Are Payment Card Contracts Unfair?

While US bank customers are almost completely protected against fraudulent transactions, in Europe banks are entitled to refuse to reimburse victims of fraud under certain circumstances. The EU Payment Services Directive (PSD) is supposed to protect customers but if the bank can show that the customer has been “grossly negligent” in following the terms and conditions associated with their account then the PSD permits the bank to pass the cost of any fraud on to the customer. The bank doesn’t have to show how the fraud happened, just that the most likely explanation for the fraud is that the customer failed to follow one of the rules set out by the bank on how to protect the account. To be certain of obtaining a refund, a customer must be able to show that he or she complied with every security-related clause of the terms and conditions, or show that the fraud was a result of a flaw in the bank’s security.

The bank terms and conditions, and how customers comply with them, are therefore of critical importance for consumer protection. We set out to answer the question: are these terms and conditions fair, taking into account how customers use their banking facilities? We focussed on ATM payments and in particular how customers manage PINs because ATM fraud losses are paid for by the banks and not retailers, so there is more incentive for the bank to pass losses on to the customer. In our paper – “Are Payment Card Contracts Unfair?” – published at Financial Cryptography 2016 we show that customers have too many PINs to remember them unaided and therefore it is unrealistic to expect customers to comply with all the rules banks set: to choose unguessable PINs, not write them down, and not use them elsewhere (even with different banks). We find that, as a result of these unrealistic expectations, customers do indeed make use of coping mechanisms which reduce security and violate terms and conditions, which puts them in a weak position should they be the victim of fraud.

We surveyed 241 UK bank customers and found that 19% of customers have four or more PINs and 48% of PINs are used at most once a month. As a result of interference (one memory being confused with another) and forgetting over time (if a memory is not exercised frequently it will be lost) it is infeasible for typical customers to remember all their bank PINs unaided. It is therefore inevitable that customers forget PINs (a quarter of our participants had forgot a 4-digit PIN at least once) and take steps to help them recall PINs. Of our participants, 33% recorded their PIN (most commonly in a mobile phone, notebook or diary) and 23% re-used their PIN elsewhere (most commonly to unlock their mobile phone). Both of these coping mechanisms would leave customers at risk of being found liable for fraud.

Customers also use the same PIN on several cards to reduce the burden of remembering PINs – 16% of our participants stated they used this technique, with the same PIN being used on up to 9 cards. Because each card allows the criminal 6 guesses at a PIN (3 on the card itself, and 3 at an ATM) this gives criminals an excellent opportunity to guess PINs and again leave the customer responsible for the losses. Such attacks are made easier by the fact that customers can change their PIN to one which is easier to remember, but also probably easier for criminals to guess (13% of our participants used a mnemonic, most commonly deriving the PIN from a specific date). Bonneau et al. studied in more detail exactly how bank customers select PINs.

Finally we found that PINs are regularly shared with other people, most commonly with a spouse or partner (32% of our participants). Again this violates bank terms and conditions and so puts customers at risk of being held liable for fraud.

Holding customers liable for not being able to follow unrealistic, vague and contradictory advice is grossly unfair to fraud victims. The Payment Services Directive is being revised, and in our submission to the consultation by the European Banking Authority we ask that banks only be permitted to pass fraud losses on to customers if they use authentication mechanisms which are feasible to use without undue effort, given the context of how people actually use banking facilities in normal life. Alternatively, regulators could adopt the tried and tested US model of strong consumer protection, and allow banks to manage risks through fraud detection. The increased trust from this approach might increase transaction volumes and profit for the industry overall.

 

“Are Payment Card Contracts Unfair?” by Steven J. Murdoch, Ingolf Becker, Ruba Abu-Salma, Ross Anderson, Nicholas Bohm, Alice Hutchings, M. Angela Sasse, and Gianluca Stringhini will be presented at Financial Cryptography and Data Security, Barbados, 22–26 February 2016.

2 thoughts on “Are Payment Card Contracts Unfair?”

  1. I was chatting with Ross Anderson in email about something related and mentioned the below as an example of terrible bank security practices. Ross suggested that I post it here as a comment.

    Smile Bank (www.smile.co.uk) ia part of the Co-operative Bank and was the first UK fully digital bank, launched in 1999, offering all services online. Since then, and until recently, the credentials required to login to your account have been:

    – Account number and sort code, or VISA card number
    – 2 random digits from a 4-digit security code (not a card PIN)
    – 1 piece of security info (from any of first school attended, last school attended, memorable name, place of birth or memorable date)

    Recently Co-op changed this, for both Smile Bank and for Co-op Banking online, to eliminate the usage of account details in the login process. The new login process now requires:

    – A username
    – A password
    – 2 random digits from a 6-digit security code

    The process by which Co-op implemented these changes, and the policies they used around them, are truly atrocious.

    1. After logging in, customers without new creds had their session hijacked and were required to select a new username, password and PIN before being allowed to use the banking, thus forcing them to make these choices under pressure and probably leading to sub-standard selctions in the moment, since they were occupied with wanting to complete whatever it was they had logged on to banking to do.

    2. The 2-digit entry used to be on the keyboard and represented by asterisks. Now it’s two drop-downs and appear as clear digits, so anyone nearby or with remote screen access can watch the selections.

    3. The username and password instructions are horrendous:

    Username: “Your username must have a minimum of 8 characters and be no longer than 30 characters. It should also be unique to you. It must not contain any spaces, but may contain special characters, excluding the following:` ; £ Please note, your username will be case sensitive. This means you’ll need to enter it exactly as you type it here when logging in, including upper and lower case letters. So please take extra care when creating it.”

    Password: “Your password must have a minimum of 8 characters and contain 3 of the following: 1. An uppercase letter 2. A lowercase letter 3. A number 4. A special character* A special character can be anything from a hashtag (#) to an asterisk (*) but please don’t include spaces or ‘ ; ”

    6-digit security code: “These details must be easy to remember, but impossible for others to guess”. It doesn’t say if we are allowed to invoke magic to achieve this.

    It doesn’t give an upper bound for passwords but a 30 character password was truncated to 20 characters with javascript in the browser with no warning. Ironically then a username can be 30 characters but a password is limited to 20.

    “Special characters” is meaningless garbage, and seems to imply protecting the back-end from exploits by passing code fragments, which doesn’t inspire confidence. The set of excluded special characters is inconsistent between username and password.

    No mention of using a password manager and generator. No TOTP option nor an SMS option. Not even a portable card-reader option, though this option would severely limit accessibility.

    The old 4-digit security code still has to be remembered as it is required for telephone banking but this is not mentioned when selecting its 6-digit replacement. I only found out by chance when calling them and being told so.

    4. They have a “secure message” area inside, where you can be sure that the content is definitely from them. But since the revamp they now routinely include links in their responses taking people to http://cbg.36o.co (cbg standing for Co-op Banking Group I assume) to complete a satisfaction survey, thus training customers to click insecure unencrypted third-party links in what is supposed to be a sterile, secure area.

    5. Reviewing previous statements used to be displayed in a table in the browser. Now it auto-opens a statement PDF without warning. But since they don’t know how PDFs are handled client side, they have no way of knowing what this action is launching, which could be malicious.

    I wrote a complaint and detailed these issues and they responded by failing to address the points, waffling about how seriously they take security, and crediting my account with £30. I’m going to keep writing back until they address the points.

    Tying this in with your article, it seems even more unfair to customers to be forced into capitulating to Co-op’s poor implementation and policy choices, and to then be held accountable for upholding them. I imagine that in the event of a fraud dispute the bank would trot out the same line about taking security very seriously, while totally failing to appreciate that they forced their customer to choose a password under duress using an outdated policy and failing to offer any two-factor option, for example.

    It’s bonkers that in 2016 Amazon can offer me stronger authentication with two-factor than my bank can.

    Regards,
    Chris

    1. Thanks for your comment Chris. It does seem that the new authentication procedures have not been well thought through. I’m not convinced that they have any clear threat model in mind when designing these new measures. For example, the drop-down boxes seems to be for protection against key-loggers, but those have been superseded by smarter banking malware some time ago.

      Amazon and Facebook do seem to have much better designed authentication, because they know that poor usability will lose them custom.

      It will be interesting to see what is the impact of the Payment Services Directive 2 on customer authentication.

Leave a Reply

Your email address will not be published. Required fields are marked *