One of the most difficult things to explain with respect to e-payments, use of the pincode and the legal discussion of fraud cases is the difference between the general rules and the consideration of these rules in a specific case. We've just had this nice example in the Netherlands.
A consumer is issued a renewed debit card, which is sent to the home address. Then a criminal phones the consumer, pretending to be an employee of the Postbank, the issuing bank, and asks for the pin-code. Interestingly, the 'employee' appears to know the first two digits of the pin-code, which makes a trustworthy impression. Under a false pretext, the consumer is then convinced to provide the last two digits. After that, the customer's debit card was misused and the consumer (now a victim) claimed money from the Postbank.
Generally speaking, the legal rules are very clear. Customers should not mention their pin to anyone. Not even close family or employees of banks. And if they do ignore this instruction, they are legally liable for all the damage incurred. Yet, the case above was brought before the dispute resolution committee. The committee stated that in this specific case, the consumer could not be held liable. Their argument was that in the situation where the 'bank employee' appears to know the first two digits of the pincode, it is understandable that the customer believes the criminal at the other end of the phone is the bank.
I think the ruling in this case shows that general rules, in their application in specific cases, can and will be weighed so that a balanced and fair end result is reached. But still, this is not a ruling that allows everyone to tell their pincodes over the phone and not be liable.
Also, I smell something scary or fishy. Scary is the situation where a criminal would steal or intercept a debit card, stalk the owner and watch the pin-code being used to find out the first two numbers. After finding out these numbers, the phone number is obtained in order to get the last 2 digits of the pin-code. The net result is a crime which is rather intrusive.
The fishy scenario is one in which the victim knows he or she is the only witness of the telephone conversation with the criminal and there are no tapes of the conversation. We may assume that the victim does not want to look like someone who is so foolish as to tell his or her pin-code over the phone. So he or she may have reshaped - for reasons of increased social acceptability - his or her perception of the telephone conversation to include an element in which it sounds logical that the last two digits are being provided ('as the bank employee appeared to know the first two digits of the pincode, I gave only the last two digits'). Which would make it fishy.
Let it be clear. Bank employees don't know pincodes and never have any ground to ask you for them. And consumers don't tell pincodes (or parts of them) to others. Ever!