Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You'll note of course that I said "banking system," and I said "you can assign a bank account a unique identifier." i.e. I can create a scheme where I can map a particular account to a globally unique number, with rules about who owns which ranges etc.

So if Alice provides Bob a globally unique identifier to their bank account, then that's where it's going.

If Alice gives Bob a token that is hopefully mapped to the account, then there's an additional layer that can go wrong.

Eve can compromise Alice's e-mail or phone number, and then try and convince their bank that their bank account should now be associated with that identifier. If it's a different bank, then presumably this request must be federated through the third party system. And hopefully the 'true' owner is not identified by sending an e-mail or SMS.

Or maybe Eve just creates a bunch of accounts and tries to associate them with a bunch of telephone numbers and e-mail addresses that she can compromise at will and waits for the money to roll in. This is obviously more likely if some people have more than one account, as it means that the mapping of account -> e-mail/phone no. can no longer be mandatory.

In your example it sounds like they've got some reasonable safeguards in place (like ensuring you have to de-register a mapping before you can register a new one), the only point I was trying to make is that yes, it can be done, but to be done safely it's much harder than just simply having an account number (including routing number/sort code/swift code etc.).

You lose the 1-1 mapping and it gives you yet another thing that you have to actively manage/remember how it's set up/remember to change when you change e-mail provider or your phone number changes.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: