The introduction of the Pay feature in ABN Amro's payment app Tikkie has caused privacy problems. The new feature made it possible to track IBAN numbers of Tikkie users without their knowledge, RTL news discovered.
IBAN number visible upon withdrawal of payment
The Pay feature offered Tikkie users an overview of people from their contact list who also use Tikkie and had linked their 06 number to the app. That way, Tikkie users could easily make payments to people from their contact list.
However, it turned out that such a payment via the contact list could be withdrawn just before the actual transfer. The so-called recipient of a payment then received no money and thus did not know about the payment order, but the payer was shown a payment description containing the IBAN number of the recipient.
Risk of identity fraud and phishing
The ability to retrieve IBAN numbers poses a risk of identity fraud because account numbers are often used for identity verification. In addition, criminals can use account numbers for phishing messages, convincing people to make payments.
ABN Amro immediately took the Pay feature offline. The bank expressed concern about the situation, but also indicated that the feature had only been used less than 1,000 times. The incident has been reported to the Autoriteit Persoonsgegevens.
