Warning for those who have an account in this Portuguese bank: Safety Failure Exposed IBAN of customers through the mobile phone

by Andrea

The warning caught many customers by surprise. A vulnerability in the transfer system may have exposed the IBAN of several Activobank accounts simply by linking them to a mobile phone number. The situation raises serious concerns about privacy and digital security.

According to the Tugatech technology forum, citing a communication the bank sent to customers, the flaw was exploited to obtain the IBAN associated with a mobile phone number, with no indication of any unauthorised movements.

The incident is related to SPIN, a service launched by (BDP) in 2024 to simplify transfers, allowing money to be sent using a mobile phone number, NIF or NIPC instead of an IBAN. The tool was designed so that money could be sent without the need to share the IBAN. Now a technical failure has revealed exactly what the system was meant to protect.

According to the BDP, SPIN confirms the beneficiary's name before authorisation and does not provide for showing the IBAN to the ordering party, so the IBAN exposure stems from the way the institution implemented the functionality.

According to the communication cited by Tugatech, attackers simulated transfers to make the platform return the full IBAN associated with a telephone number. The bank stressed that the flaw did not give access to any further account information, but it exposed a sensitive data item that can be valuable in fraud schemes.
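As an added illustration (not code from the bank or from the SPIN service itself), the contrast between a beneficiary-confirmation step that hands back the IBAN and one that follows the design the BDP describes, returning only the beneficiary name, plus a simple monitor that flags a requester whose lookups never turn into executed transfers. The directory entries, function names and threshold are constructed assumptions.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample directory: phone number -> (beneficiary name, IBAN).
# These values are made up for the example and are not real accounts.
DIRECTORY = {
    "+351910000001": ("Maria Silva", "PT50000000000000000000001"),
    "+351910000002": ("Joao Santos", "PT50000000000000000000002"),
}


def resolve_leaky(phone: str) -> Optional[dict]:
    """Leaky shape: the confirmation step returns the full IBAN to the
    ordering party, which is exactly the data the service exists to hide."""
    entry = DIRECTORY.get(phone)
    if entry is None:
        return None
    name, iban = entry
    return {"name": name, "iban": iban}


def resolve_hardened(phone: str) -> Optional[dict]:
    """Hardened shape: confirm the beneficiary name only. The IBAN is
    resolved server-side when the transfer executes and never returned."""
    entry = DIRECTORY.get(phone)
    if entry is None:
        return None
    name, _iban = entry
    return {"name": name}


class LookupMonitor:
    """Counts confirmations per requester against executed transfers, so a
    burst of simulated transfers that are never sent stands out."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.lookups = defaultdict(int)
        self.executed = defaultdict(int)

    def record_lookup(self, requester: str) -> None:
        self.lookups[requester] += 1

    def record_execution(self, requester: str) -> None:
        self.executed[requester] += 1

    def is_enumerating(self, requester: str) -> bool:
        """True when unexecuted lookups exceed the configured threshold."""
        return self.lookups[requester] - self.executed[requester] > self.threshold
```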


The danger of social engineering

For Activobank, the biggest threat lies in the use of the IBAN in scams as "proof" of legitimacy, in a phone call or a message, leading the victim to reveal codes or credentials. This vector is common in fraud attempts in Portugal, with messages, calls and emails imitating legitimate entities.

In practice, someone holding this data can call the victim pretending to be a bank employee. By quoting the IBAN as "proof" of legitimacy, they gain the trust needed to ask for access codes, passwords or other security elements. This is how many bank frauds begin.

Reinforced safety rules

In the message sent, Activobank reminds customers that it never asks for access data by telephone, SMS or e-mail and advises against following links in communications. The bank itself states on its security pages that its communications contain no links and that customers must go directly to the official website or app.

Another recommendation is to avoid entering homebanking through links received in messages. The safe way to access the account remains typing the official address directly into the browser or using the bank's application.

A further recommendation is to activate alerts in the app to validate movements and quickly detect any suspicious operation, a feature the institution provides.

Failure may not be isolated

On 17/09/2025, CGD reportedly contacted customers to inform them that account numbers and IBANs "were obtained unlawfully", without confirming the origin, with suspicion falling on SPIN, Tugatech reports. So far there is no official statement from Banco de Portugal pointing to a systemic vulnerability.

According to the same source, cybersecurity experts stress that shared interbank systems increase convenience but also increase risk. A problem detected at one institution can be replicated at others if corrections are not coordinated.

The National Data Protection Commission (CNPD) may be called on to follow the case, as it involves the processing and exposure of personal data. In similar situations, fines have already been imposed on entities that failed to properly ensure the confidentiality of information.

Since the IBAN is personal data, situations like this can qualify as a data breach. Under the CNPD and the RGPD (art. 33), the authority must be notified within 72 hours when there is a risk to the data subjects. However, there is no public confirmation of any notification in this case.

A warning for the future

The convenience of transferring money using only a mobile phone number does not dispense with attention to good practices. According to Banco de Portugal, SPIN was meant to simplify the process and add security (with beneficiary confirmation), but flawed implementations can open breaches that attackers exploit. The user's vigilance remains the first line of defence.

As technology advances, fraudulent schemes also become more sophisticated. Small slips, such as trusting an unexpected phone call or clicking a suspicious link, can open the door to considerable financial losses.
