PIN is a Four Letter Word
Presenting my credit card in Europe always caused an awkward moment when they realized I was American. Even when I did get a card with a chip (which was a pain in the butt two years ago), American chipped cards don’t use PIN passwords… so they would run my card, look exasperated while the machine printed out a slip for me to sign and they fumbled for a pen.
Chipped cards are way more secure than the old magnetic stripe, but then there isn’t much way stripes could be less secure. A chip has special encryption for every transaction, it doesn’t leave data in the local card processor but instead acts as a little computer that talks directly with the bank. Then the bank tells the merchant that they got the money, but your card number is never exposed.
Stripes however, are just an easier way to type your number into a machine-- if you run your card through a magnetic strip reader on a computer, it just dumps your credit card number to the screen. You’re just letting the merchant copy your credit card number and expiry.
I remember hearing about a store clerk who stole hundreds of credit card numbers by just swiping cards through his Palm Pilot (yes that long ago) until someone noticed and called a manager, who in turn called the cops… no matter that this had gone on for months under the manager’s nose, but I don’t want to point fingers.
So now we all have these little computers on our cards and everything is cool, right? Managers don’t have to pay attention! Well….not exactly.
Because you don’t need a PIN, I can steal your card and use it. Even if they ask for a signature I can sign and not even be close -- there isn’t any signature verification on the computer pads we usually sign on now. And we don’t really hand our cards over as much as we used to so it’s not likely anyone is going to check the signature on the back of your card.
The reason we aren’t using PINs is a wonderfully American reason -- it’s too hard to remember. Really, that’s the only reason I saw for why we’re doing signatures rather than a unique PIN that verifies you are you.
We make choices between ease-of-use and security all the time. Sometimes it’s comfort, like why we don’t have 4-point restraints for seatbelts like they have in racing cars. Sometimes it’s plain stubbornness like “you can have my gun when you pry it from my cold dead hands” (which seems to be more likely every day).
But usually it’s because we’re just lazy. It’s too hard to remember a PIN, so let’s leave that feature out. Or even more insulting, designers just assume everyone else is too stupid to use something. Someone once told me that there was a study in the 70s that showed most people wouldn’t be able to understand how to use a mouse, which might explain why Xerox couldn’t figure out how to sell the GUI (and then let Apple steal the idea).
I admit, my brother and I refer to Rule Number One every time we talk about “people in general” (Rule 1: people are stupid. Rule 2: see rule 1). But people are amazingly clever. Often they’re clever idiots, but they’re still clever.
I like to assume that if there’s a good reason for it, people will figure out how to use things. Hell, I know for a fact that even when there’s a stupid reason or no reason at all, they can figure it out.
Even the enormously complex task of remember four digits.
Share this article:
Be sure to see my blog over at Cloudenity. This week's topic:
Identity Isn't Just for Users Anymore