Millions of Brits risking fraud by writing down PINs - Which?

Millions of Brits risking fraud by writing down PINs - Which?

Around one in 10 Brits write down their card PIN or share it with someone, increasing the risk of fraud, according to a survey from Which?

The consumer group, which polled 1045 people, says this means up to four million debit card holders and three million credit card holders write their PIN down or tell a friend or family member the code. A third keep it in their handbag or wallet and a similar proportion have a note at home.

In addition, Which? says many Brits are ill-informed about their rights if fraud is committed on their card. More than four fifths believe that they will get a refund if they are a victim of street crime or fraud.

However, in reality, if a card is used fraudulently, providers will only issue a refund if the victim had taken reasonable care of their plastic and account details. Writing the PIN down or passing it on would be considered careless behaviour.

Martyn Saville, Which?, says: "The results show that too many consumers are putting their finances in jeopardy by not taking simple precautions. Writing down your PIN is like leaving the door open when you leave the house."

Comments: (4)

Lachlan Gunn
Lachlan Gunn - BenAlpin Ltd - Perth 29 April, 2010, 14:10Be the first to give this comment the thumbs up 0 likes

It seems that every card issuer assumes that their card is the only one in a consumers wallet!  Isn't this one of the great ironies of the system?  We are told not to write down our PINs, and yet also NOT to use the same PIN for more than one purpose.  Well if you have several internet and phone banking relationships, and several cards, all with different PINs, how can you not write down a PIN?  It's impossible for most of us to remember all of our PINs without recording them in some way...........isn't it?  Yes we should take every reasonable step to protect our PINs - but we also need to remember them.

Stanley Epstein
Stanley Epstein - Citadel Advantage Ltd - Modiin 30 April, 2010, 15:55Be the first to give this comment the thumbs up 0 likes

It's all very well to suggest that one commits ones PIN to memory and does not write it down. But whoever came up with this sage piece of advice is assuming that the user has a single bank card and absolutely nothing else in the way of a PIN or password. Either that or they are oblivious to reality. The plethora of rules and restrictions, especially in the construction of PINs which varies from institution to institution has already sown the seeds of confusion. Just assume that card "A" requires a 4 digit PIN while card "B" demands a 6 digit PIN and that in neither case are any sequential digits allowed. Then throw in card "C" which has a bank allocated 5 digit PIN. Three cards and we already have confusion. Add to this mix the fact that one may have Internet access to all three institutions and that each demands a different user name and password, often consisting of a combination of digits and letters and which has to be changes on a regular basis. No way can I personally function on memory alone. And that is the reason why my list of PINs, Passwords, Access Codes and the like which enables me to run my life is five pages long. It's time we each have a universal unbreakable PIN that works for everything.

John Dring
John Dring - Intel Network Services - Swindon 04 May, 2010, 09:11Be the first to give this comment the thumbs up 0 likes

Call me cynical, but isn't it almost in the interests of the banks to leave this loophole open to them?  Its a catch 22 - to be crystal clear with authentication and non-repudiation, a PIN is black and white.  Much easier for a bank to judge than a physical signature for example.  But to have even a few PINs means you must must some kind of note, log, system to record them somehow, and thereby provides the banks with a possible exit from liability in cases where they might really need it.  Much easier to claim you have written down your PIN and invalidated any protection on the resulting transaction, than prove that they never expose your PIN internally for example.

I wonder what the law would say about PIN reminders and hints?  Is that OK? (e.g. my favorite month and the year my dog died??)

Steven Murdoch
Steven Murdoch - University College London - London 04 May, 2010, 10:28Be the first to give this comment the thumbs up 0 likes Ross Anderson has written a blog post on this topic, which backs up some of the earlier commenters: "PINs and the burden on customers". In it, he also mentions a radio interview with an APACS spokesman, Mark Bowerman, who tells customers to change their PINs to the same number (contradicting the advice given by the same spokesman in the Which? article).