On February 18, 2026, Bercy announced that a malicious actor had gained access to the national bank account file (Ficoba). The compromise reportedly allowed the hacker to access information on more than 1.2 million accounts. Among the data consulted: the IBAN, which raises fears of waves of widespread banking scams. What is the real risk?
The intrusion reportedly took place at the end of January, but was not communicated until February 18, 2026. A hacker usurped the credentials of an agent legitimately authorized to consult Ficoba.
This administrative register lists all accounts opened in French banks, with the identities of the holders, their contact details, sometimes the tax identifier, and especially the RIB/IBAN. Sensitive banking references, which pose the threat of large-scale fraudulent direct debits.
In reality, an IBAN alone allows you to send money to an account without prior authorization, but not to empty it. The problem: combined with other stolen data, as is the case here, it becomes a gold mine for malicious actors.
The biggest risk: fake SEPA mandates
With a stolen IBAN, a hacker can initiate fraudulent SEPA direct debits without your prior consent. To do this, they create a falsified SEPA mandate, the formal authorization given by the account holder to a creditor to withdraw funds directly within the SEPA area (enlarged euro zone).
"The simplest fraud to set up consists of registering the victim for a false service with a falsified mandate, to collect small amounts each month which go unnoticed," explains Jérémie Schram, cyber expert for WatchGuard. "Would you react to a levy entitled 'Public Treasury' or 'PUBLIC TREZ0R'?"
To carry out such a maneuver, hackers generally rely on online platforms like Stripe. All they need to do is create a merchant account, make micro-debits (between a few cents and 2 euros), then automate thousands of transactions.
Another trick: adding a SEPA direct debit to legitimate platforms to make payments. On a platform like Amazon, for example, the online process is extremely simple; you just need the victim's IBAN and their first and last name to add the bank account to the payment methods on the platform.
Concrete protections after IBAN theft
In addition to these risks, there are identity theft and phishing attacks, which are often carried out by phone or email. The person you're communicating with gains credibility when they know your IBAN during the exchange.
"The basic problem lies in the fact that many other data are already in existence: your first and last names, addresses, scanned documents (ID card, passport, proof of address), information on your subscriptions, etc.," says Jérémie Schram.
"The possibilities for scams and embezzlement by social engineering are increased tenfold. Targeted phishing, fake banking service, fake bailiff, etc. A compromised email box will allow the attacker to intervene in a conversation, use the IBAN as proof of legitimacy, and request a change in RIB for future payments."
Fortunately, there are simple measures to prevent your IBAN from being exploited, starting with the White List which allows you to block all direct debits which do not come from your trusted creditors.
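The allowlist idea and the small recurring debits described above can also be checked on the account holder's side. The following is an added example, not code from the article or from any bank: it reviews statement lines against a list of trusted creditor labels and flags lookalike names, micro-debits and repeats. The trusted labels, the sample lines, the similarity threshold and the choice to match on the displayed label are all assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist of creditor labels the account holder trusts (assumption).
TRUSTED = ["Public Treasury", "Electricity Provider", "Mobile Operator"]
LEET = str.maketrans("013457", "oleast")  # digits often swapped for letters
MICRO_DEBIT_MAX = 2.00  # the article cites micro-debits of a few cents to 2 euros

def normalize(label):
    """Lowercase, strip accents, undo digit swaps, keep letters only."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))

def classify(label, trusted=TRUSTED, threshold=0.7):
    """Return 'allowed', 'lookalike' (near a trusted label) or 'unknown'."""
    norm = normalize(label)
    if any(label.strip().casefold() == t.casefold() for t in trusted):
        return "allowed"
    for t in trusted:
        if SequenceMatcher(None, norm, normalize(t)).ratio() >= threshold:
            return "lookalike"
    return "unknown"

def review(debits):
    """Flag every debit whose creditor is not allowlisted, with the reasons."""
    seen = {}    # normalized label -> number of flagged debits so far
    alerts = []
    for date, label, amount in debits:
        verdict = classify(label)
        if verdict == "allowed":
            continue
        key = normalize(label)
        seen[key] = seen.get(key, 0) + 1
        reasons = [verdict]
        if amount <= MICRO_DEBIT_MAX:
            reasons.append("micro-debit")
        if seen[key] > 1:
            reasons.append("recurring")
        alerts.append((date, label, amount, reasons))
    return alerts

# Constructed statement lines: (date, creditor label, amount in euros).
SAMPLE = [
    ("2026-03-05", "Public Treasury", 120.00),
    ("2026-03-07", "PUBLIC TREZ0R", 1.50),
    ("2026-04-07", "PUBLIC TREZ0R", 1.50),
    ("2026-04-09", "Streaming Plus", 9.99),
]
```

Calling `review(SAMPLE)` returns the three non-allowlisted debits; the second "PUBLIC TREZ0R" line carries all three reasons because it is a lookalike, under 2 euros, and a repeat.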