undefined | Better HN

0 pointsNextgrid10mo ago0 comments

But there is no cryptography or any kind of identity verification involved in "signing" such an agreement. If I know your IBAN I can subscribe to such an agreement on your behalf.

I'm not sure about Europe, but at least in the UK, what makes such a system secure is that the account holder can reverse any "pull" transaction for over a month, with the merchant being on the hook. So it reduces the incentive to exploit it (or at least shifts the risk off the account holder), to a level where it's pretty much never done.

0 comments

3 comments · 1 top-level

rkomorn10mo ago· 2 in thread

I don't have any experience with making fraudulent transactions, but I at least had to prove who I was when signing up for recurring transactions (so the fraud would've been effectively in my name), and I also see all my authorizations in my bank app (and I can remove them at any time).

In the US, I'd be more worried about a one-time fraudulent ACH withdrawal than a recurring payment situation.

I don't see a similar risk here. It seems like there are more hoops to go through to make a pull transaction?

NextgridOP10mo ago

I pay for several services via SEPA direct debit and the only things I had to provide to sign up was an IBAN and a pinky-promise I was the account holder. As far as I know they have to way to correlate the identity information on the provider account to the bank account holder’s, so it should work in case of fraud too. This lines up with how UK direct debits work as well, where a “sort code” (bank identifier) and account number are enough.

I presume the only security there is arises from the fact that those transactions can be reversed by the account holder within a generous grace period, and that this method of payment is only ever used to pay for long-standing services where there’s a strong paper trail to the beneficiary of said service (so not much point in doing the fraud to begin with).

rkomorn10mo ago

That sounds right.

IME, though, the whole authorization system I've had to use with SEPA and IBANs feels more secure, and I've had no misgivings about using it to transfer or receive money.

By comparison, using ACH to transfer funds between accounts is usually bidirectional in bank apps, so if you give me your account info so I can send you money, I can also use that same info to withdraw money.

That means I'd never send you my routing and account number even if the original purpose is for you to send me money.

j / k navigate · click thread line to collapse