PIN liability


Dominic

I've just had a leaflet with my CC bill. Under the heading "reducing
your liability" it informs me that if details of my PIN have been
disclosed to others I will be held responsible for all PIN based
transactions.

Anyone know *exactly* what they mean? Have I disclosed my PIN if
someone spies on me as I enter it, without my knowledge? Is the fact
that someone else knows my PIN taken to be proof that I must have
disclosed it?
 
Tumbleweed

Dominic said:
I've just had a leaflet with my CC bill. Under the heading "reducing
your liability" it informs me that if details of my PIN have been
disclosed to others I will be held responsible for all PIN based
transactions.

Anyone know *exactly* what they mean? Have I disclosed my PIN if
someone spies on me as I enter it, without my knowledge? Is the fact
that someone else knows my PIN taken to be proof that I must have
disclosed it?
The latter is the worry.
 
Mike Scott

Tumbleweed said:
The latter is the worry.
Quite. I think maybe when they say "reducing your liability", they mean
"your" in the loose sense of "one's" - ie the bank's.

But remember that since you are the only one who is supposed to have
knowledge of your PIN, it will probably be assumed a priori that if
someone else uses it, then you must have disclosed it either
deliberately or negligently. Can you prove you didn't?

But I think this topic's been done to death over the past months.....
and no-one has any real idea. It'll probably take a court case and
expensive legal team to decide the issues.
 
Michael Hoffman

Mike said:
But remember that since you are the only one who is supposed to have
knowledge of your PIN, it will probably be assumed a priori that if
someone else uses it, then you must have disclosed it either
deliberately or negligently. Can you prove you didn't?
Can the bank prove they didn't?
 
Mike Scott

Michael said:
Can the bank prove they didn't?
No. But using *balance of probabilities* (the standard of proof for a
civil court case), they could probably argue it was most probably the
customer - after all, their systems are secure, no? Well, they would
have one think so. If nothing else, a bank would have no obvious reason
for releasing a customer's PIN; a customer could easily have been
negligent in shielding it during entry. And when all's said and done, a
corrupt bank employee is less likely than a fraudulent or negligent
customer (I hope!)

Not that I'm supporting the banks' attitude. IMO C&P simply isn't secure
in practice.
 
Tim

Mike said:
No. But using *balance of probabilities*
(the standard of proof for a civil court case), ...
.... OK ...

... they could probably argue it was most probably the customer ...

Well, actually I'd have thought that it was much more likely for a PIN
number to have been compromised from one of the cards that the *bank* had
issued, rather than one of the cards that particular *customer* had ever
received - simply from the numbers involved (many thousands/millions for the
bank, unlikely more than a few dozen for the customer).

So, suppose the bank & customer go to court & the bank have had at least one
PIN number compromised on one of their cards, and the customer has *never*
had a PIN compromised on *any* of their cards. The **balance of
probabilities** would then come down *against* the bank - after all,
one/more of the cards they have issued has had the PIN compromised, but
*none* of the customer's cards have been!!

... - after all, their systems are secure, no?
And so are those of the customer!
[Assuming of course that they are.]
 
Mike Scott

Tim wrote:
....
So, suppose the bank & customer go to court & the bank have had at least one
PIN number compromised on one of their cards, and the customer has *never*
had a PIN compromised on *any* of their cards. The **balance of
probabilities** would then come down *against* the bank - after all,
one/more of the cards they have issued has had the PIN compromised, but
*none* of the customer's cards have been!!
Except the bank will now, I assume, argue that in each case the
particular customer was at fault. Which will often be true - so the
argument may work the other way: of 1000 people (say), 998 have been
proven negligent or criminal. You're the 1000th in line - the "obvious"
conclusion is.....??? (But then, you can prove anything with statistics
if you try (or lie) hard enough :)
(I do wish you'd kept the rest of that paragraph! It changes the obvious
sense.)
And so are those of the customer!
[Assuming of course that they are.]
But they aren't. The banks' systems are all locked up (or down?); your
PIN number is used in some very public places (precisely because of the
banks' requirements).
 
Tim

Tim said:
Except the bank will now, I assume, argue that in each case
the particular customer was at fault. Which will often be
true - so the argument may work the other way: of 1000
people (say), 998 have been proven negligent or criminal.
You're the 1000th in line - the "obvious" conclusion is.....???
Eh? Why should each customer be "tarred with the same brush" as other *bad*
customers??!

According to your logic, if the last 9 people charged with murder in a
particular court were all found guilty, and you were the tenth person to
appear charged with murder, then you should be found guilty solely because
the other nine were!!!
Tim said:
And so are those of the customer!
[Assuming of course that they are.]
"Mike Scott" wrote
But they aren't.
They can be. If the customer doesn't write the PIN number down, nor
otherwise record it - apart from memorising it - and never tells anyone else
the number, then their systems will be very secure!

The banks' systems are all locked up (or down?);
your PIN number is used in some very public places
(precisely because of the banks' requirements).
Exactly - the PIN pads are part of the **bank's** systems - the customer has
no control over the design of that part of the system, although the banks
do.
So you cannot say that "the banks' systems are all locked up" -- because the
PIN pads are part of their system & they are the obvious weak point!!
 
Mike Scott

Tim wrote:
....
Eh? Why should each customer be "tarred with the same brush" as other *bad*
customers??!

According to your logic, if the last 9 people charged with murder in a
particular court were all found guilty, and you were the tenth person to
appear charged with murder, then you should be found guilty solely because
the other nine were!!!
It's a question of populations and sampling. Take a more obvious
example: a barrel of apples. You take out 10 apples and find they're all
bad. Are you going to blindly remove the 11th and bite into it? I'm not
trying to defend the banks - I'm just trying to indicate the sorts of
rubbish arguments they might bring up (and remember from the Meadows
cases that courts and lawyers and doctors seem poorly genned up on
elementary statistics, never mind technical issues.)
... - after all, their systems are secure, no?
Tim said:
And so are those of the customer!
[Assuming of course that they are.]
But they aren't.

They can be. If the customer doesn't write the PIN number down, nor
otherwise record it - apart from memorising it - and never tells anyone else
the number, then their systems will be very secure!

The banks' systems are all locked up (or down?);
your PIN number is used in some very public places
(precisely because of the banks' requirements).

Exactly - the PIN pads are part of the **bank's** systems - the customer has
no control over the design of that part of the system, although the banks
do.
So you cannot say that "the banks' systems are all locked up" -- because the
PIN pads are part of their system & they are the obvious weak point!!
But by the banks' view, that's part of the customers' "system", not
theirs. I doubt that the banks would worry that they designed the
weaknesses into it and so they view "proper use" of PIN pads etc as the
*customers'* responsibility. (IMO precisely because it is the weak part
of the system. They're trying to save their *own* money, not yours and
mine.)
 
Michael Hoffman

Mike said:
Indeed. But you're the second person who's selectively quoted me. What
I wrote was, "....their systems are secure, no? Well, they would have
one think so." Which I think changes the tenor a bit:)
I did not think that by cutting the latter part of your message out
people would think that you were agreeing with the banks' assertions
wholeheartedly (indeed I thought I was preaching to the choir to cast
doubt at these assertions).

Apparently you disagree, so please accept my apologies.
 
