Bank right to reject claim because PIN was easily guessable

Categories:
Cards and PINs, Fraud & scams
Summary:
Fern was overseas when her house was burgled in April 2022 and three of her EFTPOS cards were stolen. Fern used the same PIN for all three cards. After just two failed attempts, the offender successfully guessed the PIN and used the cards to make numerous transactions totalling $32,000. When Fern discovered the transactions, she immediately called the bank.
Published:
August 2024

She said she had not disclosed her PIN to anyone and had not written it down. She added that it was not an easily guessable PIN. The bank refused to reimburse the loss, saying the ease with which the offender had found the right PIN indicated she had breached a condition of the card – to reasonably safeguard her PIN – by choosing an easily guessable number. Fern said the offender could have simply guessed the PIN on the third attempt, or could have reverse-engineered the PIN through technological means.

Our investigation

We explained that, statistically speaking, it was extremely unlikely someone could guess a correct PIN in just three attempts, and we were unaware of any way to “reverse-engineer” a PIN simply by being in possession of an EFTPOS card. There was no evidence to suggest any other plausible explanation than that Fern had failed to reasonably safeguard her PIN, for example by writing it down, disclosing it or having a PIN that was easily guessable.

Outcome

We did not uphold Fern’s complaint.
