On 11/29/2014 1:05 AM, Lodewijk wrote:
> Hi Garfield,
>
> Thanks for the clarification. It's surprising to me that posting a bank
> account number could lead to fraud - the bank systems are supposed to be
> robust enough for that. I know that all charities in the Netherlands post
> this number on their website - maybe it could be worth while to reach out
> and see if switching banks might improve the security, if Citibank didn't
> fix it themselves? (There is little relevancy of security to 'IBAN' itself
> of course, which is merely a bank account number. I'm assuming you're
> referring to what people can do using that number to get access in the
> bank).

One avenue for fraud that's facilitated by posting account numbers is
small payment fraud, usually involving stolen credit cards. The basic
technique is that when people illegally buy credit card numbers in large
volumes, since they normally don't possess an actual card, they commonly
test the validity of the card information by making very small online
payments or donations to a known account. If the transaction goes
through, they know the card number can be "safely" used for larger-scale
fraud. Meanwhile, the small donations will invariably be backed out of
the system, whether by the fraudsters themselves or by the financial
institutions cleaning up later when the fraud is detected.

I don't know if that's the specific reason for the decision here, but I
know the fundraising team has dealt with fraud of this type in the past,
and there may be other issues as well. Ultimately it may not directly
threaten the security of our donors or the funds they contribute, but it
does create costs to the organization when it has to identify and review
a significant amount of fraudulent activity. Also, in financial circles
becoming a target for fraud or money laundering, even inadvertently,
could affect our reputation and the willingness of other organizations
to work with us.

As for our own difficulties around communications here, I suspect on all
sides we don't fully appreciate the challenges involved when trying to
merge financial cultures in a global sense. A system may provide
relatively open access to credit while treating bank information as
highly sensitive (as the US mostly does), or it may be more open with
bank information while being much more restrictive about credit (as some
European countries do). Each system has its security practices tailored
to facilitating typical transaction flows within the system. The
underlying assumptions may not work well across systems and may hinder
the ability to establish smooth connections between the two sides. I
certainly don't claim that the American system is necessarily superior,
but in the past when we've considered in which jurisdiction the
Wikimedia Foundation should base its operations, I think the financial
regime has been a secondary consideration, relative to other priorities.

--Michael Snow
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
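
As an added illustration of the small-payment card testing described in the message above (not part of the original email and not the fundraising team's own tooling), this sketch flags a source that tries several distinct cards on small donations within a short window and lists the approved donations that would need review and reversal. The record fields, the sample rows and the thresholds (5.00 maximum amount, 10 minute window, 3 cards) are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample donation attempts (not real data). Field names are
# assumptions: "source" is a client identifier such as an IP address and
# "card" is an opaque card token from the payment processor.
SAMPLE = [
    ("2014-11-29T01:00:05", "198.51.100.7", "tok_a1", 1.00, "declined"),
    ("2014-11-29T01:00:40", "198.51.100.7", "tok_a2", 1.00, "approved"),
    ("2014-11-29T01:01:15", "198.51.100.7", "tok_a3", 1.00, "declined"),
    ("2014-11-29T01:02:30", "198.51.100.7", "tok_a4", 2.00, "approved"),
    ("2014-11-29T09:00:00", "203.0.113.20", "tok_b1", 3.00, "approved"),
    ("2014-11-29T12:00:00", "203.0.113.20", "tok_b2", 3.00, "approved"),
    ("2014-11-29T15:00:00", "203.0.113.20", "tok_b3", 3.00, "approved"),
    ("2014-11-29T10:30:00", "192.0.2.44", "tok_c1", 50.00, "approved"),
]

def parse(rows):
    keys = ("ts", "source", "card", "amount", "status")
    recs = [dict(zip(keys, row)) for row in rows]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return recs

def flag_card_testing(records, max_amount=5.00,
                      window=timedelta(minutes=10), min_cards=3):
    """Map each source that tried >= min_cards distinct cards on small
    donations within one sliding window to the sorted cards involved."""
    by_source = defaultdict(list)
    for r in records:
        if r["amount"] <= max_amount:
            by_source[r["source"]].append(r)
    flagged = defaultdict(set)
    for source, rows in by_source.items():
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= window.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            cards = {r["card"] for r in rows[start:end + 1]}
            if len(cards) >= min_cards:
                flagged[source] |= cards
    return {s: sorted(c) for s, c in flagged.items()}

def review_queue(records, flagged):
    """Approved small donations from flagged sources: the ones that will
    have to be reviewed and backed out."""
    return [r for r in records if r["status"] == "approved"
            and r["card"] in flagged.get(r["source"], ())]
```

The second source in the sample uses three cards spread over six hours, as a shared office address might, and is deliberately left unflagged by the window check.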