
Forgotten your PIN? Soon it may not be an issue

A recent report shows that contactless mobile payment systems in the UK have won the hearts of many. So are we losing our love for the PIN, or are we still a way off finding a secure alternative?

Two-thirds (67%) of us think the PIN will soon be a distant memory of the banking past, according to research by Intelligent Environments. And many believe this will be within the next five years.

Could this really be true? Or are you with the 32% who have PINned their hopes on our four-digit friend?

Cracking the code

PINs are supposed to be super-secure four-digit codes. The theory is that a PIN is for your eyes only, and therefore the likelihood of someone cracking the code is extremely low.

While there are around 10,000 PIN variations, there are weaknesses in the system. Many of us – myself included – don’t adhere to basic PIN security: 32% of us have never changed our PINs, and only 37% have kept them a secret.

Being a part of that 37% can be a safety net in some circumstances. There have been moments when I’ve had a complete brain freeze when trying to recall my number. As someone who hasn’t kept my PIN secret I’ve been able to lean on my other half, who has a certain penchant for remembering these vital details.

But, if I was on my own when I forgot my PIN, I would have resorted to using the three attempts to potentially block my card or crack the code. Alternatively, I could bring the transaction total down to under £30 and make use of the contactless card payment limit.

Future technology – safer than PINs?

We’ve already adopted contactless systems such as contactless cards and Apple Pay in the UK. Paying via these methods has rocketed by 200% since the payment limit was increased from £20 to £30 in October.

But there are some not-so-distant plans for new biometric technology, including vein pattern scanners, fingerprint readers and voice recognition systems. Lloyds Banking Group is currently testing a wristband that can identify a person by their heartbeat pattern. Experts believe that these systems will be so unique to the customer that fraudsters will be incapable of imitating us.

So what do you think the future holds? How do you think you will be paying for your weekly shop?

Do you think that this is the end for the PIN number?

No (50%, 66 Votes)

Maybe (32%, 42 Votes)

Yes (18%, 24 Votes)

Total Voters: 132


I use Apple Pay wherever possible. It avoids the need to take my wallet out, and my iPhone is often already in my hand for another reason anyway. Unlike a physical contactless card, Apple Pay has no transaction limit because it is authenticated by two-factor authentication (something you have and something you are) like chip & PIN (something you have and something you know). The missing piece in the jigsaw is delivering receipts electronically to make the whole process paperless.

It is disappointing that some retailers still don’t support contactless payments at all. Even a brand new branch of Sainsbury’s near me doesn’t support it. With no transaction limit for some contactless payment methods, all retailers really should support contactless by now.

I like contactless and use it wherever I can, though it’s a good thing at this early stage the amount is small and limited; I do not doubt it will grow. Mine is with HSBC. I think the next stage is that it will be on the mobile, like what Apple have introduced and are doing at present.

I have four PINs in varying degrees of regular use and sometimes I have a mental block. This is critical when you have to use the same credit card as you used to make a booking in order to receive the service [in some hotels for example]. I do have a safety net method of recovering a forgotten PIN from my memory but I won’t describe it. Anything that involves cards or iPhones is a nuisance because they can so easily be left at home, lost or stolen and then you really are stuck up a gum tree. So the idea of a wristband appeals to me, until I think – would I need four of them? Presumably a way could be found to ‘authorise’ the wristband to interact with one’s selected accounts and, at the point of payment, to pre-select the account to be charged before offering the wristband to the scanner. This could also help with store cards which are account cards rather than credit cards, although I suspect they are on the way out anyway. I can see why the banks might want to develop systems that lock their customers in to using just one account for everything but I think we should guard against that and seek multi-versatility [which is tautologous but sounds nice].

Predictably, my answer is no thank you and that, of course, makes me an old fashioned person, behind the times and the latest trends. So be it. It is through choice and not incapability. I would be very fearful of any phone app that let me spend an unlimited amount using a telephone. I have no doubt that others would be trying to find ways of spending that for me and any security lapse could drain my bank account. I also don’t need a card to buy a newspaper, though I would have one to use on London Transport as this seems to be the only way to get around the capital these days.
Technology moves on and things like computer boot-up times and internet access will soon be instant using future chipless technology. Payment methods will evolve and, sadly, money may become a thing of past generations. It shouldn’t become too easy to purchase things. There should always be a barrier that makes one consider whether a purchase is necessary before parting with wealth, in whatever form it comes in. Wealth will always be finite and folk will always be able to get into debt. We are going to see many examples of card and chip based payments in the next few years as people try out new ideas. Some will catch on, others will fail, and, as said earlier, there will always be people willing to find ways of criminally exploiting loopholes in security. If I were a few years younger I would think more about these things, however I do believe that good, old-fashioned money will keep me going until I spend no more.

Vynor, like you I’m a little cautious. Can someone tell me, if my contactless card is stolen can it be used by the thief until I discover its loss and report it? If so the fact I have to authenticate my card whenever I use it in person is security I like. In principle if other personal features were used such as fingerprints or iris recognition (is that affected by contact lenses?) for example I’d be OK providing the banks put their money where their mouth is and do not quibble if the card gets misused – I am trusting their certainty in the method.

You mention making spending even easier, and whilst I use a card most of the time because it is convenient I think they, for some, make impulse buys with money you haven’t yet earned too easy and tempting. Some do not have the discipline to resist such spending. Part of the credit crisis was down to the huge levels of debt accumulated on credit cards.

If your contactless credit card is lost or stolen, then yes, the thief can spend on it until you report it stolen but only six times. However, your card issuer will reimburse any fraudulent transactions and you won’t have to pay for them. So there’s nothing to worry about with contactless credit cards.

I wouldn’t want a contactless debit card though, as it allows a thief to spend your money immediately rather than the card issuer’s money. Even if any fraudulent use is subsequently reimbursed, the temporary loss of your own money might cause problems.

NFH, thanks for the information. I am not clear though – how can it be used only six times if stolen? I might not realise it is lost for a while. Surely until it is reported stolen it is assumed I am using it? Forgive me if I am naive here – I don’t (currently) have a contactless card.

As far as not worrying about the loss because the card company will reimburse it, in the end it is all card users who will pay one way or another, isn’t it. A bit like all fraud – we all end up paying in premium hikes, bank charges or whatever?

According to the Which? guide to Contactless Payments referenced in the Intro [click on contactless cards in red] :

“Although contactless transactions do not require a Pin to be entered, card issuers will restrict the number of contactless transactions that can be made before the Pin is requested, to prevent fraud. Our research suggests a thief would be able to spend between £45 and £100 before being asked to provide a Pin.

“Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. This means that if you’re a victim of fraud, your bank will refund you the money, provided it’s not a result of your own negligence. However, you will have to pay the first £50 of the total amount of fraudulent transactions made on your card. . . .”

So you could be caught for up to £50 even if the transactions were fraudulent.

If Which? is actually right. However, never mind the £50, who will prove if it’s a result of your own negligence? Well, guess who – Banks. Another nice way out for them – if you lose your contactless credit card, just guess who the Banks will blame.

I had assumed that people who lose their contactless payment card will tell the bank that they have lost it. The bank would not have to blame anybody else, let alone themselves, for such a situation.

If somebody finds the card and uses it that is a fraudulent transaction for which reimbursement [above £50] applies.

Don’t apologise. NFH’s post is confusing in the extreme, and really makes little sense. His (her) trust in the Banks to reimburse so-called contactless fraud is naive at best.

NFH’s comment seemed clear enough to me. The card will stop working after six PIN-less uses [so there might be only one more use left on the card at the time it goes missing]. Whether the card-holder had lost it or whether it had been stolen does not affect the question of reimbursement – that depends entirely on the misuse being fraudulent [i.e. by somebody not entitled to be in possession of the card].

So what you are saying – is the thief can use it limitless times, but then only six times after it is reported stolen? Or are you saying the thief can only use it 6 times even if it’s not reported stolen – I fail to understand your post. PS credit card companies are promoting so-called “contactless” payment because they firmly believe we will spend more. Your trust in the Banks’ willingness to reimburse allegedly fraudulent contactless payments is amazing. How short is your memory?

Ron – My comment between the quotation marks was an extract from a Which? document that is referenced in the Intro to this Conversation. I didn’t write it so I cannot help with comprehension, but I think the burden of it is that the stopping of PIN-less transactions occurs after a certain number of uses of the card, whether by the legitimate owner or by anybody else, and is not triggered by the reporting of theft or loss. Obviously, the sooner that any loss of the card is reported, the quicker all further transactions on it can be stopped. While it might be bothersome to have to use a PIN every so often to revalidate the card this is a useful protection that is making contactless cards popular.

The point about refunds for fraudulent transactions is not my words but Which?’s, but again I think it means exactly what it says and that card-holders in those circumstances will be reimbursed [except for the first £50] as that is fundamental to the contract between the bank and the customer.

My memory of banks and their relationships with customers is very long indeed and I cannot recall any cases of default on contractual liabilities. Some perseverance might be required to substantiate a claim but once accepted [with the assistance of the Ombudsman if necessary] the banks do pay up. It would be against their commercial interests not to as the uptake of new payment mechanisms would be severely retarded.

In view of what I read in the Which? guide, a PIN will still be required to validate the card after every five or six uses. So this is obviously not going to be the end of the PIN.

I endorse what NFH says about contactless debit cards as they allow immediate access to your account, so that’s another PIN required for as far ahead as we can see.

I can only assume that the “two-thirds (67%) of us (who) think the PIN will soon be a distant memory of the banking past, according to research by Intelligent Environments” are probably not fully-informed. I am certainly not fully informed because I found out recently that one of my cards is a contactless one but I do not recall receiving any information about it or how it works. I am grateful to Which? for producing the guide to Contactless Payments – undated unfortunately but some time in the summer of 2015.

Thanks John – I should have read the intro more carefully. When some of us may have trouble remembering our PIN, using it only once in every six transactions might make it even more difficult 🙂 .

However I note that if the card is lost or stolen the card issuer will reimburse you. Lost? Surely our responsibility to look after the card, just like you would your wallet or purse. Perhaps just reassurance from the card issuers to persuade us to accept them.

I’d prefer to have a convenience card like this that we pre-load with our own money. We might then look after it a little more carefully, but mainly live a little less off credit. 🙁

A week of security flaws as reported by the Register. Looking at a single aspect of payments and declaring it safe surely is rather misleading if the basis on which it exists is riddled with problems?

My honest opinion is that all the current systems will be hacked within two years to a greater or lesser degree. As for asking the general public on views of future payment methods when the knowledge base is tiny …….
Keeping such antiquated systems as cash and cheques in being is a vital fall-back.

Walmart spied on workers’ Tweets, blogs before protests
Defence contractor Lockheed Martin provided intelligence services before Black Friday

Microsoft takes PUPs behind the shed with gun in hand
Cute canines safe, ‘Potentially unwanted programs’ now nixed by System Centre or Forefront

Hello Barbie controversy re-ignited with insecurity claims
Doll leaks data, even before the tear-downs are finished

Telegram Messenger delivers candygrams to stalkers
Too easy to work out who’s talking to whom, says researcher

Final countdown – NSA says it really will end blanket phone spying on US citizens this Sunday
We’re leaving together …

Millions of families hit in toymaker VTech hack – including 200,000+
Youngsters’ personal info, parents’ contact details leak from Chinese gizmo giant

Kids charity hit by server theft
Some personal data stored, but motive likely equipment theft, says Plan

Hungryhouse resets thousands of customers’ passwords
Good security hygiene after third-party data breach

Mr Grey, the Russian hacker who helped haul in 1.2 billion logins
Courts release open source intel data sales scams on one man

Hackers spray Reader’s Digest stinky feet with exploit kit
Home remedy seekers backdoored by Bedep

HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking
Embedded device mayhem as rivals share keys

Microsoft rides to Dell’s rescue, wrecks rogue root certificate
Windows Defender lives up to its name by dealing death to Dell’s dumb

Last call for the NCC Group Cyber 10K challenge
Get your entry in by Nov 30 for chance to win £10,000

Nuclear exploit kit seen chucking CryptoWall 4.0 at late patchers
First time this one’s been seen in the wild

RAF web survey asks for bank details via unencrypted email
Hey participants, don’t be like Jeremy Clarkson. Enough said

Researcher reveals Chinese e-crime shopping list
Crazy low prices for app ‘purchases’, or perhaps you’d like a poison PoS unit?

Lenovo slings privilege patches at in-built tools
Temp account means God mode for regular users.

Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study
SSH logins, server-side HTTPS certs baked in firmware

Nest defends web CCTV Cam amid unstoppable 24/7 surveillance fears
The truth about camera that seemingly keeps recording even when powered

Finding security bugs on the road to creating a verifiably secure TLS
Microsoft, French bods push for mathematically provable bug-free code

Plusnet ignores GCHQ, spits out plaintext passwords to customers
At least we don’t email them, says security-shy telco

Hilton confirms hotel credit-card-snaffling sales till malware hit
Check your bank statements if you paid on plastic

Why Microsoft yanked its latest Windows 10 update download: It hijacked privacy settings
Update now fixed, we’re told

Hacker predicts AMEX card numbers, bypasses chip and PIN
Easy algorithm and US$10 bork-box mean fun for fraudsters

Second Dell backdoor root cert found
Blackhats, head straight to the airport lounge.

Amazon resets account passwords feared compromised – report
Book baron keeps mum about reason for emergency emails

Tor Project: Anonymity ain’t free, folks. Pony up
Privacy network passes around the hat

Dell computers bundled with backdoor that blurts hardware fingerprint to websites
How it works

Fifth arrest in TalkTalk hacking probe: Now Plod cuff chap in Wales
Do they even have the internet in Wales?

Cyber-terror: How real is the threat? Squirrels are more of a danger
No, go ahead, let’s spend billions worrying about an iPearl Harbor

Video malvertising campaign lasted 12 hours? Try two months
Vid crapware issue worse than you thought – researchers

North Korea is capable of pwning Sony. Whether it did is another matter
PART 2 – It looked like a training exercise anyway

Who’s right on crypto: An American prosecutor or a Lebanese coder?
District attorney and encrypted chat app dev sound off on privacy

British duo arrested for running malware encryption service
Customers freak, yell “Time to DBAN!”

Paris, jihadis, tech giants … What is David Cameron’s speechwriter banging on about now?
Clare Foges’ outburst pulled apart by law prof, infosec expert

World’s most complex cash register malware plunders millions in US
‘ModPos’ kernel monster threatens haul during festive shopping blitz

Pen tester sounds alert over ‘gaping’ flaws in Brit alarm platform
To update a CSL DualCom rig rip off the glue, unscrew the box, manually flash each unit

Dell: How to kill that web security hole we put in your laptops, PCs
Promises to automatically remove root CA cert from machines from Nov 24

Superfish 2.0 worsens: Dell’s dodgy security certificate is an unkillable zombie
And now here’s how you can really destroy it

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole
Root CA certificate opens up folks to banking, shopping snooping, etc

Shocker: Smut-viewing Android apps actually steal your data
Pr0n software actually leads to pwnage

Homebrew crypto in Telegram hangout app full of holes, say security
‘Jihadi favourite’ cooked up by Vkontakte’s Durov Bros

Want to defend your network? Profile the person attacking it
PART 1 – Can’t keep them out, so catch them while they’re in

Data breach at biz that manages Cisco, F5 certs plus many others
Pearson VUE says credentials manager product affected

Malvertising: How the ad model makes crime pay
… and who’s liable for all the money lost?

Top Android app devs found exfiltrating mystery stealth packets
Half of covert packets are about analytics, half are a mystery

Say again

For me, the main virtue of a contactless card is that it eliminates the possibility that someone could see me entering my PIN in a busy environment such as a supermarket checkout. It would be interesting to find out how much is paid out to customers for card fraud and whether the amount has gone up or down since the roll-out of contactless cards.

I’m not keen on using a mobile phone for any financial transactions. Ignoring security issues, mobiles get stolen, the battery can be flat when they are needed and they are targets for thieves.

Really? So you see contactless cards as a way of eliminating PIN card fraud where the accidental crim in the queue behind you views your PIN, and then mugs you for that card, which you would report immediately? And the crim that lifts your contactless card without your knowledge and then loads it up is in some way less of a risk? Explain, I don’t understand your logic, my friend. Contactless cards were introduced by Banks on the basis that the easier you can make a payment, the more you will spend. How can a card that requires no authorisation be safer than one that does? Think about it.

First there is an upper limit [£30] on individual transactions, second there is a limit [5 or 6 depending on issuer] on the number of PIN-less uses before revalidation is required by inputting the PIN, and third they are not compulsory – banks will replace contactless cards with PIN-only types on request.
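The controls described in this reply and in John’s earlier summary of the Which? guide (a £30 per-transaction ceiling, a cap of five or six PIN-less uses before the PIN is demanded, and the PIN resetting that count) can be written down as a small authorisation model. The following is an added illustration, not code from Which? or from any card issuer: the limit values come from the thread, while the policy structure, the optional cumulative-value cap (one way to account for the £45–£100 figure Which? quotes) and all function names are my own assumptions.

```python
"""Simplified issuer-side risk model for a 2015 UK contactless card, built from
the limits quoted in the thread. Added example; not any real issuer's scheme logic."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

CONTACTLESS_CEILING = Decimal("30.00")   # per-transaction cap quoted in the thread


@dataclass
class CardRiskState:
    pinless_limit: int                              # 5 or 6, issuer-dependent per the thread
    pinless_value_limit: Optional[Decimal] = None   # assumed cumulative cap; None = count only
    pinless_count: int = 0                          # consecutive PIN-less approvals so far
    pinless_total: Decimal = Decimal("0")           # value spent since the last PIN entry
    frozen: bool = False                            # set once the card is reported lost/stolen

    def authorise(self, amount: Decimal, contactless: bool, pin_ok: bool = False) -> str:
        """Decide one presentment: 'APPROVED', 'PIN_REQUIRED' or 'DECLINED'.

        contactless=True,  pin_ok=False -> a tap without a PIN
        contactless=False, pin_ok=True  -> a chip-and-PIN transaction
        """
        if self.frozen:
            return "DECLINED"                      # reported card: nothing goes through
        if contactless and not pin_ok:
            if amount > CONTACTLESS_CEILING:
                return "PIN_REQUIRED"              # over £30: insert the card and enter the PIN
            if self.pinless_count >= self.pinless_limit:
                return "PIN_REQUIRED"              # revalidation after N PIN-less uses
            if (self.pinless_value_limit is not None
                    and self.pinless_total + amount > self.pinless_value_limit):
                return "PIN_REQUIRED"              # assumed cumulative-value cap reached
            self.pinless_count += 1
            self.pinless_total += amount
            return "APPROVED"
        if pin_ok:
            # A successful PIN entry resets both PIN-less counters.
            self.pinless_count = 0
            self.pinless_total = Decimal("0")
            return "APPROVED"
        return "DECLINED"

    def report_lost(self) -> None:
        """What the card-holder's phone call to the issuer does to the model."""
        self.frozen = True


def worst_case_exposure(pinless_limit: int, used_before_loss: int = 0,
                        value_limit: Optional[Decimal] = None) -> Tuple[int, Decimal]:
    """Taps and money at risk on a card that is never reported: each tap at the
    £30 ceiling until the card itself demands a PIN. This is the figure the
    thread argues about (six uses vs. the £45-£100 Which? quotes)."""
    card = CardRiskState(pinless_limit=pinless_limit, pinless_value_limit=value_limit,
                         pinless_count=used_before_loss)
    taps, spent = 0, Decimal("0")
    while card.authorise(CONTACTLESS_CEILING, contactless=True) == "APPROVED":
        taps += 1
        spent += CONTACTLESS_CEILING
    return taps, spent


if __name__ == "__main__":
    print(worst_case_exposure(6))                                   # count-only issuer
    print(worst_case_exposure(6, value_limit=Decimal("100.00")))    # with assumed value cap
    print(worst_case_exposure(6, used_before_loss=5))               # one tap left when lost
```

The model makes John’s point concrete: the PIN demand is driven by the card’s own counters, not by the loss being reported, so the exposure on an unreported card is bounded by the count (and, where an issuer also caps value, by that cap) rather than being unlimited; reporting the loss is what closes the remaining window.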

Ron – I take care with my cards, but there is always the possibility that someone could grab my card from my hand or the card reader. If someone saw me enter my PIN and then grabbed my card they might manage to use it before I managed to report the incident. As John says, there is an upper limit for transactions on a contactless card before the PIN is needed, so there will be fewer opportunities for someone to see me enter the number.

Hopefully we will have better security in place soon. I have never been happy with systems based on use of a four digit PIN.

Sometimes my contactless card does not work and I have to put in my PIN. From the comments of checkout operators it seems that I am not alone. How reliable is the technology?

Totally trustworthy according to you.

I now suspect that the times that my contactless card did not work were those occasions when the system expected me to enter my PIN. Like me, the shop assistants assumed that there was a problem.

We are still on a learning curve with this payment system. Either the issuers have not explained the process adequately to people receiving contactless payment cards or card-holders have failed to read or understand the information provided. I think the unsolicited and automatic issue of contactless payment cards as previous cards reached their expiry date was a mistake. A lot of people have no need of one, preferring to use cash for payments up to [and beyond] the £30 limit. Although I share Wavechange’s reservations over the use of a four-digit PIN, I feel more in control of the transaction when I complete it by using my PIN.

This comment was removed at the request of the user

At the moment there is no totally secure encryption and if and when Quantum computing becomes a reality then it’s unlikely anything will be. RSA encryption is pretty good for most purposes but the big weakness behind current systems is that no string of so-called ‘random’ numbers is actually random: they’re all based on algorithms, so any sufficiently powerful computer with a similar algorithm can crack them – eventually. A Quantum computer, however, could theoretically examine billions of options simultaneously, so something new will be needed. The latest idea seems to be trying for truly random numbers, and for that some researchers are turning to the Cosmic Microwave Background. Fun times ahead 🙂
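The distinction this comment is reaching for is between an algorithmic generator, which replays the same sequence for anyone who knows its seed, and a generator that draws on operating-system entropy. As an added example (not part of the thread), the block below contrasts the two in Python, using the four-digit PIN format the article discusses; `random.Random` is a seeded Mersenne Twister and `secrets` reads the OS entropy source, while the helper names are my own.

```python
"""Seeded PRNG versus OS-backed CSPRNG, shown on four-digit PINs. Added example."""
import random
import secrets
from typing import List


def pins_from_seeded_prng(seed: int, n: int) -> List[str]:
    """n four-digit PINs from a PRNG seeded with `seed`. Any party who knows the
    seed and the algorithm reproduces exactly this list, which is the weakness
    the comment above describes."""
    rng = random.Random(seed)          # Mersenne Twister: deterministic given the seed
    return [f"{rng.randrange(10000):04d}" for _ in range(n)]


def is_reproducible(seed: int, n: int = 20) -> bool:
    """True when two independent generators given the same seed emit the same PINs."""
    return pins_from_seeded_prng(seed, n) == pins_from_seeded_prng(seed, n)


def pin_from_csprng() -> str:
    """One four-digit PIN from the operating system's CSPRNG via `secrets`.
    There is no application-level seed to recover, so each call is independent
    of the last; this is the generator to use for anything security-sensitive."""
    return f"{secrets.randbelow(10000):04d}"


def looks_like_pin(pin: str) -> bool:
    """Format check used by the test: exactly four decimal digits."""
    return len(pin) == 4 and pin.isdigit()


if __name__ == "__main__":
    print("seeded, run 1:", pins_from_seeded_prng(2015, 5))
    print("seeded, run 2:", pins_from_seeded_prng(2015, 5))   # identical to run 1
    print("CSPRNG:       ", [pin_from_csprng() for _ in range(5)])
```

The practical rule this illustrates: a statistical PRNG is fine for simulations, but PINs, tokens and keys must come from a CSPRNG such as `secrets` (or `os.urandom`), because its output cannot be replayed from a seed.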

Maybe for you Pal

Keith says:
1 December 2015

Pin numbers are not infallible. About 2 years ago we were ordering some photos via a machine in a Tesco store. We chose the photos, and I inserted my card into the reader, we then started a discussion about did we really want so many. Before we had made our minds up the machine went into action and started printing them. So our photos were printed and the money taken from our account without any Pin number being entered at all. So how did that happen ? We got what we wanted, the payment was correct. The machines have now been superseded .

I’ve enabled Apple Pay, though not used it yet. One thing does concern me – during a holiday in September (this country) I found that my iPhone kept failing to recognise my thumbprint. I would reset the print and it would work for a few hours, then fail again. It wasn’t the phone (which has worked perfectly since), but one or both of the change of water and soaps. That would be really frustrating if one was relying on thumbprint recognition to validate payments.

Very very interesting post L Ellis. It is not a weakness I have heard of before – but then I do not track the subject.

It does raise the consideration of how you manage if you cut or abrade your thumb. Perhaps Which? researchers could list the known downsides of the various recognition systems. It seems a pretty raw deal that we have large sections of the industry and media telling us how wonderful everything is but no general consumer voice outlining pitfalls to be aware of.

Some research which does provide accuracy for most but highlights outliers one of which relates to scarred fingers. Not explored in the article is fake finger casts which are probably unlikely.

I add a link to a technically superior system at the end of this post.

Outlying subject 1 (SI Appendix, Fig. S11): The estimated intercept of this subject is very small. The subject consistently gives low genuine match scores because his fingerprints are severely scarred.

Outlying subject 2 (SI Appendix, Fig. S12): The intercept of the fitted model for this subject is rather large, although the slope is negative. This subject consistently gives high genuine match scores because his fingerprint impressions are of good quality.

Outlying subject 3 (SI Appendix, Fig. S13): This subject shows a very sharp decrease in genuine match scores as a function of time interval. In SI Appendix, Fig. S13A, the genuine match scores involving the first fingerprint impression are very low. This fingerprint impression is indeed an impostor fingerprint (SI Appendix, Fig. S13B); it is of tented arch type whereas the actual pattern of this finger is a right loop. After inspection of the subject’s 10-print cards, it turned out that the subject’s left and right hands were swapped at the time of the first 10-print card acquisition; the first impression came from the subject’s left index finger, instead of right index finger. This shows that operational fingerprint data can be mislabeled.

Outlying subject 4 (SI Appendix, Fig. S14): This subject also has a steep slope. It turned out that the fingerprint impressions of this subject were collected during his adolescence (starting at the age of 11 until the age of 21). This explains the sharp decrease in genuine match scores due to growth in finger size (19).

Outlying subject 5 (SI Appendix, Fig. S15): A positive slope is observed for this subject because the comparisons involving a lower quality fingerprint were made over a shorter time interval than the comparisons with higher quality fingerprints. This example illustrates that the fingerprint image quality does not necessarily vary with respect to time elapsed.
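The extract speaks of each subject’s “intercept” and “slope”, meaning a straight line fitted to genuine match score against the time elapsed between two impressions, and the practical consequence for a payment system is whether a fixed acceptance threshold starts rejecting the legitimate finger. The block below is an added illustration, not code from the thread or from the paper quoted: it fits that line by ordinary least squares and computes the false-reject rate at a threshold for three constructed subjects mirroring the scarred, typical and adolescent cases. The score scale, threshold and sample values are assumptions.

```python
"""Per-subject trend of genuine fingerprint match scores over time, and the
false-reject rate a fixed-threshold matcher would produce. Added example with
constructed data; score scale (0-100) and threshold are assumptions."""
from typing import Dict, Sequence, Tuple


def fit_line(x: Sequence[float], y: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least squares fit of y ~ intercept + slope * x.
    Returns (intercept, slope); the extract's 'intercept' is the expected
    genuine score at zero elapsed time, its 'slope' the change per unit time."""
    n = len(x)
    mean_x = sum(x) / n
    mean_y = sum(y) / n
    sxx = sum((xi - mean_x) ** 2 for xi in x)
    sxy = sum((xi - mean_x) * (yi - mean_y) for xi, yi in zip(x, y))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def false_reject_rate(genuine_scores: Sequence[float], threshold: float) -> float:
    """Fraction of genuine comparisons a matcher would wrongly reject, i.e. the
    share of the subject's own attempts that score below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


# Constructed sample: years between impressions -> genuine match score (0-100).
SUBJECTS: Dict[str, Tuple[Sequence[float], Sequence[float]]] = {
    "typical":    ([0, 1, 2, 3], [100, 90, 80, 70]),   # gradual decline with age of template
    "scarred":    ([0, 1, 2, 3], [30, 28, 26, 24]),    # small intercept: always low scores
    "adolescent": ([0, 1, 2, 3], [95, 65, 35, 5]),     # steep slope: finger growth
}
THRESHOLD = 50.0   # assumed acceptance threshold on the 0-100 score scale


def analyse(subjects=SUBJECTS, threshold: float = THRESHOLD) -> Dict[str, Dict[str, float]]:
    """Intercept, slope and false-reject rate for every subject in the sample."""
    result = {}
    for name, (years, scores) in subjects.items():
        intercept, slope = fit_line(years, scores)
        result[name] = {
            "intercept": intercept,
            "slope": slope,
            "frr": false_reject_rate(scores, threshold),
        }
    return result


if __name__ == "__main__":
    for name, stats in analyse().items():
        print(f"{name:10s} intercept={stats['intercept']:6.1f} "
              f"slope={stats['slope']:6.1f} FRR@{THRESHOLD:.0f}={stats['frr']:.2f}")
```

Read against the thread: the scarred subject is rejected every time at this threshold, not because anyone is impersonating him but because his genuine scores never clear it, while the adolescent subject is accepted only while the enrolled template is young. That is the failure mode the “forgotten PIN” discussion does not have, and why a biometric-only scheme needs a fallback and re-enrolment rather than simply a looser threshold.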


You must like doing this nobody cares nor understands what your posts mean. Maybe try them on a different forum.

I think that is a very harsh reaction to DieselTaylor’s contribution, Ron. I found it useful to see that finger-print recognition is far from perfect and that there are a number of complications that have to be factored into the process in order to make it reliable but without degrading its security integrity. Translating technical documents for easy reading is difficult because it can lead to its own misinterpretations or over-simplifications. As you suggest, most people will not need to linger over the detail but the links are available for those that wish to explore further and the extract that DT has supplied gives an impression of the scope of the issue which I thought was worth reading. It was presented in such a way that it was easy to recognise and to skip if too complex.

I moved from the USA two years ago where you don’t need a PIN, just swipe your card and sign the slip.
When I moved here I felt more secure having to use a PIN. It appears the States are behind; using a PIN is the way to go. In the USA it’s easy to commit fraud when no PIN is required. Fight to keep the PIN.

Absolutely Fiona. We developed a pretty secure system here, and now the Banks want to make it way less secure. You can see from the posts here that a majority of people have persuaded themselves that the Banks are right, and find puerile arguments to support them. People have such short memories.

Many years ago in Homebase I paid but inadvertently used my wife’s card, signing the slip with my signature – totally different from hers. No problem! So signature is out. Fingerprint? Iris (can you see them through contact lenses)?

This comment was removed at the request of the user

Of course a lot of people see this as a good thing as the authorities are building up a useful database that they can use to eliminate the innocent or unconnected from their investigations and concentrate more rapidly on the real perpetrators of crimes and sedition.

“We’ve already adopted contactless systems such as contactless cards and Apple Pay in the UK. Paying via these methods has rocketed by 200% since the payment limit was increased from £20 to £30 in October.”

Yet again a Which? article using percentages without any grounding in overall figures. I suppose I should have picked it up last year but I was very busy after the Consumers’ Association AGM and it slipped by me.

Just to illustrate. One contactless card transaction Monday. Two on Tuesday equals a 200% increase in usage. If overall card transactions are 1 million per day these contactless card figures are insignificant.

I hope Which? writers will note that unsupported figures, rather like the unquantified number of consumers who like receiving cold calls, leaves a very cold doubtful feeling in the reader regarding the quality of the content.