
> Just because everyone does it this doesn't mean it's safe to do. If some trolls manage to get hold of your IBAN and the account isn't protected from direct debit, you will get fucked by idiots ordering pizza and dildos.

I don't know anyone who this has ever happened to. Only vetted companies are allowed to perform Direct Debits, e.g. utilities who know your physical address. In the UK (still a member of SEPA even post Brexit) the Direct Debit Guarantee [1] makes it easy to reverse any errant Direct Debits through your bank.

The pizza or dildo company likely won't accept Direct Debits and will require a debit or credit card for the transaction instead.

[1] https://www.directdebit.co.uk/direct-debit-explained/direct-...



My IBAN was used 3 weeks ago to buy ~578€ worth of tools via a hardware online store, via a PayPal guest account. For some reason they did not need verification of the account. Perhaps it had to do with this exact IBAN being verified with my PayPal account, but this account was not hacked or used in any way.

Lidl also had huge issues surrounding SEPA debit payments; it was in the media.

Credit card payments are getting more secure by the day in the EU, and direct debit is still a piece of rubbish.


> Only vetted companies are allowed to perform Direct Debits, e.g. utilities who know your physical address.

The scenario is not fraud, that is hard(er) to pull off due to vetting, but trolling someone with fake online shop orders.

> In the UK (still a member of SEPA even post Brexit) the Direct Debit Guarantee [1] makes it easy to reverse any errant Direct Debits through your bank.

It's the same here in Germany, but you're still stuck with unwinding all of the bullshit.

> The pizza or dildo company likely won't accept Direct Debits and will require a debit or credit card for the transaction instead.

Here in Germany, paying with SEPA DD is the norm.


SEPA Direct Debit is mostly used for recurring payments, and the account owner must authorize the company to use it. Just knowing someone's account number is not enough, you still need that initial authorization.

In fact, in some EU countries businesses are required to publish their bank account numbers in some central, government-run registry. It wouldn't be safe to do, if it could result in having your money stolen.



