# About the robustness of the IBAN0422

As is well known, the German IBAN consists of the country code (DE), two check digits (according to ISO 7064), the bank code (8 digits) and the account number (including the sub-account number, 10 digits, missing digits are filled with leading zeros) and is therefore 22 characters long. To calculate the check digits, the so-called BBAN (bank code and account number) is formed and extended with the numeric country code $$1314$$ for Germany and the check digits $$00$$.

For example, the bank code 21050170 and the account number 12345678 yield the BBAN 210501700012345678. Extended with the country code and the check digits 00, this results in $$x = 210501700012345678131400$$, and the check digits are then $$98 - (x \mod 97)$$. It is no coincidence that the division is by $$97$$. As the largest possible two-digit prime number, it recognizes incorrect entries such as transposed digits with the greatest possible probability. We now show the following statements:

1. Changing one digit of a valid IBAN will result in an invalid IBAN.
2. Changing two different digits of a valid IBAN can result in a valid IBAN.
3. If two different positions of a valid IBAN are interchanged, an invalid IBAN is created.
4. If two swaps, each exchanging two different positions, are applied to a valid IBAN, a valid IBAN can result.

Let $$A = DE P_1 P_2 N_1 N_2 N_3 N_4 N_5 N_6 N_7 N_8 N_9 N_{10} N_{11} N_{12} N_{13} N_{14} N_{15} N_{16} N_{17} N_{18}$$ be a valid IBAN.

Then $$A_B = N_1 N_2 N_3 N_4 N_5 N_6 N_7 N_8 N_9 N_{10} N_{11} N_{12} N_{13} N_{14} N_{15} N_{16} N_{17} N_{18} 131400$$ is the associated BBAN (extended with the numerically coded country code DE and the check digits $$00$$).

1. If we now change $$N_k$$, then $$A_B^* = A_B + l \cdot 10^{24-k}$$ with $$1 \leq k \leq 18$$ and $$(-1) \cdot N_k \leq l \leq 9-N_k \wedge l \neq 0$$. We have $$P = 98 - (A_B \mod 97)$$, but $$P^* = 98 - \left((A_B + l \cdot 10^{24-k}) \mod 97\right)$$. In general, for $$a \equiv a' \mod m, b \equiv b' \mod m$$ we have $$a + b \equiv a' + b' \mod m$$. With $$A_B \equiv R_1 \mod 97$$ and $$l \cdot 10^{24-k} \equiv R_2 \mod 97$$ we get $$(A_B + l \cdot 10^{24-k}) \equiv R_1 + R_2 \mod 97$$. But now $$0 < R_2 < 97$$ (since $$97$$ is prime and divides neither $$l$$ nor a power of $$10$$) and thus $$P^* = 98 - (R_1+R_2) \neq 98 - R_1 = P$$ and therefore $$P_1 \neq P_1^* \vee P_2 \neq P_2^*$$. This leaves only the possible change of a digit of $$P$$ itself, giving $$P^* \neq P$$. But here $$N_k$$ remains unchanged, so the checksum computed from the BBAN is still $$P \neq P^*$$.
2. The following two IBANs are valid:
\begin{align} A_1 = DE89207300\boldsymbol{\color{red}01}0012345674 \\ A_2 = DE89207300\boldsymbol{\color{red}98}0012345674 \end{align} This exploits the fact that the number formed by two adjacent digits of $$A_1$$ was increased by $$97$$. In addition, the IBAN is not only formally valid, but the underlying bank sort codes 20730001 and 20730098 actually exist.
3. We first try to swap $$N_{k_1}$$ and $$N_{k_2}$$. We have $$P = 98 - (A_B \mod 97)$$ and $$P^* = 98 - \left((A_B + l \cdot 10^{24-k_1} - l \cdot 10^{24-k_2}) \mod 97\right)$$ with $$l = N_{k_2} - N_{k_1}$$ and $$1 \leq k_1, k_2 \leq 18$$. Now, because of

$$\begin{array} {|c|c|} \hline k & R = 10^{24-k} \mod 97 \\ \hline 1 & 56 \\ \hline 2 & 25 \\ \hline 3 & 51 \\ \hline 4 & 73 \\ \hline 5 & 17 \\ \hline 6 & 89 \\ \hline 7 & 38 \\ \hline 8 & 62 \\ \hline 9 & 45 \\ \hline 10 & 53 \\ \hline 11 & 15 \\ \hline 12 & 50 \\ \hline 13 & 5 \\ \hline 14 & 49 \\ \hline 15 & 34 \\ \hline 16 & 81 \\ \hline 17 & 76 \\ \hline 18 & 27 \\ \hline \end{array}$$
we have $$\forall k_1 \neq k_2 \in \left\{ 1, \ldots, 18 \right\} : R_{k_1} \neq R_{k_2}$$. Hence $$P \neq P^*$$. It remains to check the case where $$P_n$$ and $$N_k$$ with $$1 \leq n \leq 2$$ and $$1 \leq k \leq 18$$ are swapped. Let $$P = 98 - (A_B \mod 97)$$, $$R_1 = (A_B \mod 97)$$, $$P^* = 98 - \left((A_B + l \cdot 10^{24-k}) \mod 97\right)$$, $$R_2 = \left((A_B + l \cdot 10^{24-k}) \mod 97\right)$$. Since we change $$A_B$$ by $$l \cdot 10^{24-k}$$, we have to change $$P_1$$ or $$P_2$$ by $$-l$$, that is, change $$P$$ by $$-10^m l$$ with $$m \in \{0,1\}$$. Then $$P^* = 98 - R_2$$ but also $$P^* = P - 10^m l = 98 - R_1 - 10^m l$$, consequently $$R_2 = R_1 + 10^m l,$$ and thus
$$((A_B \mod 97) + (l \cdot 10^{24-k} \mod 97)) \mod 97 = (A_B \mod 97) + 10^m l$$ However, this equation is never fulfilled, as the following script shows:

See the Pen IBAN FORMULA CHECK by David Vielhuber (@vielhuber) on CodePen.

This leaves only a possible exchange of $$P_1$$ and $$P_2$$. But here the $$N_k$$ remain unchanged, so the checksum computed from the BBAN is still $$P \neq P^*$$.
4. The following two IBANs are valid:
\begin{align*}A_1 = DE\boldsymbol{\color{red}8}\boldsymbol{\color{green}3}20220800\boldsymbol{\color{red}1}000000\boldsymbol{\color{green}0}00 \\ A_2 = DE\boldsymbol{\color{red}1}\boldsymbol{\color{green}0}20220800\boldsymbol{\color{red}8}000000\boldsymbol{\color{green}3}00\end{align*} Here, too, the BIC 20220800 actually exists.
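
The four statements can also be checked numerically. The following Python script is an added example, not the CodePen script referenced above and not the author's code; it treats an IBAN as valid only if its check digits equal $$98 - (x \mod 97)$$ as defined on this page, and its function names are chosen here for illustration. It tests statements 1 and 3 exhaustively on the IBAN built from bank code 21050170 and account number 12345678, and confirms the counterexamples given for statements 2 and 4.

```python
# Added example (not the page's CodePen script); function names are chosen here.
from itertools import combinations

DIGIT_POS = range(2, 22)  # indices of P1, P2, N1..N18 in a 22-character German IBAN

def check_digits(bban: str) -> str:
    """P = 98 - (x mod 97), where x is the BBAN followed by 1314 (DE) and 00."""
    return f"{98 - int(bban + '131400') % 97:02d}"

def is_valid(iban: str) -> bool:
    """Strict check: the printed check digits must equal the recomputed ones."""
    return (len(iban) == 22 and iban[:2] == "DE" and iban[2:].isdigit()
            and iban[2:4] == check_digits(iban[4:]))

def single_digit_changes(iban: str):
    """Statement 1: every IBAN that differs from `iban` in exactly one digit."""
    for i in DIGIT_POS:
        for d in "0123456789":
            if d != iban[i]:
                yield iban[:i] + d + iban[i + 1:]

def transpositions(iban: str):
    """Statement 3: every swap of two positions that hold different digits."""
    for i, j in combinations(DIGIT_POS, 2):
        if iban[i] != iban[j]:
            s = list(iban)
            s[i], s[j] = s[j], s[i]
            yield "".join(s)

def survivors(iban: str, mutate) -> list:
    """Mutated IBANs that still validate, i.e. errors the checksum misses."""
    return [m for m in mutate(iban) if is_valid(m)]

def differing_positions(a: str, b: str) -> list:
    """Indices at which two IBANs of equal length differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    bban = "210501700012345678"  # bank code and account number from the text
    iban = "DE" + check_digits(bban) + bban
    print(iban, is_valid(iban))
    print("undetected single-digit changes:", survivors(iban, single_digit_changes))
    print("undetected transpositions:", survivors(iban, transpositions))
    # Counterexamples for statements 2 and 4, copied from the article.
    for a, b in [("DE89207300010012345674", "DE89207300980012345674"),
                 ("DE83202208001000000000", "DE10202208008000000300")]:
        print(a, b, is_valid(a), is_valid(b), differing_positions(a, b))
```
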