# Giving IBAN number



## roker (3 Apr 2020)

There a lot about scams  and giving details about our bank account  Some imply that the IBAN and BIC should be avoided, I fail to see how a scammer can draw from a person's bank account by giving these IBAN detail and not giving any passwords. We give IBAN numbers all of the time for electronic pament


----------



## EmmDee (3 Apr 2020)

roker said:


> There a lot about scams  and giving details about our bank account  Some imply that the IBAN and BIC should be avoided, I fail to see how a scammer can draw from a person's bank account by giving these IBAN detail and not giving any passwords. We give IBAN numbers all of the time for electronic pament



It's fine - it's meant to be given out. The only thing to be wary of is giving out personal information (e.g. dates of birth etc) or using the IBAN as a security question for example. This is more about social engineering hacking e.g. someone calling the bank help desk with enough personal information to get them to change something like the mobile phone contact number - and taking it from there

BIC's are totally public - they are the equivalent of a street address within SWIFT. They just identify the bank. You can actually guess the BIC usually. Every institution gets a 4 letter core code (e.g. for AIB it is "AIBK"), the next two letters are the country code for the branch (ISO country codes) and then a 2 letter/digit branch code (or head office code for a general payment). There can be a 3 digit / letter additional code to identify departments. So a payment to AIB is going to AIBKIE2D

The IBAN is also a construct made up of the 4 letter bank core SWIFT ID, sort code and account number (with an additional check digit). If you have someone's account number you can construct the IBAN

You can't draw from someone's account on the basis of an IBAN


----------



## Boyd (3 Apr 2020)

EmmDee said:


> It's fine - it's meant to be given out


Really? I wouldn't have thought so. I'd give card number mainly, I'd only ever give IBAN to a bank for mortgage application, they insist on this I think.

IMO giving the card number for all other payments means if you cancel the card, youre on control. If you give the IBAN, that's direct access to the account, effectively bypassing the card. You can't withdraw from an ATM with the IBAN or anything but you can set up a direct debit for example.

This actually happened recently to me whereby non authorised payments were happening and bank said it was easier to block them and cancel card since I had used the card number as opposed to if I'd given out IBAN.

That's my understanding anyway.


----------



## jpd (3 Apr 2020)

Giving a bank your IBAN is not authority for them to withdraw money from your account - you have to sign a direct debit or SEPA form for that to happen. 

Everytime you give someone a cheque, your IBAN is on it or can be derived from it


----------



## EmmDee (3 Apr 2020)

Boyd said:


> If you give the IBAN, that's direct access to the account, effectively bypassing the card. You can't withdraw from an ATM with the IBAN or anything but you can set up a direct debit for example.



No it isn't - and no you can't. IBAN gives you no access - it only allows payment to that account

Giving out a card number is actually a lot more risky. Yes you can cancel a card but only if you or the bank notice the transactions. An IBAN doesn't allow anyone even process a transaction


----------



## mathepac (3 Apr 2020)

EmmDee said:


> It's fine - it's meant to be given out.
> 
> The IBAN is also a construct made up of the 4 letter bank core SWIFT ID, sort code and account number (with an additional check digit). If you have someone's account number you can construct the IBAN
> 
> You can't draw from someone's account on the basis of an IBAN


It's big business calculating and verifying IBANs. You can use it to get the Pope's code at Vatican City, but I doubt you'll get any money out!






						IBAN Checker: International Bank Account Number validation
					

IBAN checker is a software designed to validate an International Bank Account Number and identify the bank owning this account, BIC code and address.



					www.iban.com


----------



## EmmDee (3 Apr 2020)

mathepac said:


> It's big business calculating and verifying IBANs....



I'm not sure what you mean by big business - it's public information and, as you linked, there are multiple ways of verifying an IBAN is valid online. But if you mean someone is making money from verifying IBAN's - they aren't. Anybody can do that


----------



## mathepac (3 Apr 2020)

They sell their licensed services to software developers and businesses who wish to make multiple validations or calculations in the course of their business day with having someone sitting at a keyboard. It's all there under "Pricing" - big business.  https://www.iban.com/pricing


----------



## Boyd (3 Apr 2020)

EmmDee said:


> No it isn't - and no you can't. IBAN gives you no access - it only allows payment to that account




To set up Direct Debit you'll need:
A Republic of Ireland bank account that allows Direct Debit to be set up
Your IBAN (Found on your bank statement).

So how does Electric Ireland set up a direct debit with just the above then? I'm not disagreeing, you seem far more knowledgeable on this than I) but I'm interested to see how utility companies setup payments then?


----------



## mathepac (3 Apr 2020)

Because you sign a Direct Debit mandate, a contract that allows them debit access to your account. Look at the ESB link you provided "Sign up for Direct Debit - Electric Ireland"


----------



## Boyd (3 Apr 2020)

Yeah so I fill that in, send it to utility company, but what from said mandate is actually seemed to set up the direct debit? Who actually sets up the debit, the bank or the utility? Does utility company send the mandate to the bank to set up the direct? 

In other words if I somehow had your iban, what else would I need in order to setup a direct debt to charge you monthly? Or if that not possible as I'd need to submit some official looking mandate headed with "please pay MyFakeDirectDebitCompany" to send to the bank before they'd action it?

Apologies if I'm being very slow on this.


----------



## jpd (3 Apr 2020)

You would need the signature of one of the account holders


----------



## Boyd (3 Apr 2020)

Yep but who ever looks at signatures on bank cards for example. Isn't that why they introduced chip and pin? Do you think banks match that up closely when processing the mandate? I'd say you'd find a letter in the garbage if you found where the person lives! Again I'm being super awkward I know


----------



## mathepac (3 Apr 2020)

Try searching for "Payment Processor" and/or "Originator Code" in your favourite search engine. They'll give you more links to look up.


----------



## Boyd (3 Apr 2020)

Thanks, most useful. The second result
https://businessbanking.bankofireland.com/app/uploads/2016/07/SEPA-Glossary-of-Terms-PDF.pdf is
actually is very good explanation, diagrams with boxes 
[Edit]
This is the corrected link https://businessbanking.bankofirela...7/OMI010324-SEPA-DD-Originator-Guide-v5-i.pdf


----------



## jpd (4 Apr 2020)

There are no diagrams in the pdf file you linked to.

If the bank does not check the signature on the mandate against the signature on file for that account, then you can easily question any payments taken and have them reversed

You can be sure that banks do check mandates properly before setting up the DD authorisation. If shop keepers and such like can't be bothered checking signatures on cards, then that is their problem not the banks


----------



## jpd (4 Apr 2020)

As for letter in the garbage, how would that help you find the signature of the account holder?


----------



## RedOnion (4 Apr 2020)

I'm not sure where this whole signature being checked by the bank is coming from.

Under the Irish 'DD plus' scheme, you don't need a signature on a mandate if it's an Irish IBAN and a DD+ originator. No signature or paper mandate is required by anyone.

Even if it's not a DD+ originator, the mandate never goes near the bank. All SEPA DDs are just electronic messages. The originator keeps the mandate.

However, the originator has signed up to a set of rules that provides the account holder huge protection, and unauthorised DDs can be reversed for up to 13 months.
An originator needs a bank sponsor before they can raise DDs, so in the event that they're not able to refund, then their sponsor bank pays.


----------



## Boyd (4 Apr 2020)

jpd said:


> As for letter in the garbage, how would that help you find the signature of the account holder?


Unmailed love letters, unmailed direct debit mandates 

I updated the link above, cheers.


----------



## hfp (6 Apr 2020)

You may not have much love for him, but Jeremy Clarkson got stung on this very issue a few years ago.  He too thought that no harm could come of giving out his bank account details, so printed them in a national newspaper. 

If I ring a utility company to set up a direct debit they have no way  of checking if the sortcode and account number I give them is in the same name as the utility account.

You are protected by the direct debit guarantee so can ask your bank to stop the payments, but the utility company won't speak to you if you're not the account holder.






						Jeremy Clarkson eats his words over ID theft
					






					www.telegraph.co.uk


----------



## mathepac (6 Apr 2020)

Telegraph story behind pay wall - and is 12 years old.


----------



## hfp (6 Apr 2020)

Strange, I wonder why it let me in, I don't pay either!! It may be 12 years old, but our banking systems haven't changed in that time!!

Motoring television presenter Jeremy Clarkson has been forced to eat some uncharacteristic humble pie after playing down the severity of Labour's lost data scandal.

The Top Gear host was so sure that the furore over the lost CDs of data was nothing but "a storm in a teacup" he printed his own bank details in a newspaper, convinced his money would be safe.

He also included instructions on how to find his address on the electoral roll and gave details about the car he drives, claiming he had "nothing to fear" from identity fraud.

But the exercise left the newspaper columnist with egg on his face when he had to admit that he had been the target of an internet scam.

 An unidentified reader copied his details and set up a £500 direct debit from his account payable to the British Diabetic Association.
The charity is one of many organisations which does not need a signature to set up a direct debit.
Clarkson, 47, wrote in the Sunday Times: "Back in November, the Government lost two computer discs containing half the population's bank details.
"Everyone worked themselves into a right old lather about the mistake but I argued we should all calm down because the details in question are to be found on every cheque we hand out every day to every Tom, Dick and cash and carry.
"To hammer the point home I even printed my own bank account number and sort code.
"And guess what? I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account.
"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.
"I was wrong and I have been punished for my mistake."
The discs, which contained the personal details of 25 million Britons, were lost by HM Revenue and Customs and have still not been found.
At the time, Clarkson wrote: "I have never known such a palaver about nothing. The fact is we happily hand over cheques to all sorts of unsavoury people all day long without a moment's thought. We have nothing to fear."
But yesterday, the newly-chastened pundit had changed his tune.
"Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy," he said.


----------



## roker (18 Aug 2020)

There are no signatures involved when setting up a utility company ie. Broadband also no written contracts, so you don't know what you agreed to.


----------

