Using easily guessable passwords

The client woke up one morning to find his wallet missing. After an unsuccessful search, he called the bank to report the missing cards. In the meantime, the fraudster was able to make ABM cash withdrawals and debit purchases from the client's bank account totalling $3,437. For all of the disputed transactions, the client's Personal Identification Number (PIN) was entered correctly on the first attempt by the fraudster.

The client's branch decided to absorb $2,265 of the client's losses. The bank Ombudsman, in his review, said that the client was bound by his Cardholder Agreement to protect his PIN. The bank's view was that since the fraudster was successful on his first attempt, he was able to access the PIN right away, possibly because it was written down or it was easily guessed.

The client told us that his PIN had not been written down anywhere. He also said he had two credit cards from different banks in his wallet, all with the same PIN. Our analysis revealed that the fraudster had unsuccessfully tried to use the other cards by guessing different PIN combinations. After many tries, the fraudster correctly guessed 1-2-3-4 and then used that PIN for the client's bank card. Our investigators considered two issues: the client's chosen PIN, and the same PIN being used for all cards. Under the Debit Card Code of Practice, using the PIN 1-2-3-4 is not prohibited.

However, in our view, the use of the same easily guessed PIN for all his cards was ill-advised and directly contributed to the loss.

We therefore concluded that both the bank and the client should share responsibility. As the bank had already absorbed $2,265, we did not make any further recommendation for compensation in favour of the client.

(2006)