Are Payment Card Contracts Unfair? (Short Paper)

  • Steven J. Murdoch
  • Ingolf Becker
  • Ruba Abu-Salma
  • Ross Anderson
  • Nicholas Bohm
  • Alice Hutchings
  • M. Angela Sasse
  • Gianluca Stringhini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9603)

Abstract

Fraud victims are often refused a refund by their bank on the grounds that they failed to comply with their bank’s terms and conditions about PIN safety. We, therefore, conducted a survey of how many PINs people have, and how they manage them. We found that while only a third of PINs are ever changed, almost half of bank customers write at least one PIN down. We also found bank conditions that are too vague to test, or even contradictory on whether PINs could be shared across cards. Yet, some hazardous practices are not forbidden by many banks: of the 22.9% who re-use PINs across devices, half also use their bank PINs on their mobile phones. We conclude that many bank contracts fail a simple test of reasonableness, and ‘strong authentication’, as required by the Payment Services Directive II, should include usability testing.

References

  1. 1.
    Anderson, M.C., Neely, J.H.: Interference and inhibition in memory retrieval. In: Memory. Handbook of Perception and Cognition, 2 edn., pp. 237–313. Academic Press (1996)Google Scholar
  2. 2.
    Bohm, N., Brown, I., Gladman, B.: Electronic commerce: who carries the risk of fraud. J. Inf. Law Technol. 2003(3) (2000)Google Scholar
  3. 3.
    Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? The security of customer-chosen banking PINs. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32946-3_3 CrossRefGoogle Scholar
  4. 4.
    Bowerman, M.: Radio interview with APACS spokesperson. BBC Radio Merseyside, 19 February 2007Google Scholar
  5. 5.
    Financial Ombudsman Service: Ombudsman news (March/April 2014), case 116/2. http://www.financial-ombudsman.org.uk/publications/ombudsman-news/116/116-disputed-transactions.html
  6. 6.
    HSBC, UK: General, current accounts and savings accounts terms and conditions. Accessed 1 Sept 2015Google Scholar
  7. 7.
    Kelman, A.: Job v Halifax PLC (not reported) case number 7BQ00307. In: Digital Evidence and Electronic Signature Law Review, vol. 6 (2009)Google Scholar
  8. 8.
    Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is broken. In: IEEE Symposium on Security and Privacy, pp. 433–446, May 2010Google Scholar
  9. 9.
    Renaud, K., Ramsay, J.: How helpful is colour-cueing of PIN entry? July 2014. arXiv:1407.8007 [cs]
  10. 10.
    Squire, L.R.: On the course of forgetting in very long-term memory. J. Exp. Psychol. Learn. Mem. Cogn. 15(2), 241–245 (1989)CrossRefGoogle Scholar
  11. 11.
    UK Cards Association: Plastic fraud figures (2015). http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp

Copyright information

© International Financial Cryptography Association 2017

Authors and Affiliations

  • Steven J. Murdoch
    • 1
  • Ingolf Becker
    • 1
  • Ruba Abu-Salma
    • 1
  • Ross Anderson
    • 2
  • Nicholas Bohm
    • 3
  • Alice Hutchings
    • 2
  • M. Angela Sasse
    • 1
  • Gianluca Stringhini
    • 1
  1. 1.University College London (UCL)LondonUK
  2. 2.Computer LaboratoryUniversity of CambridgeCambridgeUK
  3. 3.Foundation for Information Policy ResearchTakeleyUK

Personalised recommendations