Enhancing security/privacy through multiple IBANs

So in order to enhance security and privacy, do any of you utilise some of your 25 accounts for that purpose?
If so, do you mind sharing how? :)

Example configurations that I mean:
- Holding account, containing your funds - you never share this IBAN with anyone. This account should never be used to pay for anything. For enhanced security, you can put a very low daily limit so it always requires you to up that first before sending a payment larger than X. (For security purposes, this is one of those things it would be nice to have more control over Face/TouchID & iPhone passcode. ;))
- Generic payment account, containing enough funds for your direct debits and/or for example PIN, direct debit and/or online transaction, OR split this up as well:
-- PIN account, if you want to separate it from your payment account for direct debits
-- Online account, if you want to separate it from your PIN and/or Payment account, only to be used for online or manual payments (Such as iDeal)
-- Direct debit account, solely used for direct debits, if you want to separate this from PIN/Online/Manual transfers
- Temporary account IN. An account number to share with others so you don't reveal your other IBANs. Any money going in should instantly be transferred to your Holding account and shouldn't hold a balance for any time longer than needed for you to transfer the funds away from it. (It would be awesome if bunq adds a feature to automate this!).
- Temporary account OUT. An account number to use when sending manual payments to others, so you don't reveal your other IBANs. This account should never contain more than what you're about to send. (Again, also for this it would be awesome if bunq can automate this some way. Eg "Use IBAN x to send funds out for accounts y and z" -> Bunq tops up the temporary account for the amount required from the account you initiated the payment from, then sends the payment from this temporary account.)
- Account dedicated to your MasterCard Debit
- Account dedicated to other online facilities, such as PayPal, Skrill, et cetera. Create as needed.
- Dedicated account for online trading (Marktplaats, eBay, Tweakers V&A, whatever)
- Dedicated account for (online) parties you don't trust a lot (with your data). (eg: Alibaba, Amazon, CJIB (just kidding :P), whatever)
- Extras: of course, you can also create separate accounts for various direct debit mandates so not all parties have the same "Payment account" IBAN (nice when there's a breach!), or you can rotate them once in a while. :)
- Disposable accounts. You create on demand when needed for a one-time payment (send or receive).

Some might wonder "why go through this trouble", "you're crazy even suggesting this" or "tinfoil hat much?". ;)
But it's pretty simple: because it's hardly difficult at all to take some or all of these measures and may prevent some attacks (notably social engineering, which is troublesome as some parties take your bank account for verification purposes :/) from taking place, plus it enhances your privacy in some respects. :)

Not saying I do all of the above by the way. :P That's just a long list of examples and depends on how many layers/separations you want to create.
The single point of failure remains your phone and your own wits/awareness of scammers, but compartmentalising your funds can surely lead to some extra security and privacy - even if you only take 2 or 3 of the potential measures above. (Eg: a holding account (secret) + an online/companies payment account (direct debit, iDeal and manual payments only) + a generic payment account ("public"))

    I'm using a dedicated MasterCard called "Firewall" that is connected to one account "Burner". I use this combination for online/risky payments. The "Burner" account has a card payment limit of 1€ and never has money in it.
    Whenever I need to pay online, I change the limit to what is needed and put enough money for the payment into the account. After that, the settings are reverted to normal.
    Also I'm using one IBAN for "Payments", which I use for direct debits from Amazon, PayPal, etc.
    When a direct debit comes in, I redirect it to the appropriate "real" account/budget manually. This is because I buy different stuff from Amazon/via Paypal, and those payments should be taken from different accounts/budgets so I can't just automatically accept them.
    That's it :)

      @LH-Black-Wolf#64114 In some examples above you make sure that people don't know (some of your) account numbers. Why would that be a problem in any way? The only thing people can do with your account number, is sending you money, right? It's not like they can take money from your account if they have your IBAN.

        @Petervdv#64162 It’s mostly to do with dangers of social engineering: https://en.wikipedia.org/wiki/Social_engineering_(security)
        For multiple reasons, one of which being some companies ask the last digits of your IBAN for verification, which may be the last step in gaining insights and/or access to your account there. This is a flaw, but actually revolves around the other topic I just had replied to and already mentioned it: usability vs security. They need to make it possible to get or restore access with a low hurdle, which is asking for information that mostly only you would fully know. However, through these attack methods - it's almost child's play to get the required data these days, also in part due to people posting half their life online.

        That, and it can help protect your privacy in certain scenarios. :)
        It may not add a whole load of extra security and the human factor remains the weakest link in this chain, but it does help. And SE is just one example of potential abuse with that knowledge, phishing for example is also made easier knowing the IBAN. And there's more, but let's keep it at this for now.

        I'll add though that the people most susceptible to this type of thing will likely not consider doing this. On the other hand, maybe by reading this: people might consider taking more caution and indeed take a few measures so that if it happens to them: they have an extra line of defense. There is no 100% safety, but small little things can make a difference. (Even though security by obscurity is not equal to true security, but obscuring things can make it much harder to find the vulnerability - and that for sure as hell can help a great deal staying safe(r). ;))

          @LH-Black-Wolf#64114 I don't know any company that uses my bank account as access point to my data with them. Of course it means I just don't know. I never tried to get access to my own data pretending to not know the password and not being able to click on the "forgot your password" link because I somehow also managed to lose my email account.

          Like you point out having stuff that is not a secret by any means to get access to accounts is just plain wrong. I wonder if a company could be held liable when they give access to third parties pretending to be you when they give access using that kind of not so secret information. Perhaps they do know it's wrong but for them it's just cheaper to do it anyway. Most likely it is actually the person who wants access and it'll cost them a lot less in support/calls and so on to do it this way. Even if once in a while they have to pay some small amount for damages.

          Regarding that I think that an email account is far more valuable in SE than a bank account. Once you got access to a mail account you can get all sort of "reset password" mails from just about anyone.

          What I have done for several decades is having two different bank accounts. 1 is in use for the main funds. Both income and expenses, like salary, mortgage, insurance and so on. I don't have (or use) a bank card for that account so the data on the card can't get stolen because there just isn't any. This only works for banks which don't have a gadget where you need to insert your card to log in on the website or app obviously.

          2 is used for doing the transactions in shops. There is only a limited amount on that account so if my card ever gets successfully skimmed or I'm forced to get money from an ATM with my card the thieves will only get a bit of money because there just isn't any more on the account.
          The only downside is that you'll need to replenish this account often otherwise you can't pay for your own groceries :|

          With bunq I use a lot more bank accounts but that is actually for a better overview in my budget/expenses/savings than it is used as security.

          For security reasons the fact that you have to give approval for direct debits in the bunq app is a big plus for me. Even though it is supposedly not used very much in criminal activities any company (which is approved!) can get money from any bank account that they know of using direct debit. Unlike bunq most banks just process them and only when the customer complains they revert the direct debit (and will investigate when lots of reversals are done). Of course you don't get approval willy-nilly. And in the past this was only possible for companies in your own country. Now with SEPA any company can do a direct debit from anywhere in the entire SEPA region.
          But I never heard of this happening on such a scale that there was actual news coverage about it. So probably the vetting process is better than I think it is.

            Yes, I am primarily using the multi-account functionality for security/privacy reasons, though I prefer a less complex three-account setup:
            - payments and subscriptions/direct debits, so everything going out to third parties (that I have at least some trust in)
            - personal transfers only, so not shared with third parties/anyone else
            - "burner" account for incoming funds from third parties, primarily from eBay buyers (who can see it in checkout process)
