globalcitizen / php-iban

Generate, parse, validate, error-correct and present IBAN (and IIBAN) bank account information in PHP.
GNU Lesser General Public License v3.0

IBAN secret or not #102

Closed SunMar closed 4 years ago

SunMar commented 4 years ago

Hi @globalcitizen,

Thank you for the great library! It really helps to be able to do IBAN validation when dealing with bank accounts.

When going through the commits of the most recent releases I came across the falsehood you added that IBANs are not secrets (https://github.com/globalcitizen/php-iban/commit/d568c5462eda0a47f8a929d82a8d67be8cd0ba8c).

Even though it's harder nowadays to abuse an IBAN solely by knowing the number, when it is the IBAN of an actual person (rather than a company) it is considered what's called Personally Identifiable Information (PII). That makes it sensitive information that should be protected and I wouldn't want to call it a "public identifier", as it is not public. That is private information. In the EU, storing and using PII (including IBANs of natural people) is strictly regulated under the privacy regulations set forth in the GDPR. It is also not public since there is no website where you can just type in the name of a person and get their bank account, and you also can't call a bank and ask what someone's IBAN is; they won't provide it.

My suggestion would be to remove this falsehood again. Whether or not IBANs should be secret really depends on the context. What is the use case of the IBAN? What type of application are we dealing with? Is it an IBAN of a company or a natural person? What are the local laws and regulations? I don't think there is a single yes or no answer on whether IBANs should be kept secret or not.

globalcitizen commented 4 years ago

This is a good thing to think about.

Fundamentally, however, one should not assume that an IBAN is a secret, because it is in many cases generated from previous predictable systems or is broadcast to business partners or the public internet.

It is true that identifiers do have some privacy significance. However, I believe in the context of conventional banking systems their use is expected, so they should not be expected to be secret.

Once you have told anyone, the 'cat is out of the bag' (you cannot 'reset' the secret-ness of your IBAN).

I recommend reading about 'security through obscurity' for more discussion on these concerns.
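
Added example, not part of the thread and not php-iban's own code: the reply's remark that an IBAN is often generated from an earlier, predictable numbering system can be seen in the ISO 13616 check-digit calculation, where the two check digits are a pure function of the country code and the domestic account number (BBAN) and add no secrecy of their own. The function names are hypothetical, and the sample value is the widely published documentation IBAN for GB.

```php
<?php
// Added illustration, not php-iban code. Function names are hypothetical.

// ISO 13616 letter mapping: A=10 ... Z=35; digits pass through unchanged.
function iban_to_digits(string $s): string {
    $out = '';
    foreach (str_split($s) as $ch) {
        if (ctype_digit($ch)) {
            $out .= $ch;
        } elseif (ctype_upper($ch)) {
            $out .= (string) (ord($ch) - 55);
        } else {
            throw new InvalidArgumentException('invalid IBAN character');
        }
    }
    return $out;
}

// Remainder mod 97 of an arbitrarily long decimal string, one digit at a
// time, so no big-integer extension is needed.
function mod97(string $digits): int {
    $r = 0;
    foreach (str_split($digits) as $d) {
        $r = ($r * 10 + (int) $d) % 97;
    }
    return $r;
}

// Check digits are a pure function of country code + domestic number (BBAN).
function derive_iban(string $country, string $bban): string {
    $country = strtoupper($country);
    $bban = strtoupper(preg_replace('/\s+/', '', $bban));
    $check = 98 - mod97(iban_to_digits($bban . $country . '00'));
    return $country . sprintf('%02d', $check) . $bban;
}

// Validation: move the first four characters to the end; remainder must be 1.
function iban_checksum_ok(string $iban): bool {
    $iban = strtoupper(preg_replace('/\s+/', '', $iban));
    if (strlen($iban) < 5 || !ctype_alnum($iban)) {
        return false;
    }
    return mod97(iban_to_digits(substr($iban, 4) . substr($iban, 0, 4))) === 1;
}

// Sample input: the widely published documentation IBAN for GB.
var_dump(derive_iban('GB', 'WEST 1234 5698 7654 32') === 'GB82WEST12345698765432');
var_dump(iban_checksum_ok('GB82 WEST 1234 5698 7654 32'));
var_dump(iban_checksum_ok('GB83 WEST 1234 5698 7654 32')); // altered check digits
```

The checksum detects transcription errors only; passing it says nothing about whether the account exists or who presented the number, so an IBAN should be handled as an identifier, not as an authenticator.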