One of the tenets of banking security rules today is that consumers must protect their PINs and passwords. If a customer, for example, posts his/her password on a publicly accessible social media site and fraud soon happens, the bank won’t cover the losses. But what happens when the customer doesn’t reveal the PIN or password to the thief, but the thief successfully guesses it? One Canadian customer found out that it meant he was fully liable for the theft, even after the thief confessed to the police.
In this case, which involved CIBC, the particulars are a little messier, according to a story aired by CBC. The victim and thief were a romantic couple and had recently broken up when the ex-girlfriend visited the ex-boyfriend’s house and stole and used his credit card. Due to EMV, the card still required a PIN and the ex-boyfriend had never shared it. The problem is that he had shared the PIN for an unrelated debit card. Yep, he had used the same PIN so his ex-girlfriend tried the PIN and it worked. More than $6,000 of theft resulted.
CIBC argued that he had, in effect, given his ex-girlfriend the PIN to his credit card when he shared the identical PIN from his debit card. Besides, using the same PIN for multiple cards is another security no-no.
CIBC’s published PIN rules are extensive. What are CIBC’s rules regarding PINs? “Your PIN is equivalent to your signature. Therefore, whether you are a Primary Cardholder or an Authorized User, you must keep your PIN absolutely confidential; it is for your use alone. You will not tell anyone else (including a close family member or friend, or any bank, public official or merchant) what your current PIN is. When choosing a PIN, you will not use all or any part of: Your name, or a close relative’s name; Your birth date, year of birth, telephone number or address, or those of a close relative; A number on your Card, or any other account number; A number on any identification card you keep with or near your Card (such as your social insurance number or driver’s licence number); or any other number which can be easily obtained or guessed by someone else.”
And there’s more. “You understand that you should memorize your PIN rather than keep any written record of it. Therefore, when you receive the PIN we send you for your Card you will destroy the document on which the PIN is printed. However, if you decide that you truly need to keep a written record, you agree that you will store the PIN in a safe place; you will not record any PIN on, or near, your Card; Your PIN must be disguised within the written record you make, so that no one else can easily guess that it is a record of your PIN; and you will not record your PIN on, or near, a telephone.”