SEPA Payment Validation Issues

December 2024

I found that Stripe and Dropbox SEPA Direct Debit implementations allow premium subscription activation without proper IBAN validation.

The issue is simple. Enter any number in valid IBAN format as the payment method. The subscription activates immediately. Nothing verifies that the IBAN belongs to the person entering it.

This is not a bug in the traditional sense. The system works as designed. SEPA Direct Debit is asynchronous. When you enter an IBAN, the merchant cannot know immediately whether the account exists or whether you own it. Verification takes days, sometimes weeks.

So merchants face a choice: delay service activation until payment clears, or activate immediately and hope the customer is honest. Most choose immediate activation. The conversion rate matters more than the fraud rate, until the fraud rate becomes unignorable.

With Dropbox, I was able to activate Dropbox Essentials Plus worth several hundred euros using an unverified IBAN. This vulnerability was being discussed in a private Telegram group with 10,000 members when I found it.

The EU's new Instant Payments Regulation requires verification between IBAN and account holder name by October 2025. Payment service providers must implement this. The companies that have not thought about this yet will have to rebuild their payment flows.

Companies like hide.me and squarespace.com use their own payment gateways and have implemented proper IBAN validation. It is possible. It just requires treating payment as something that needs verification before service provisioning, not after.
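As an added illustration of the gap described above between format validation and ownership verification (example code written for this page, not the author's code or any named company's implementation): the mod-97 check below is everything a payment form can confirm about an IBAN at entry time, and the provisioning gate refuses to activate paid features on that evidence alone. The `Verification` states and the country-length table are assumptions for this example; the sample IBANs are the standard documentation examples, not live accounts.

```python
import re
from enum import Enum

# Expected IBAN lengths for a few SEPA countries (ISO 13616 registry; assumed subset).
IBAN_LENGTHS = {"AT": 20, "BE": 16, "DE": 22, "ES": 24, "FR": 27, "GB": 22, "IT": 27, "NL": 18}


def iban_format_valid(iban: str) -> bool:
    """Structural check only: country length plus ISO 7064 mod-97 checksum.

    Passing this says nothing about whether the account exists or who owns it;
    it is the 'valid IBAN format' that lets an unverified mandate be created.
    """
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", s):
        return False
    if IBAN_LENGTHS.get(s[:2]) != len(s):
        return False
    # Move country code and check digits to the end, map A..Z to 10..35, reduce mod 97.
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


class Verification(Enum):
    """Hypothetical verification states a merchant's payment flow might track."""
    FORMAT_ONLY = "format_only"          # checksum passed; owner and funds unknown
    PAYEE_CONFIRMED = "payee_confirmed"  # bank confirmed the account-holder name
    DEBIT_SETTLED = "debit_settled"      # first debit cleared without being returned


def activation_decision(iban: str, status: Verification) -> str:
    """Gate provisioning on verification, not on the checksum.

    Returns 'reject' (malformed IBAN), 'hold' (mandate may be stored but premium
    features wait), or 'activate' (ownership or settlement confirmed).
    """
    if not iban_format_valid(iban):
        return "reject"
    if status is Verification.FORMAT_ONLY:
        return "hold"
    return "activate"


if __name__ == "__main__":
    # Documentation example IBAN (not a live account): checksum passes, yet activation is held.
    example = "DE89 3704 0044 0532 0130 00"
    print(iban_format_valid(example), activation_decision(example, Verification.FORMAT_ONLY))
```

A flow that returns "hold" can still create the mandate and start the first collection; it simply delays premium features until the status moves past `FORMAT_ONLY`.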