This is not a bug as such, but I would like to bring this to your attention.
A customer incorrectly used my Bank Account details (instead of their own), when filling out the ‘Make a Bank payment with GoCardless’ details on the webpage, which can be accessed via the link inside the QuickFile invoice.
I have contacted GoCardless who were quick to explain how this happened and will be refunding the monies and I am of course protected by the DD guarantee.
My concern is that GoCardless allowed the customer to use my Bank Account details, without any security check (as far as I can tell) and that GoCardless did not see the payment and receiving account were the same before taking the monies.
This would appear to make it very easy for a criminal to commit fraud. All they would need is stolen Bank Account details and a Bank/QuickFile account.
I will of course be contacting GoCardless about this, but I would be interested in other people's opinions on this.
GoCardless leverage the Direct Debit system to process payments. One thing about Direct Debits in general is you can set them up against any account by knowing just the bank account number and sort code. This has long been the case, even before GoCardless existed, and there are mixed opinions about this (just Google “Direct Debit Security”).
The Direct Debit Guarantee however does give you very strong recourse should you find any payments on your account that you do not recognise. I personally have used this in the past and the funds were returned immediately without quibble.
I believe GoCardless do also implement their own anti-fraud controls to prevent abuse of the system. However, setting up a DD on the same sender and receiving account does seem strange and something that can easily be restricted (at least in theory). I’m sure GoCardless will be able to explain this in a bit more detail.