Geekzone: technology news, blogs, forums



dacraka

#293845 16-Feb-2022 22:37

What is the best way to partially mask (with asterisks) sending out a bank account number confirmation email to a client for security reasons, while making it easy for them to confirm that the masked number in the email matches the bank account number they assume it to be (which may be an account number they entered a long time ago)?

One solution may actually be to not mask at all as there is no security risk!?

Cheers all.


michaelmurfy
#2869978 16-Feb-2022 22:59

There is no need to mask a bank account number as you can only put money into an account, not take it out (unless you had a direct debit authority). There is no security risk here.

Credit cards, however, are another kettle of fish as you should never have them as plaintext in the first place :)

 

Also, I work in the banking industry.





Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi
dacraka

#2870065 17-Feb-2022 08:46

Thanks Michael.

 

Although while entering your details into AT Hop card's auto top-up feature, it asks you for your bank account number for a direct debit, asks you to tick a box to say you have authorisation, then starts to withdraw funds from your account. Basically it relies on a checkbox.

 

Sure it would be fraud, but technically it will still be possible to take funds out of someone else's account (at least temporarily until the bank sees what is going on and puts a hold on it).

 

Thoughts?


Handsomedan
#2870118 17-Feb-2022 09:57

dacraka:

 

Thanks Michael.

 

Although while entering your details into AT Hop card's auto top-up feature, it asks you for your bank account number for a direct debit, asks you to tick a box to say you have authorisation, then starts to withdraw funds from your account. Basically it relies on a checkbox.

 

Sure it would be fraud, but technically it will still be possible to take funds out of someone else's account (at least temporarily until the bank sees what is going on and puts a hold on it).

 

Thoughts?

 

 

There are different types of Direct Debit authorities and AT sits within the most trusted group - basically they are paperless, with the ability to debit funds on your authority without a standard DD form. 

 

I was a senior transactional banker for around 25 years and this is something that people used to question all the time. 

 

There are a lot of rules governing the DD initiator status and how the DD authority is used, but long story short, they must be a trusted party to be able to debit an account. 

 

https://www.paymentsnz.co.nz/resources/payment-methods/direct-debit/

 

There are a number of guarantees that the initiator enters into and the bank is also on the hook in certain situations. 

 

Your money is pretty safe with a DD initiator. 





Handsome Dan Has Spoken.
Handsome Dan needs to stop adding three dots to every sentence...

 

Handsome Dan does not currently have a side hustle as the mascot for Yale 

 

 

 

*Gladly accepting donations...




lxsw20
#2870149 17-Feb-2022 11:24

Reminds me of this gem: Clarkson stung by fraud stunt


rugrat
#2870256 17-Feb-2022 12:45

Yes, if someone has your bank account details they can set up a direct debit. I joined a gym a few years ago. Put my bank account details in and the direct debit started coming out. Was thinking at the time, I could have been anyone.


neb

#2870342 17-Feb-2022 13:44

michaelmurfy:

There is no need to mask a bank account number as you can only put money into an account, not take it out (unless if you had a direct debit authority). There is no security risk here.

 

 

There is a nonzero risk, if someone gets your banking details they can use that alongside stuff scraped from social media and the like to spear phish you. In particular since your bank account number is something only your bank would know, it has to be them when they message or call you, not a phishing attempt.

 

 

So I'd mask, or tell them "the third digit is X, the seventh is Y, the eighth is Z", not giving away enough information for a social engineering attack.
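
The two options described in the post above (masking all but a few trailing digits, or disclosing only selected digit positions), as an added example that is not part of the original thread. The sample account number is constructed, and the four-digit reveal cap `MAX_REVEAL` is an assumed policy value, not a banking standard.

```python
MAX_REVEAL = 4  # assumption: policy cap on digits disclosed per email

SAMPLE = "01-2345-6789012-00"  # constructed account number, not a real one


def mask_account(number: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Mask every digit except the last `keep_last`.

    Separators are kept so the client still recognises the layout.
    """
    total = sum(ch.isdigit() for ch in number)
    if total == 0:
        raise ValueError("no digits in account number")
    # Never reveal the whole number, and never more than the policy cap.
    if not 0 <= keep_last <= min(MAX_REVEAL, total - 1):
        raise ValueError("keep_last exceeds reveal policy")
    seen, out = 0, []
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep_last else mask_char)
        else:
            out.append(ch)
    return "".join(out)


def positional_hints(number: str, positions: list[int]) -> str:
    """Disclose only the digits at the given 1-based positions."""
    digits = [ch for ch in number if ch.isdigit()]
    unique = sorted(set(positions))
    if not digits or not unique:
        raise ValueError("nothing to disclose")
    if len(unique) != len(positions) or len(unique) > MAX_REVEAL:
        raise ValueError("duplicate positions or too many digits requested")
    if unique[0] < 1 or unique[-1] > len(digits):
        raise ValueError("position outside the account number")
    return ", ".join(f"digit {p} is {digits[p - 1]}" for p in unique)


if __name__ == "__main__":
    print(mask_account(SAMPLE))
    print(positional_hints(SAMPLE, [3, 7, 8]))
```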

michaelmurfy
#2870502 17-Feb-2022 17:58

@neb Actually you do raise a good point there. Personally with me if somebody were to phone me claiming to be from my bank and gave me my account number I'll phone back my bank. I just had a personal banker help me with a large transaction for example to buy a new car but every time he phoned me I would be asked a few questions then put through to voice biometrics to fully verify me, I didn't give him any information as part of that process that could pwn me and they were giving me information indicating they already had it.

 

If a bank phoned me and said "Am I speaking to Michael with the bank account 06-05......" I'll know something was up but I fully understand also this is just me coming from the banking industry knowing full well what is OK security wise.

 

While the risk is low, I still don't see any reason for masking an account number (nor have I ever seen this used). Take banks as an example when sending out a statement either via email or post, they'll mask a credit card number but will not mask bank account numbers. Better information is out there on an individual than a bank account number thanks to social media and today's society of oversharing.





Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi