As is well known, the German IBAN consists of the country code (DE), two check digits (according to ISO 7064), the bank code (8 digits) and the account number (including the sub-account number; 10 digits, with missing digits filled with leading zeros), and therefore has 22 characters. To calculate the check digits, the so-called BBAN (bank code and account number) is extended with the numeric country code \(1314\) for Germany and the check digits \(00\).
For example, the bank code 21050170 and the account number 12345678 give the BBAN 210501700012345678. Extended with the country code and the check digits 00, this results in \(x = 210501700012345678131400\), and the check digits are then \(98 - (x \mod 97)\). It is no coincidence that the divisor is \(97\): as the largest two-digit prime number, it detects incorrect entries such as transposed digits with the greatest possible probability. We now show the following statements:
- Changing one digit of a valid IBAN will result in an invalid IBAN.
- Changing two different digits of a valid IBAN can result in a valid IBAN.
- If two different positions of a valid IBAN are interchanged, an invalid IBAN is created.
- If two different positions of a valid IBAN are swapped twice (two separate swaps), a valid IBAN can result.
Let $$A = DE P_1 P_2 N_1 N_2 N_3 N_4 N_5 N_6 N_7 N_8 N_9 N_{10} N_{11} N_{12} N_{13} N_{14} N_{15} N_{16} N_{17} N_{18}$$ be a valid IBAN.
Then $$A_B = N_1 N_2 N_3 N_4 N_5 N_6 N_7 N_8 N_9 N_{10} N_{11} N_{12} N_{13} N_{14} N_{15} N_{16} N_{17} N_{18} 131400$$ is the associated BBAN (extended with the number-coded country code DE and the check digits \(00\)).
- If we now change \(N_k\), then \(A_B^* = A_B + l \cdot 10^{24-k}\) with \(1 \leq k \leq 18\) and \((-1) \cdot N_k \leq l \leq 9-N_k \wedge l \neq 0\). With \( P = 98 - (A_B \mod 97) \) we get \(P^* = 98 - \left((A_B + l \cdot 10^{24-k}) \mod 97\right) \). In general, for \( a \equiv a' \mod m, b \equiv b' \mod m \) we have \(a + b \equiv a' + b' \mod m\). With \(A_B \equiv R_1 \mod 97\) and \(l \cdot 10^{24-k} \equiv R_2 \mod 97\) we get \( (A_B + l \cdot 10^{24-k}) \equiv R_1 + R_2 \mod 97 \). But now \( 0 < R_2 < 97 \) (97 is prime and divides neither \(l\) nor a power of 10), and thus \( P^* = 98 - (R_1+R_2) \neq 98 - R_1 = P \) and therefore \( P_1 \neq P_1^* \vee P_2 \neq P_2^* \). This leaves only the case in which a digit of \( P \) itself is changed, giving \( P^* \neq P \). Here, however, the \( N_k \) remain unchanged, so the checksum computed from them is \( P \neq P^* \).
- The following two IBANs are valid:
$$\begin{align} A_1 = DE89207300\boldsymbol{\color{red}01}0012345674 \\ A_2 = DE89207300\boldsymbol{\color{red}98}0012345674 \end{align}$$ This takes advantage of the fact that we increased two adjacent digits in \(A_1\) by \(97\). In addition, the IBANs are not only formally valid: the underlying bank codes 20730001 and 20730098 actually exist.
- We first try to swap \( N_{k_1} \) and \( N_{k_2} \). First, \( P = 98 - (A_B \mod 97) \) and \(P^* = 98 - \left((A_B + l \cdot 10^{24-k_1} - l \cdot 10^{24-k_2}) \mod 97\right) \) with \(l = N_{k_2} - N_{k_1}\) and \(1 \leq k_1, k_2 \leq 18\). Now, because of
$$\begin{array} {|c|c|} \hline k & R = 10^{24-k} \mod 97 \\ \hline 1 & 56 \\ \hline 2 & 25 \\ \hline 3 & 51 \\ \hline 4 & 73 \\ \hline 5 & 17 \\ \hline 6 & 89 \\ \hline 7 & 38 \\ \hline 8 & 62 \\ \hline 9 & 45 \\ \hline 10 & 53 \\ \hline 11 & 15 \\ \hline 12 & 50 \\ \hline 13 & 5 \\ \hline 14 & 49 \\ \hline 15 & 34 \\ \hline 16 & 81 \\ \hline 17 & 76 \\ \hline 18 & 27 \\ \hline \end{array}$$
we have \( \forall k_1 \neq k_2 \in \left\{ 1, \ldots, 18 \right\} : R_{k_1} \neq R_{k_2}\). Hence \( P \neq P^* \). It remains to check the case in which \(P_n\) and \(N_k\), with \( 1 \leq n \leq 2 \) and \( 1 \leq k \leq 18 \), are swapped. Let \(P = 98 - (A_B \mod 97)\), \(R_1 = (A_B \mod 97)\), \(P^* = 98 - \left((A_B + l \cdot 10^{24-k}) \mod 97\right)\), \(R_2 = \left((A_B + l \cdot 10^{24-k}) \mod 97\right)\). Since we change \(A_B\) by \(l \cdot 10^{24-k}\), we have to change \(P_1\) or \(P_2\) by \(-l\), that is, change \(P\) by \(-10^m l\) with \(m \in \{0,1\}\). Then \(P^* = 98 - R_2\) but also \(P^* = P - 10^m l = 98 - R_1 - 10^m l\), consequently \(R_2 = R_1 + 10^m l,\) and thus
$$((A_B \mod 97) + (l \cdot 10^{24-k} \mod 97)) \mod 97 = (A_B \mod 97) + 10^m l$$ However, this equation is never fulfilled, as the following script shows: see the Pen "IBAN FORMULA CHECK" by David Vielhuber (@vielhuber) on CodePen.
This leaves only a possible exchange of \(P_1\) and \(P_2\). Here, however, the \( N_k \) remain unchanged, so the checksum computed from them is \( P \neq P^* \).
- The following two IBANs are valid:
$$\begin{align*}A_1 = DE\boldsymbol{\color{red}8}\boldsymbol{\color{green}3}20220800\boldsymbol{\color{red}1}000000\boldsymbol{\color{green}0}00 \\ A_2 = DE\boldsymbol{\color{red}1}\boldsymbol{\color{green}0}20220800\boldsymbol{\color{red}8}000000\boldsymbol{\color{green}3}00\end{align*}$$ Here, too, the bank code 20220800 actually exists.
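The four statements can also be checked by brute force. The following JavaScript is an added example, not the author's CodePen script: it recomputes the check digits as described above, tries every single-digit change and every swap of two differing digits on the sample IBAN built from bank code 21050170 and account number 12345678, and validates the two counterexample pairs. The function names are this example's own.

```javascript
// Added example; function names are this example's own, IBANs are the ones on the page.
const DE_SUFFIX = "131400"; // "DE" as digits (D=13, E=14) plus placeholder check digits 00

// Check digits P = 98 - (x mod 97) for an 18-digit BBAN (bank code + account number).
function checkDigits(bban) {
  const p = 98n - (BigInt(bban + DE_SUFFIX) % 97n);
  return p.toString().padStart(2, "0");
}

// Build the IBAN; the account number is left-padded with zeros to 10 digits.
function buildIban(bankCode, account) {
  const bban = bankCode + account.padStart(10, "0");
  return "DE" + checkDigits(bban) + bban;
}

// Valid: "DE" + 20 digits, and the stored check digits equal the recomputed ones.
function isValid(iban) {
  return /^DE\d{20}$/.test(iban) && iban.slice(2, 4) === checkDigits(iban.slice(4));
}

// Statement 1: count single-digit changes (any of the 20 digits) that still validate.
function acceptedSingleDigitChanges(iban) {
  let accepted = 0;
  for (let i = 2; i < iban.length; i++) {
    for (let d = 0; d <= 9; d++) {
      if (String(d) === iban[i]) continue;
      if (isValid(iban.slice(0, i) + d + iban.slice(i + 1))) accepted++;
    }
  }
  return accepted;
}

// Statement 3: count swaps of two positions holding different digits that still validate.
function acceptedSwaps(iban) {
  let accepted = 0;
  for (let i = 2; i < iban.length; i++) {
    for (let j = i + 1; j < iban.length; j++) {
      if (iban[i] === iban[j]) continue;
      const s = iban.slice(0, i) + iban[j] + iban.slice(i + 1, j) + iban[i] + iban.slice(j + 1);
      if (isValid(s)) accepted++;
    }
  }
  return accepted;
}

const sample = buildIban("21050170", "12345678");
console.log(sample, acceptedSingleDigitChanges(sample), acceptedSwaps(sample));
// Statements 2 and 4: the page's pairs, differing in two digits or by two swaps.
console.log(["DE89207300010012345674", "DE89207300980012345674",
  "DE83202208001000000000", "DE10202208008000000300"].map(isValid));
```

Both counters stay at zero for the sample IBAN, while all four IBANs of the two pairs validate.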