Sharing bank PINs leaves consumers at risk

One in ten consumers either write down or share their ATM card PIN codes, according to a new survey by the UK's Consumer Association. If a card is fraudulently misused, banks will only provide a refund if the cardholder had taken care of their card and account details. Writing down PIN numbers or sharing them with others …

COMMENTS

This topic is closed for new posts.
  1. ShaggyDoggy

    Read this then

    http://news.bbc.co.uk/1/hi/programmes/moneybox/8347147.stm

  2. JimmyPage Silver badge
    Flame

    PINs ? So 1970s

    I am still amazed, after all these years, that banks haven't introduced a better system than PINs ... personally I liked the suggestion that you use faces instead of numbers (as people remember faces), with the added advantage that you can then scramble the ordering, to prevent people catching the hand movements when entering a PIN.

    And how about a mechanism that causes the machine to payout, but disable the card if the PIN is entered backwards. This would mean the card could only be used at knifepoint once ....

    1. Anonymous Coward
      FAIL

      Re: PINs ? So 1970s

      "And how about a mechanism that causes the machine to payout, but disable the card if the PIN is entered backwards. This would mean the card could only be used at knifepoint once ...."

      What happens if your PIN is 1331?

    2. Anonymous Coward

      Err...

      If you've got a five-nines reliable solution to the identification issue, I'm sure the banks (and many others) would be interested. This will need to be inexpensive and implementable all round the world. Face recognition, fingerprints, iris scans etc. simply don't cut it; they're too flaky, too expensive and too slow.

    3. Bassey

      Re: Faces

      Recognising faces sounds good but doesn't work for the blind or visually impaired so would fall foul of discrimination laws.

      1. Brutus
        WTF?

        @Bassey

        Are you suggesting that the blind and visually impaired don't have faces?!

    4. Anomalous Cowherd Silver badge

      Not faces!

      Jesus, I'd never be able to get money out.

    5. Anonymous Coward
      Thumb Down

      @JimmyPage

      "And how about a mechanism that causes the machine to payout, but disable the card if the PIN is entered backwards. This would mean the card could only be used at knifepoint once ...."

      Because most people would struggle to a) work out their PIN in reverse without a pen and paper and b) struggle to enter their normal PIN correctly if held at knife point, let alone calculate the reverse and enter it.

      And unless you choose 1 face in 10, a total of 4 times, it's no more secure than a PIN - even if you randomise the order. And people can remember numbers just fine, especially now you can choose your own number.

      1. heyrick Silver badge

        French ATM

        The French ATMs eject your card before giving your money (like most ATMs, I'd imagine...). I heard somewhere that pushing it back in would swallow the card, pay the cash (losing cash is better than losing life, besides it is a "panic" signal so you'd probably get the cash back), and automatically contact the nearest police/gendarme.

        Of course, with my luck, I'd be speaking to a machine from the early '80s that doesn't even have an onboard camera, never mind smarts.

        1. Paul 4

          Ah...

          The wonder of internet spam. There is no panic button.

    6. BristolBachelor Gold badge
      FAIL

      Backward PIN idea

      Jimmy Page said: "And how about a mechanism that causes the machine to payout, but disable the card if the PIN is entered backwards. This would mean the card could only be used at knifepoint once ...."

      The problem is that for this to be usable, apart from everything else, everyone would need to know about it. The perp with the knife would just make sure you took money out twice. If it didn't work the second time...

  3. Naughtyhorse
    Big Brother

    there goes the other shoe...

    This was the whole point of chip and pin in the first place, the banks shifting liability for fraud onto the customer.

    As far as I was aware, under the old system of non-electronic authentication the dispute, in the case of fraud, was between the retailer accepting the card and the bank making the payment, and clearly if the banks got bolshy about it then the retailers would refuse all cards.

    Now with chip and PIN, if a fraudulent transaction is approved it _must_ be due to the customer being a muppet and sharing the PIN. Ergo not the bank's responsibility to cover the loss.

    well the meagre bonuses have to be covered somehow :D

    1. Anonymous Coward

      Sorry...

      You're dead wrong... This was never the case, and even if it was, the law was updated last year to explicitly state that the banks have to prove the customer was in the wrong.

  4. Subban

    Chip and Sign ?

    "And if banks don’t want disabled people to share PINs with carers, they ought to come up with an alternative, or be held to account under disability discrimination laws,"

    Request a Chip and Sign card if remembering numbers is a problem. The banks won't give them out to "just anyone", it seems to be a case by case basis. My wife is disabled and takes a metric ton (estimated) of medication. She genuinely felt that trying to remember various numbers would be nigh on impossible and a chat with the bank got her a chip and sign card.

    It's great to watch the confusion these days on till staff when it wants a signature; on numerous occasions they have been ready to hand back the card and unsigned receipt, not realising it needed signing and that no PIN was requested.. Damn our honesty, we always point it out :[

    1. Annihilator
      Thumb Up

      Even easier

      Even easier, just whack a screwdriver through the chip. One of mine broke about 6 months ago and hasn't been accessible in any chip reader. They default every time to mag swipe and sign (once someone finds a pen..) - have never had a problem.

      Also find that it's quicker in ATMs - never noticed that ATMs that are chip'n'pin readers take about 4 seconds before displaying the "enter pin" screen while it engages the chip, negotiates with it and takes the details? Non-chip cards display it instantly as the act of inserting the card gives the machine the details it needs.

      Technology eh? It's the future I hear..

      1. Peter Gathercole Silver badge

        What I want to know is...

        If an ATM defaults to reading the mag stripe, where is the PIN stored? Is there a one-way hash algorithm in the ATM that reads a key from the card, that together with the PIN can be used to generate a non-reversible cryptographic signature whose authority can be checked in the ATM?

        I would prefer to have different numbers for the same card for ATM and Merchant Services transactions. This would be much safer than using the same number everywhere.

  5. Naughtyhorse
    Thumb Up

    @ShaggyDoggy

    Wow, that's a bit of good news then.

    THE MAN 0 the rest of us poor schmucks 1

    yay for us, and of course the FSA

  6. strangefish
    Boffin

    sigh

    Tattooing passwords on your forehead where everyone else can see them is a security risk, say high-level boffins in yet another pointless statement of the bleedin' obvious. The thing is, chaps, in your whizzo world of wonderment where everyone and everything is made super secure by remembering endless strings of otherwise unmemorable letters and digits - deliberately obscure so they bear no relation to anything else and cannot be guessed - people like me, who seem to have been suffering from Alzheimer's since they were old enough to need a memory for things, end up forced to write the bloody things down. Sorry for being human and all that.

  7. irish donkey
    Stop

    The Banks will always try it on

    Oh we are so squeaky clean we never do anything wrong.......

    You can buy bank details from their Indian Call Centre for a few quid!

    When I got money stolen from my Bank Account they tried to tell me I must have been careless with my card as Chip & PIN is bulletproof. When I explained to them my card had never been used or even activated, so how could I be careless with it, still they wouldn't admit liability, but as a goodwill gesture they refunded my money!

    Banks, the worst scum of our society!

    1. Anonymous Coward

      BS!

      Sorry but that's cock. The card couldn't have been used to "steal" money from your account had it not been activated. End of.

      1. Intractable Potsherd
        Stop

        @AC 5th May, 12:35

        I think your ire is misdirected. I think the OP was saying that the bank claimed that the card was the source of the fraud, when in fact it could not have been (because it had not been activated). If this is the correct interpretation, then it illustrates that the banks have (at least in some cases in the past) simply assumed that it was the customer's fault and allowed unauthorised access to the PIN. In some (most?) cases, this would have put the customer at least on the defensive, because it is rare that it can be said with certainty that s/he did not allow someone to "shoulder-surf", for instance, or that a trusted member of the family might not have let someone else know.

        Despite what an earlier poster said (I think it was a person called Fraser), the actions of the banks really do look as if they were shifting responsibility to the weakest link in the arbitration chain (i.e. the customer) in order to reduce their liability to fraud. In this they have been aided and abetted by the UK courts that made this change possible. Compare UK law on this matter with US law, and see why Chip and PIN is not popular in the States (one of the areas we can learn from).

    2. LuMan
      Stop

      Absolutely

      A friend of mine had a credit card taken out in their name by a person living nearly 200 miles away. The bank investigated the fraud and found my friend liable - within 24 hours of starting the investigation. The bank couldn't provide any CCTV footage of the day and time my mate allegedly entered the bank and applied for the card, nor could they disclose where the card had been used. Still, they managed to find my friend guilty of trying to get away with not paying for the credit card.

      Oddly, after taking legal advice, my pal asked for all the data from the investigations under the FoI act, only for the bank to drop all investigations and cancel the card with no charges to be paid. Amazing. Makes you wonder what investigations they actually did.....

  8. Natalie Gritpants
    Thumb Down

    "unmeetable burden"

    From a Cambridge don??? Surely that should be unbearable

  9. some vaguely opinionated bloke
    Headmaster

    Alternatives

    "And if banks don’t want disabled people to share PINs with carers, they ought to come up with an alternative [like, for example, chip and signature cards, freely available on request, assuming you can justify it to your bank], or be held to account under disability discrimination laws," Anderson adds.

    There. Fixed it for him.

  10. John G Imrie

    If chip and pin is so secure

    Why do banks ask you to cut through the chip when you replace your old card?

    1. A J Stiles
      Black Helicopters

      Why?

      To make you think that someone, somewhere out there has a way of making use of them for naughty purposes, thus giving them plausible deniability in the event of money going missing.

  11. Scott 19

    Stupid people

    I've had the same PIN number for 20 years, never had a problem (Commentors' curse to follow). Mine's from the good old days before you could change it, so it's just a random number that no one will guess, although 1234 doesn't seem that secure now I come to think of it.

  12. Anonymous Coward

    Why?

    Why would anybody need to write down a four digit number to remember it?

    Why are most posters assuming this is solely related to chip and PIN? PIN numbers work in ATMs too.

    Why are commentards assuming this report came from the banks? Read the story.

    Having said all that the majority of card fraud is now committed online, where you don't need the PIN number anyway.

    One of the main ideas behind chip and PIN is that the merchant doesn't handle the card, so they can't get the full card number or the three-digit security number on the back. It's amazing how many clerks in shops expect you to hand over the card so they can put it in the machine. It's also amazing how many of them like to have a good look at the card when they do. It happened to me the other day. The chap in front of me handed over his card. The clerk had a good look at it, front and back, before putting it in the machine. He looked deeply offended when I told him I'd put the card in the machine myself. He then told me they had been instructed by head office to examine all cards to make sure they were valid. Quite how some spotty herbert can recognise a valid bank card I don't know. I noticed the other clerks were doing the same, so I don't think he was lying. I've emailed the head office, but so far no reply. What worried me most was how every other customer handed over their card without question.

    1. Peter Gathercole Silver badge
      FAIL

      Reason for not handling card

      is not so they can't read it, it is so they cannot put it through a card skimmer. There are not that many people with eidetic memories (for goodness' sake, I can't remember a new phone number for more than a few seconds).

      I'm fairly certain that a high enough res. camera or two would be able to capture the name, dates, long card number, and the security code on the back even if the till operative did not handle the card. This is enough to use the card for Internet transactions.

      The scam used to be to skim the card, send the details to a country that does not have UK chip and PIN, clone the card, and use it to pay for goods in that country. And if you are also able to grab the PIN by shoulder surfing, you can use the cloned card to get cash out of a non-chip-and-PIN ATM abroad as well.

      Now that all you need is the visible information from the card for card-holder-not-present transactions, the whole system is open to abuse. This is the reason why we have the Verified by Visa and the SecureWhatever-it-is for Mastercard for Internet transactions. But this is not needed for card payments over the phone, so don't do it.

      The insistence of banks that the PIN must be kept private should be communicated to retailers who put their merchant devices on fixed installations in plain sight (Tesco, I'm singling you out here, but I'm sure that most other supermarkets are also guilty of this). I'm certain that I could, with reasonable accuracy, observe the PIN number of the two customers ahead of me in the queue on most occasions. This makes the whole system a joke.

      1. heyrick Silver badge

        "But this is not needed for card payments over the phone, so don't do it."

        I'm having a heck of a problem with my French Mastercard. It appears to want me to use an e-card for EVERY transaction where I'm not physically there to enter the PIN. Of course, no mention was made of this, the info talks only about the Internet. I'm working it out by trial and error. It isn't helped that the canned response from the bank system is "security code not valid" which means the teledroids keep telling me my security code is wrong when in actual fact the bank is totally refusing that card in that manner.

        For my other card, I've put a small piece of black electrical tape over the security code. At my local supermarket, they recently changed so the customer inserts the card themselves. Oh, and the loyalty cards are now barcoded so *nothing* except bank cards has a reason to go in the card reader. The girl I often go through (yes, she's cute...) noticed the black tape and smiled.

    2. strangefish

      oh really?

      How many four digit numbers can you remember? Almost nobody would have trouble remembering one four digit number if that were the only number you were ever being asked to remember but that isn't the case is it? Once you have two or three credit cards and a couple of debit cards, then add in numerous much longer passwords for various online services plus back-up ID questions and answers and it pretty quickly becomes a phone-book full of supposedly secure things to remember - and don't forget that then you are also expected to change those things on a regular basis to "ensure security". All of which is why so many people don't do the things they should. They don't memorise everything, they write it down, or let the browser remember, or just use the same password all the time, or their birthday, or their name, or any of the many other apparently daft security nullifying tactics that enable theft and fraud to be accomplished much more easily through social engineering than hacking. PIN based security, at least in its current form, is nothing but a tactic to put the blame in a weak system back on people instead of businesses so they can keep their insurance premiums down which is why it is so extremely disappointing to see a supposedly consumer rights based organisation taking this tack.

      1. Anonymous Coward

        How to remember all those numbers?

        Every card I've ever had is PLASTERED with numbers, front and back.

        Pick your own system and then use a combination only YOU know (eg. expiry date reversed, digits 9-12 of card number, CVS code + one extra number, whatever), and Robert's your dad's brother.

        Just remember to slyly check the numbers *before* you put it into the slot...

    3. Graham Marsden
      FAIL

      Why would anybody need to write down a four digit number to remember it?

      Because just maybe not everyone finds numbers easy to remember.

      Why would anyone not consider that others may not find such things as simple as they do...?

    4. Anonymous Coward
      Paris Hilton

      Why??????

      Because I have to remember PINs for:-

      credit card

      bank card

      store card

      online bank pin (and password)

      online banking code

      corporate credit card

      corporate credit card online code

      house alarm

      work alarm

      work gate code

      work remote access code

      staff number (2 4-digit codes)

      my partners bank card

      my son's bank card ('cos he'll forget it)

      video shop number

      in other words, I'm up to my effing arse in 4-digit codes,

      Paris, 'cos I wouldn't mind effing her ar..... OH! thats a bit rude I'd better not say it.

    5. Anonymous Coward

      The full number

      is printed on the merchant receipt, as is the expiry date, and the CCV code is not needed for processing a payment; it is an extra security thing.

      1. Peter Gathercole Silver badge

        @full number

        More and more merchant receipts only show 4 of the 16 numbers. It's stupid to have them all.

  13. Anonymous Coward

    Of course it's an "unmeetable burden"!

    The point of using it is to protect the bank's shareholder's asses, I mean assets. Silly git, a "meetable burden" wouldn't accomplish that at all.

  14. Graham Marsden
    Thumb Up

    A solution to let you write down your PIN safely...

    There is a system used by (I think) some banks in Denmark where the customer is given a 9x9 grid (like an empty Sudoku board) with different colours in the individual squares.

    You write your PIN in a way that you will be able to remember, eg the four corners reading clockwise or the four blue squares across the bottom row or the rightmost four squares on the middle row etc, then fill in all the other squares with the numbers 1-9.

    This hides your number in plain sight because only you know which four squares are the real ones.

    Banks could print these grids out for pennies and save everyone a lot of hassle.
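    The grid scheme described above, as an added example that is not part of Graham's post: it writes a PIN into the cells of a secret pattern, fills the rest of a 9x9 grid with random digits, reads the PIN back, and counts the ordered cell choices someone holding only the paper would have to consider. Assumptions: filler digits span 0-9 rather than 1-9 so a 0 in the PIN does not stand out, cells are zero-based (row, col), and the sample PIN and the two patterns are constructed from what the thread mentions.

```python
import secrets
from math import perm

GRID_SIZE = 9          # the post's 9x9 "empty Sudoku board"
DIGITS = "0123456789"  # filler must cover every digit a PIN can use;
                       # filling with 1-9 only would make a 0 in the PIN stand out

# Patterns named in the post: the four corners read clockwise, and the
# rightmost four squares of the middle row. Cells are (row, col), zero-based.
CORNERS_CLOCKWISE = [(0, 0), (0, GRID_SIZE - 1),
                     (GRID_SIZE - 1, GRID_SIZE - 1), (GRID_SIZE - 1, 0)]
MIDDLE_ROW_RIGHT = [(GRID_SIZE // 2, col) for col in range(GRID_SIZE - 4, GRID_SIZE)]


def make_grid(pin, pattern, randbelow=secrets.randbelow):
    """Fill a GRID_SIZE x GRID_SIZE grid with random digits, then write `pin`
    into the cells of `pattern` in pattern order. `randbelow(n)` supplies the
    filler so a deterministic source can be injected for testing."""
    if not (pin.isdigit() and len(pin) == len(pattern)):
        raise ValueError("pin must be digits, one per pattern cell")
    if len(set(pattern)) != len(pattern):
        raise ValueError("pattern cells must be distinct")
    grid = [[DIGITS[randbelow(len(DIGITS))] for _ in range(GRID_SIZE)]
            for _ in range(GRID_SIZE)]
    for digit, (row, col) in zip(pin, pattern):
        grid[row][col] = digit
    return grid


def read_pin(grid, pattern):
    """Recover the PIN by reading the pattern's cells in order."""
    return "".join(grid[row][col] for row, col in pattern)


def candidate_patterns(pin_length, cells=GRID_SIZE * GRID_SIZE):
    """Ordered choices of `pin_length` distinct cells on the paper. Unless the
    pattern is known, this is larger than the 10**pin_length PIN space, so the
    paper alone gives a finder nothing better than guessing."""
    return perm(cells, pin_length)


def render(grid):
    return "\n".join(" ".join(row) for row in grid)


if __name__ == "__main__":
    # Constructed sample PIN (the one joked about earlier in the thread).
    grid = make_grid("1331", CORNERS_CLOCKWISE)
    print(render(grid))
    print("read back with the right pattern:", read_pin(grid, CORNERS_CLOCKWISE))
    print("read with the wrong pattern:", read_pin(grid, MIDDLE_ROW_RIGHT))
    print("ordered 4-cell choices on the paper:", candidate_patterns(4))
```

    The grid only hides the PIN from someone who does not know the pattern; anyone who learns the pattern (or watches the card being checked against it) reads the PIN straight off.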

    1. Intractable Potsherd
      Thumb Up

      Great idea, Graham!

      I am being serious - clever and simple. It doesn't even have to be banks providing them - they are easy to make. Don't even need to be computer literate - a pen and paper would do.

  15. heyrick Silver badge

    Why only four digits?

    People may say it is "hard" to remember longer sequences of numbers, but I think the extra effort is worthwhile given it's our financial stuff at risk, with a system set up to not favour us.

    After all, we are expected to remember eight/ten-digit numbers for online banking, not to mention sequences of ten-twelve digit numbers for telephones. Okay, sure, many people use phone books, but I bet most of us know our own phone number, plus the wife/husband and children. There are many we don't bother to remember, but ones we use frequently are committed to memory. As children, we are (or at least in my day were) made to remember the address and phone number of our parents. I still know my childhood home number, despite it not existing for some twenty-odd years! People who aren't willing to remember at LEAST an eight-digit number are simply not trying hard enough. For you IT bods, I bet your server has infinitely better security than your credit cards.

    And yet, all my personal bank access and purchasing is "protected" by a little microchip on a little piece of plastic backed up with a FOUR digit code and no photo or other identifying information on said card.

    1. Chemist

      Re : Why only four digits?

      I have a UBS debit card for our Swiss current account that can have a variable number of digits - we use more than 4. I've never tried it in a UK ATM though, but it works in all Swiss chip+pin readers that I've tried.

    2. Anonymous Coward
      FAIL

      Actually

      As someone with severe dyslexia I have difficulty with over 6 digits. 4 I'm OK with, but I have one card because I can't manage more than one. But then, like so many, you assume everyone is like you.

  16. Sarah 7

    Bank Security

    A few years back I walked into a branch of my bank that I rarely visited, so I was an unknown person, and explained to the bank teller that I had forgotten the PIN for my ATM card. He happily walked me outside to the ATM machine and reset my PIN for me, with no request for ID to prove that I was the legit owner of this ATM card. If that doesn't scare you, I don't know what would.

  17. Anonymous Coward

    @AC - Actually

    I'm dyslexic, but I have no problems remembering numbers or passwords. Dyslexia takes different forms, my reading is weird* and my writing is a mess - handwriting is illegible, when writing block caps or typing I miss letters out and fill them in later. I have trouble proof reading what I have written or typed.

    The point I'm trying to make is that not all dyslexics are like you, so you're just as bad for generalizing as the people you are complaining about. You do not understand dyslexics, only those who are exactly like you. I suspect that I have no problems remembering numbers or passwords because I don't visualize them. Many people will visualize words or number sequences to remember them and I can understand why a dyslexic who does this would have trouble remembering these things.

    * I read very, very quickly, but sometimes have to skip back and reread bits that make no sense. This has been explained to me as an ability I developed long before being diagnosed. Essentially I'm told that I'm recognizing words by context as much as by form. I don't actually read the whole sentence as such, hence the speed. Sometimes the system breaks down and I need to reread. It could well be true; I've noticed that I do sometimes predict a sentence before I've completed it (this shows up particularly when reading out loud) and also I have trouble with "sentences" where context is harder to spot - like newspaper headlines or words on their own. Oh, and I find poetry and foreign languages very difficult to read indeed.
