One of my credit cards is going to expire soon. Apparently somebody at the credit card company has read Ross Anderson’s Liability and Computer Security: Nine Principles and tries to apply it to they advantage. I just received a letter informing me that my next card would come with a chip, and that in the future I would use a PIN instead of my signature to authorize payments. The company offers me to tell them my favorite PIN in advance so they can use that one, otherwise they would pick one for me. That’s all fine.
However, after setting me up to tell them my PIN – which shouldn’t be a problem, I will later give the PIN away to strangers with every payment anyway – their letter tries to instruct me to keep my PIN secret. My PIN would be for my eyes only, and the company would never ask me for it. Wait, what did this very letter just do?
I think I’m going to send them a nice letter. With my favorite PIN, handwritten. Followed by a few unpleasant questions.