. Knowing any of them (ok, in case of IBAN, you also need a name), one could make payments, order goods over Internet in some countries (e.g., in Germany to order from Amazon only IBAN and name are needed). Please see Can someone steal money from my bank account if they know my IBAN and personal details?.

So, I would recommend to protect both account number and BIC parts of IBAN, since if you only mask out too few digits of bank account, using IBAN checksum and knowing typical account numbers (e.g., there are banks where last 2 account number digits are always 00) for specific bank (identified with BIC), someone could bruteforce an account number.

Lets take German IBAN as an example. It always looks like 

DEcc bbbb bbbb aaaa aaaa aa

DE - country code, cc - checksum, b - BIC part, a - account number part.

Let's say you mask it out as:

DEcc bbbb bbbb XXXX aaaa XX

In my eyes it is not good at all, because now I know the checksum and BIC. From the BIC, I could know that the bank (1) has not so many accounts and (2) last 2 digits are reserved for other account types, e.g. 00 for main account, 01 could be partner account, 02 could be long-term deposit and so on. So, last 2 digits are always 00 for this bank and operating/settlement account.

Now we have 4 digits left. But from (1) I conclude that the bank has less than 1,000,000 clients. Than accounts of this bank will always look like

00aa aaaa 00

So now I only need to guess first two 'a'-s. But I have a checksum, which makes it very easy. If bank has more than million clients, it still could have a system, where first digit identifies country region, where an account was opened and so on.

Community
  • 1
Andrey Sapegin
  • 260
  • 1
  • 2
  • 16