Abstract
Fraud victims are often refused a refund by their bank on the grounds that they failed to comply with their bank’s terms and conditions about PIN safety. We, therefore, conducted a survey of how many PINs people have, and how they manage them. We found that while only a third of PINs are ever changed, almost half of bank customers write at least one PIN down. We also found bank conditions that are too vague to test, or even contradictory on whether PINs could be shared across cards. Yet, some hazardous practices are not forbidden by many banks: of the 22.9% who re-use PINs across devices, half also use their bank PINs on their mobile phones. We conclude that many bank contracts fail a simple test of reasonableness, and ‘strong authentication’, as required by the Payment Services Directive II, should include usability testing.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
IP address geo-location has a non-trivial error rate, but this still confirms that our sample is predominantly from the UK, as intended.
References
Anderson, M.C., Neely, J.H.: Interference and inhibition in memory retrieval. In: Memory. Handbook of Perception and Cognition, 2 edn., pp. 237–313. Academic Press (1996)
Bohm, N., Brown, I., Gladman, B.: Electronic commerce: who carries the risk of fraud. J. Inf. Law Technol. 2003(3) (2000)
Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? The security of customer-chosen banking PINs. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32946-3_3
Bowerman, M.: Radio interview with APACS spokesperson. BBC Radio Merseyside, 19 February 2007
Financial Ombudsman Service: Ombudsman news (March/April 2014), case 116/2. http://www.financial-ombudsman.org.uk/publications/ombudsman-news/116/116-disputed-transactions.html
HSBC, UK: General, current accounts and savings accounts terms and conditions. Accessed 1 Sept 2015
Kelman, A.: Job v Halifax PLC (not reported) case number 7BQ00307. In: Digital Evidence and Electronic Signature Law Review, vol. 6 (2009)
Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is broken. In: IEEE Symposium on Security and Privacy, pp. 433–446, May 2010
Renaud, K., Ramsay, J.: How helpful is colour-cueing of PIN entry? July 2014. arXiv:1407.8007 [cs]
Squire, L.R.: On the course of forgetting in very long-term memory. J. Exp. Psychol. Learn. Mem. Cogn. 15(2), 241–245 (1989)
UK Cards Association: Plastic fraud figures (2015). http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp
Acknowledgements
We are grateful to Adam Beautement, Brian Glass, Boris Hemkemeier and Kat Krol for helpful discussions. Steven J. Murdoch is supported by The Royal Society [grant number UF110392]; Ingolf Becker is supported by the Engineering and Physical Sciences Research Council [grant number EP/G037264/1].
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Murdoch, S.J. et al. (2017). Are Payment Card Contracts Unfair? (Short Paper). In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_35
Download citation
DOI: https://doi.org/10.1007/978-3-662-54970-4_35
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54969-8
Online ISBN: 978-3-662-54970-4
eBook Packages: Computer ScienceComputer Science (R0)