18

With a credit-card number, validity date and CVV-code, people can make purchases, so this information should be strictly protected. But if I post my bank account details online (IBAN + BIC/SWIFT), does this put me at any risk at all? In my understanding, this allows people to transfer money to my account; not from my account. But with direct debit, companies may be able to withdraw people from my account. Can they? Am I at risk?

On Yahoo Answers the answer is "not safe", whereas on Money.SX the answer is "it depends", but neither answer is sourced very well. In fact, many different websites say different things...

Does anyone have a reliably sourced answer laying out the risks of doing so in different banking systems and different parts of the world?

gerrit
  • 1
    What is the claim you are skeptical of? From the FAQ *Skeptics is about applying skepticism — it is for researching the evidence behind claims you encounter. It is not for speculation, philosophical discussions or investigating original claims.* You are asking for us to investigate the risks... You have several notable claims to be skeptical of, but you are not asking us to show proof or contradiction to any of them. That makes this a poor question for skeptics. – Chad Aug 21 '12 at 14:22
  • 2
    What reason would you have to post your bank account number in a public forum? – Sam I Am Aug 21 '12 at 18:56
  • 2
    I think this is on-topic, but the answers should *not* contain any personal research. Possible valid facts to find: cases in which accounts have been compromised this way; studies by security firms which recommend against similar practices or at least that specify account numbers should be crypted when stored in a database; &c. – Sklivvz Aug 21 '12 at 19:24
  • This could be a better fit for money.se. –  Aug 22 '12 at 20:19
  • 1
    @SamIAm, to enable people to give money to me. It's not uncommon for companies to have their bank-account information online for people to pay their bills, for example, or charities for people to donate money. – gerrit Aug 22 '12 at 21:36
  • I would say **yes**, that information is unsafe online. Personal cheques, in the USA, can be legally printed by 3rd parties, in addition to the bank. There are even inexpensive personal finance software programs that will print cheques on an ordinary printer. The identity information together with the bank information could be very useful to a criminal with such software. – Paul Aug 26 '12 at 03:56
  • 3
    @gerrit: even experimentally, this question can only be answered for single countries as the safety will very much depend on the local transaction laws. – cbeleites unhappy with SX Jan 12 '13 at 19:33
  • Even if you don't post it online, anyone you write a check to has this information on the bottom of the check and could easily pass it on to others and even post it online if they wanted. – BlueWhale Jan 22 '13 at 23:28
  • Bank data such as IBAN + BIC actually *are* often published on the internet, though not necessarily willingly by the owner. For example some folks publish scans of letters and other documents (just google a bit) they obtain or otherwise get a hand on and such letters may (or sometimes are required to) contain that bank data – Hagen von Eitzen Jun 27 '15 at 22:53

2 Answers

29

An experiment was conducted by Jeremy Clarkson in 2008 to test the hypothesis that it was safe. He published his bank details in the newspaper.

The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.

[...]

"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he said.

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.

"I was wrong and I have been punished for my mistake."

From a report in The Guardian:

The charity is one of many organisations that do not need a signature to set up a direct debit.

My personal recollection of the incident (that I haven't been able to verify with references) is that, while it was legally possible for Clarkson to dispute the charge and demand that the bank reverse the transaction, he elected not to because the money went to a worthwhile charity.

Oddthinking
  • 1
    @Chad: you're giving example from US, which uses billing system completely different from European ones. In Europe directly charging bills from account is standard. Electricity, gas, water, phone companies only need your account number, full name and address to bill you. – vartec Aug 21 '12 at 16:24
  • 1
    @Chad I don't see how my saying that an advert is not an adequate reference is different from your saying that an anecdote is not an adequate reference. – DJClayworth Aug 21 '12 at 16:40
  • @Chad. OK good point. – DJClayworth Aug 21 '12 at 16:46
  • 5
    It is a confirmed example of it not being safe. One example is all I needed. The fact that the UK bank couldn't prevent it from recurring shows that even if he eventually got his money back, the problem wasn't over; it remains unsafe. The perpetrator's use of a charity was the trick; the charity couldn't be blamed for the transaction. If the perpetrator tried to directly benefit, they might expect to be detected and charged with fraud. – Oddthinking Aug 21 '12 at 17:26
  • I remembered there was something like the Jeremy Clarkson incident, wanted to add it to my question, but couldn't remember enough details to google what it was again – gerrit Aug 21 '12 at 19:35
  • @Chad "you can stop charges". So? It's like saying is driving on nails safe? Yes, because if you blow a tire you can repair it. Whether you can fix the damage or not has no bearing on whether the practice can lead to negative consequences. It is, as exemplified, clearly unsafe. – Sklivvz Aug 21 '12 at 20:44
  • @Chad, even if you can dispute the charges it's still dangerous. Providing any proof that you can dispute the charges is completely irrelevant. The whole point is whether making your account number public is exploitable. It is, and one anecdote is enough to prove it, just like one single virus is proof that some code is exploitable. – Sklivvz Aug 21 '12 at 21:32
  • @Chad: "the anecdote said you could not" Ah, I didn't mean to imply that. Sorry. I have added a clarification that, unfortunately, I haven't been able to support with references after searching for a while. – Oddthinking Aug 21 '12 at 23:46
  • 1
    @vartec: AFAIK, in Europe recovering money taken that way is trivial. There is no dispute or process, you just trivially cancel the charge and the money's back. Of course if it was for a bill, you still have that bill to pay but one needs a court order to take money from someone's account without the owner's consent -and keep it-. (if cancellation causes illegal debit on the taker's account, it's their and the bank's problem.) – SF. Jan 11 '13 at 18:01
  • 1
    @SF: (for Germany) I think the legal technique for these pull transactions is that the bank still needs your approval but chooses to advance the money at *their* risk. The trick is then that if you do not tell them that something is wrong with your account statement within a certain period of time (6 weeks after the statement), the bank is allowed to assume everything is correct. Which is a duty you agree on when opening the account (and of which you are usually reminded on every account statement). Of course the bank knows where it sent the money, so they can get *their* money back. – cbeleites unhappy with SX Jan 12 '13 at 19:44
  • I find the more interesting question here is: is it possible to generate the pull request to someone else. Of course what the bank can trace is where the money went (to that charity). But it does not even give any probability that the pull was *not* launched from the charity (a cashier of the charity could have been the reader in question). With SEPA pull transactions there will be an advance notification stating amount and date of the withdrawal. And the creditor (puller) has to have an ID number. Info in German: http://www.bitkom.org/files/documents/BITKOM_SEPA-Leitfaden.pdf – cbeleites unhappy with SX Jan 12 '13 at 19:54
  • @vartec in Poland there is no such mechanism. Most sellers put their account number in online listings free for everyone to see it. It's actually safer this way, as it makes it harder to fall for phishing. – Agent_L Nov 11 '16 at 13:33
3

It does depend. In the USA, the Federal Trade Commission says that you can limit your liability for fraudulent electronic transactions that are reported within 60 days.

What if I find unauthorized transactions on my account? - Generally, if you find unauthorized electronic check conversion on your account (or someone has fraudulently obtained your banking account information), notify your financial institution immediately. Your level of loss depends on how quickly you report the problem.

Under federal law, for unauthorized electronic check conversion, you have 60 days to report these transfers after your bank account statement containing the problem is mailed to you. If you fail to report the unauthorized transfers within this time period, you risk losing all the money in your account and the unused portion of your maximum line of credit for overdrafts. It’s also a good idea to report any other unauthorized transfers on your account or problems regarding any loss or theft of your checks immediately.

Contact your financial institution about any additional limits on liability they may offer.

Of course, they recognize that giving up your banking information to anybody is still dangerous. (Note: While your bank is investigating if the withdrawals were legal, you may not have access to your account or the money that should be in it. This can last from 45-90 days. (FDIC: laws and regulations))

Be especially cautious about sharing your bank and checking account numbers. Do not give out personal information – particularly on the telephone, by e-mail or otherwise online – unless you have initiated the contact or know who you’re dealing with. Scam artists can use your personal information to commit fraud – such as identity theft. That’s where someone uses your personal information, such as your checking account number, Social Security number, mother’s maiden name, or birth date, without your knowledge or permission, to commit fraud or theft.

These recommendations are based on the Electronic Funds Transfer Act, the details of which can be found here. It might be as little as $50.

user1873
  • This answer is badly worded. Need to just expand on the federal regulations link at the bottom of the page ($50 max with 2 day notice, $500 if within 60 days, $all if not notified... barring state regulations). – user1873 Aug 21 '12 at 15:04
  • Not an answer. The question is whether it's unsafe, not whether any consequences of it being unsafe enjoy protections by the law. – Sklivvz Aug 21 '12 at 20:41
  • @Sklivvz - *they recognize that giving up your banking information to anybody is still dangerous.* that is from the OP's post... – Chad Aug 21 '12 at 20:53
  • @Chad surely "they recognize that xxx" is not a viable skeptics answer. It's just someone's opinion, not the conclusion of a specific study. – Sklivvz Aug 21 '12 at 21:24
  • @Sklivvz, Not an answer? I must be misunderstanding, "am I at risk? What are the risks under different banking systems" Certainly, you **risk** losing money from your account. – user1873 Aug 22 '12 at 01:59
  • @Sklivvz - Except that it is backed up by references properly... Maybe you should actually read the answer. – Chad Aug 22 '12 at 12:23
  • @Sklivvz, "not whether any consequences of it being unsafe enjoy protections by the law." or "except that it is backed up by references properly." **Which is it** Am I answering the wrong question (so it isn't an answer), or is my answer not properly referenced? I am capable of reading, but your mode of speech is difficult to follow, "which answer am I supposed to read, my own?" – user1873 Aug 22 '12 at 14:40
  • @user1873 you are not answering the question ("Is making your bank account public, unsafe?") anywhere in your answer, with the exception of the single *unreferenced* sentence: `Of course, they recognize that giving up your banking information to anybody is still dangerous.`. As such: 1) the rest of the answer is not addressing the question and 2) the sentence that does, is merely repeating the claim instead of addressing it with *facts*. – Sklivvz Aug 22 '12 at 18:30
  • @Sklivvz, ah ha. That sentence is from the original Federal Trade Commission link. It is a formatting error on my part. – user1873 Aug 22 '12 at 20:50