
Looking after your credit and debit cards and PINs

02 Dec 2013

Losing your credit or debit card, or having it stolen, is worrying and inconvenient. If your PIN details are also obtained or guessed, there is an even greater risk you will lose money.

Banks typically cover any loss if you take reasonable care of your card and PIN and report any loss to them promptly.  If you haven’t, you are unlikely to recover the loss.

It’s therefore important to protect your credit and debit cards and PINs, know how to select a secure PIN, and know what to do if you lose a card.


How should I look after my credit and debit cards?

You need to take reasonable care to look after your cards – in much the same way you look after wallets and keys.

You don’t need to be aware of the exact location of your cards at all times, but you should know their general whereabouts (for example, at home, in your bag, etc).

Your cards shouldn’t be left unattended in a wallet or purse, or anywhere a thief could remove a card without being noticed.

It would not usually be reasonable to leave your card:

· inside a car on the seat, or in view on the dashboard

· on your bedside table when you are not home

· in a hotel room when you are out.

Take care to remove your card when using it at an ATM, shop, restaurant or any other outlet after making a purchase.


What should I do if I lose or cannot find my card?

If you find that your card is missing, you should advise your bank as soon as possible.  Banks provide dedicated phone numbers to report lost or stolen cards within New Zealand and from overseas. If overseas, keep a note of the phone number with your travel documents.


How can I make sure money in my accounts can't be accessed using my card?

You can specify the accounts that are linked to your card. If you have an account containing money you want to protect, ask your bank for advice about how to restrict card access to only those accounts which you allow.


How should I select a secure PIN?

There are several points to remember when selecting a PIN so that it stays secure:

· don’t use obvious number combinations or sequences

· don’t use combinations like 3456 or 0000, birthdays, anniversaries, home addresses, parts of your phone number or other numbers easily connected with you

· don’t use parts of numbers in the same order they are printed on any of your cards

· don’t use the same PIN number for different cards or log-ins.


How should I take care of my PIN?

You shouldn’t write your PIN number anywhere or tell anyone else, including family members, police, or bank staff, what it is. Please note that banks will never ask you for your PIN. If you receive an email or other contact asking you to update your PIN, do not reply. It is likely to be fraudulent.

You must not store your PIN (even in disguised form) on any device, including mobile phones, computers, iPads, or similar electronic devices. If you have already stored it on an electronic device, you should delete it and get a new PIN.

You should take reasonable care when entering your PIN at an ATM or a machine in a shop to stop someone else seeing it.

If you become aware someone may know your PIN, you should contact your bank as soon as possible, and ask for a new one.


Case note 1

Mrs B’s wallet, containing her EFTPOS card, was stolen.  She thought the theft happened when she got out of her car to open her workplace gates.

Mrs B reported the theft to police and made a formal statement.

The thief withdrew $7,000 from Mrs B’s account at ATMs and a foreign exchange bureau, but her loss ended up being $3,000 because one of the bureau withdrawals could not be completed without the thief providing ID.

The bank recognised Mrs B was a crime victim, and offered to bear half her loss ($1,500). Mrs B complained to us. She felt the bank should bear the full amount because it was not her fault she was defrauded.

Our office had to determine whether Mrs B had complied with her EFTPOS card’s terms and conditions, and whether the bank had contributed to her loss. Mrs B’s EFTPOS card Conditions of Use stated she must not leave her card “in an unattended wallet, purse or vehicle or anywhere a thief could remove the card without being noticed”.

We considered Mrs B had not complied with the relevant terms and conditions because her EFTPOS card was left unattended and had been removed without her noticing.

The offender had also entered Mrs B’s PIN correctly on the first attempt, suggesting she had not taken appropriate care of it. It is virtually impossible to randomly select correct PIN numbers, let alone enter them in the correct order.

In our view, the bank had not contributed to Mrs B’s financial loss and we recommended she accept its goodwill offer to bear half her loss. Mrs B did so. 


Case note 2

Mr G was the victim of fraud. Significant funds were transferred from his bank account via telephone banking by an unknown person. Mr G did not understand what happened and complained to us when the bank would not refund the stolen money.

We discovered his cell phone had been lost before the fraud occurred and that he had saved his telephone banking registration number and PIN as a mobile number and an email address.

Although Mr G had attempted to disguise his telephone banking details, the offender saw through this and accessed his accounts. Mr G had unintentionally equipped the offender with the ability to commit fraud.

Because Mr G had recorded his banking details on his cell phone, he was in breach of his bank’s Terms and Conditions. This meant the bank did not have to reimburse the stolen funds.

It is important not to record banking details in any form on any medium. It is also important to have password-protected access to electronic devices.


Case note 3

Mr and Mrs P had a bank credit card. One day Mrs P used the card when shopping with her teenage grandson. She entered her PIN into a fixed, shieldless EFTPOS keypad. Unbeknown to her, her very tall grandson saw the PIN number as she entered it. Over the next few days, numerous unauthorised transactions worth $3,700 were made on the card. As soon as Mr and Mrs P realised their card was missing they put a stop on it.

The couple made a claim for reimbursement. The bank denied the claim, on the grounds inadequate security precautions were taken, breaching the card’s terms and conditions of use. It offered a goodwill payment of $738.15.

Mr and Mrs P did not believe they had breached the terms and conditions. Mrs P said she was unaware her grandson saw her entering her PIN. She kept her card secure, and the couple had no reason to believe their grandson would steal from them. The PIN was not written down anywhere, and was neither a sequential number nor easily identifiable in any other way. 

We found Mrs P’s grandson almost certainly ‘shoulder surfed’ the PIN. The bank argued that because the PIN became known to the thief, Mrs P had not taken reasonable care.  However, our view is while a customer must take care to avoid PIN disclosure when keying, this will not always protect against a determined person. There is a limit to what customers can reasonably be expected to do to protect PINs, particularly when using an unshielded EFTPOS keypad. The standard of care required in such circumstances is reasonable care, not extreme care or the use of every possible precaution.

We found Mrs P had not breached her card’s terms and conditions.  She was entitled to full reimbursement, less the standard $50 maximum customer liability sum, of $3,650. Mr and Mrs P and the bank accepted our recommendation.   
