PINs and the burden on customers

May 4th, 2010 at 07:52 UTC by Ross Anderson

A survey by the Consumers’ Association shows that 10% of cardholders write down or share their PIN. This high proportion surely raises serious doubt about whether it’s fair for banks to claim that such people are “grossly negligent” even if the PIN is well disguised (for example, as part of a phone number in an address book with hundreds of other numbers). And if banks don’t want disabled people to share PINs with carers, they ought to come up with an alternative, or be held to account under disability discrimination laws.

Interestingly, Mark Bowerman (PR for the banks) says in this article that customers should not use the same PIN for multiple cards. We heard him on radio saying exactly the opposite a few years ago. Now he tells people to change PINs to something easy to remember (and easier for criminals to guess).

By giving customers contradictory and impractical advice, the banks are placing an unmeetable burden on them.

The banks also frequently give advice that is simply wrong. Look, for example, at this video by Barclays showing how to enter your PIN at a merchant terminal!

Entry filed under: Authentication, Banking security

5 comments

  • 1. Saar Drimer  |  May 4th, 2010 at 16:50 UTC

    Clearly a lose-lose situation for cardholders forced to use an unusable system, at least for as many as 1 out of 10 of them.

    In addition, I’d say that the advice of using something memorable may play against cardholders eventually: it increases the likelihood that the “PIN” is inadvertently stored/written down somewhere in your wallet, or on a mobile: dates/years or part of a phone number, for example.

    What if the banks start asking customers if the particular arrangement of digits were written down close to the card? Context ignored, you’d end up either being accused of not telling the truth, or of negligence.

  • 2. Lindsay Johnson  |  May 4th, 2010 at 23:35 UTC

    There are alternatives for implementing PIN which would require extra cost by the issuers but which would make PIN transactions far easier and more secure for both the issuer and cardholder. The ability to implement a dynamic PIN/one-time PIN by the cardholder would certainly remove the burden from the cardholder. This can be implemented in a number of ways with emerging technologies. But as we have seen repeatedly from the banking industry, it is cheaper for them to shift the burden for security of the PIN to the cardholder through Terms and Conditions and/or legislation etc.

  • 3. Barney  |  May 5th, 2010 at 14:22 UTC

    So the banks say we shouldn’t ever write down our PINs, but it’s OK to change them to something memorable. I can change my PIN to match the last four digits of my friend’s phone number, but to then copy that number into a new address book would be grossly negligent. Clearly.

  • 4. Ross Anderson  |  July 15th, 2010 at 10:51 UTC

    Now here’s an article reporting shim attacks, which we originally predicted in 2008. How on earth can you hold customers liable for attacks conducted using equipment installed invisibly within an ATM?

  • 5. John Phillups  |  August 21st, 2010 at 08:34 UTC

    I recently read an article from Mike Bond and Piotr Zielinski about an algorithm that could crack a PIN in a mere 15 attempts. Has this theory been presented to said banks who are trying to avoid the blame from this crisis?
