It helps that, to be able to use an IBAN for withdrawals, you basically have to "sign" a recurring transfer agreement. Otherwise it's pretty much always a "push" transaction from buyer to seller.
Better than being able to commit ACH fraud merely by virtue of having the bank's routing and account number.
Side note: shout out to both MB Way and Multibanco payments in Portugal that have made it so I haven't have to give payment information to an online vendor in years.
I don't have any experience with making fraudulent transactions, but I at least had to prove who I was when signing up for recurring transactions (so the fraud would've been effectively in my name), and I also see all my authorizations in my bank app (and I can remove them at any time).
In the US, I'd be more worried about a one-time fraudulent ACH withdrawal than a recurring payment situation.
I don't see a similar risk here. It seems like there are more hoops to go through to make a pull transaction?
I pay for several services via SEPA direct debit and the only things I had to provide to sign up was an IBAN and a pinky-promise I was the account holder. As far as I know they have to way to correlate the identity information on the provider account to the bank account holder’s, so it should work in case of fraud too. This lines up with how UK direct debits work as well, where a “sort code” (bank identifier) and account number are enough.
I presume the only security there is arises from the fact that those transactions can be reversed by the account holder within a generous grace period, and that this method of payment is only ever used to pay for long-standing services where there’s a strong paper trail to the beneficiary of said service (so not much point in doing the fraud to begin with).
That sounds right.
IME, though, the whole authorization system I've had to use with SEPA and IBANs feels more secure, and I've had no misgivings about using it to transfer or receive money.
By comparison, using ACH to transfer funds between accounts is usually bidirectional in bank apps, so if you give me your account info so I can send you money, I can also use that same info to withdraw money.
That means I'd never send you my routing and account number even if the original purpose is for you to send me money.
But there is no cryptography or any kind of identity verification involved in "signing" such an agreement. If I know your IBAN I can subscribe to such an agreement on your behalf.
I'm not sure about Europe, but at least in the UK, what makes such a system secure is that the account holder can reverse any "pull" transaction for over a month, with the merchant being on the hook. So it reduces the incentive to exploit it (or at least shifts the risk off the account holder), to a level where it's pretty much never done.