This is just one of many data leaks that have occurred among French companies in recent weeks, but it could be more serious than the others. The operator Free revealed on Saturday October 26 that it had been the victim of a cyberattack, during which the personal data of millions of subscribers, and in particular banking identifiers (Iban), were stolen. The hacker who claimed responsibility for the act claims to have more than 5 million Iban, as reported by several cybersecurity experts, including Damien Bancal to AFP.
When this data leak was announced, some voices were reassuring, maintaining that it was impossible for a crook to empty a bank account simply using an Iban. However, several experiments show that it is possible to use these identifiers to make payments, without prior authorization, even for regular payments.
Two journalists from the technology news site 01Net, for example, exchanged their respective Ibans to try to “steal” money from each other by purchasing products on the internet. The first test was carried out on Amazon. The journalist was able to add his colleague's Iban as a means of payment, then he bought an inexpensive product (a four-color pen) which he had delivered, without the slightest identity verification or alert to the owner of the account.
What about subscriptions and their regular payments? The site carried out another test, by subscribing to a mobile plan for 2 euros per month from Bouygues Telecom. The journalist used her colleague's Iban for the samples. At no time was the “stolen” person informed that their Iban had been used. The procedure was validated a few days later with an electronic signature made by the journalist… without validation code.
Although the journalists subsequently informed Bouygues of their experience, it was only on the eve of the first sample that the company's fraud department contacted the journalist, because her “banking data does not seem[ai]“not correct”. However, his colleague was indeed taken on the scheduled date. This The debit was finally canceled, without the owner of the bank account having been informed.
The banks here pass the responsibility on to the companies that receive the money. “It is up to the creditor who receives the direct debit mandate to verify the correspondence between the Iban and the holder”underlines Crédit Agricole to 01Net. This is the very principle of Sepa (“Single Euro Payments Area”), the European regulation in force since 2014 in 31 countries in Europe.
The UFC-Que Choisir association sounded the alarm on the subject in 2014. “Unlike the old system, banks are no longer required to obtain the customer's authorization to make a direct debit. It is now the recipient of the direct debit who makes the request to the bank themselves. 'establishment”explains the association on its site. “Practical consequence: anyone with an individual’s Iban number can withdraw money from it, without any control from the bank.”
Why don't creditors systematically verify identities? Questioned by 01Net, Bouygues declared that it “wants to offer its customers a smooth and reliable experience. To do this, numerous tools allow automatic and also manual checks to be carried out in order to secure transactions”. Amazon, for its part, mentions its “dedicated teams” and its investments “in cutting-edge risk management systems to protect customers”. However, none concretely explains what is put in place to check that a person who enters an Iban is indeed the owner of the bank account.
So, what to do? The first tip is to monitor the debits on your bank account, looking for payments you haven't made. Even the smallest ones, which can more easily go unnoticed. Banks also allow you to consult the list of creditors currently registered on your account, to spot suspicious names.
You then have several means of appeal. On the one hand, the entity which receives the money must notify you of the withdrawal at least 14 days before its execution, recalls the Banque de France on its site (unless there is a contractual agreement which establishes a different process). In addition, if a direct debit mandate has been signed, you have eight weeks to dispute a direct debit with your bank, and the bank must reimburse you within ten days. If no mandate has been initialed, you have 13 months and must be reimbursed “no later than the end of the first following working day”bank charges and agios included.
But that doesn't stop scammers from trying again, on the same site or another. Can we treat the problem at the source? You can prohibit entities from debiting you by asking your bank to put them on your “blacklist”. Conversely, you can send your bank a “white list” of companies that you authorize to make transfers. If a company that is not listed there attempts to charge your account, the movement will be blocked.
In both cases, your bank has an obligation to accept this request, recalls the UFC-Que Choisir association on its site. Note that a scammer can therefore use your Iban to pay for the services of companies that appear on this white list. But, at least the risks are reduced.
