For SEPA-DD, 8 weeks is for no questions asked refund; in general for non-authorised payments you have 13 months to request a refund, but if it's 8+ weeks they can verify the lack of direct debit mandate before hand - but it seems to be the policy of most banks that they'll refund anyway immediately and let the merchant handle the problems.
Many companies (and individuals) in Europe publish their account numbers on their letter head and website, it really isn't a big deal.
Anything else seems security by obscurity.