Have you ever tried to buy groceries, swiped your debit card, and then needed to contort your fingers into a pretzel in order to fit them into the tiny slot at the POS machine just to enter your PIN? What about buying gas at the pump and the photo pops up on the screen telling you to shield your PIN-entering hand with your other hand? I laugh to myself whenever I’m forced to be ultra-secretive about entering my PIN on a machine. I laugh because I know it is completely meaningless if a would-be thief watches you. Let me explain. By the way, I’m never going to say “PIN Number” in this article because that’s redundant. That’s like saying “Personal Identification Number Number.” Stop doing it if you’re currently saying that.

A thief needs two things to perform a PIN-based transaction on your account: your PIN (personal identification number) and your debit card. A thief can do some damage with your debit card by itself but can do absolutely nothing with only your PIN. I’ll speak on the PIN first and then get back to the card number.

There seems to be this belief that a person’s 4-digit PIN is completely unique to that person and nobody else in the world has it. Therefore, if a thief figures it out, your account is as good as hacked. That is absolutely false. Hypothetically, every one of us could use the same PIN on our debit cards and it would be business as usual with no change or interference whatsoever. The card number is the unique factor in the equation, not your PIN. That is why I find it ridiculous to put all these measures in place to force us to contort our fingers to enter our PIN while buying groceries. A thief could practically put his face right in front of your hand, write down the numbers you are punching, and still not be able to do anything unless he stole your card. So, the idea of shoulder surfers watching you enter your PIN so they can steal from your account is absurd. Now, the thief could jump you in the parking lot and steal your card and then go on a spending rampage before you call or use your banking app to cancel your card, but that isn’t likely.

Years ago, I saw a warning video floating around online that showed how a would-be thief could download an app that could detect fresh fingerprints and copy the image on a POS machine. The video showed a customer buying groceries and paying for them using a PIN-based transaction. As soon as the customer left, the thief walked up to the POS machine, scanned the fresh fingerprints with his phone, and stored the image. The central warning message of the video was that this thief could figure out your PIN based on the fingerprint scan and then steal from your account at will. The glaring falsehood in this video that was never mentioned is the fact that the thief can do nothing without your physical debit card. Because of this, the warning was a complete waste of time assuming you weren’t about to have your card stolen off your person. I read the comments on the video and people were freaking out about how easy it is to figure out your PIN. I’m here to tell you—stop freaking out. A thief needs your card in order for the PIN theft to hurt you. I could practically shout my PIN out loud every time I used it anywhere and my account would be just as safe as it was if I kept quiet.

Now, about debit card theft. There are numerous ways that this can happen, but for this article we’ll assume the thief stole your physical card. The thief doesn’t need your PIN to use the card. When you swipe your card at the machine, you may notice you are often asked if you want to do a credit or debit transaction. This has to do with how the transaction is processed, not with what type of card you’re using. You can use a debit card and select either option. If you select “Credit,” then you will sign for the transaction and not enter the PIN. The money typically leaves your account in 1-3 days after your purchase. If you select “Debit” or “PIN,” then you enter your PIN and the money leaves your account the same day. On the banking side, the transaction code is different depending on what you press. So, the bank can see if you pushed “Credit” or “Debit” to buy your items. The thief can simply push “Credit” and forge the signature and make the purchase with your stolen card. That’s why I say a thief can do some damage if he has your card but not your PIN.

Along those lines, if the thief DOES have your PIN, it makes it harder for the account owner to prove they weren’t involved. It’s so unlikely that a thief would have both pieces that Fraud Departments are less likely to believe the transaction was fraudulent. Also, it is common for a person to give their debit card and PIN to a relative, only to then have unauthorized transactions after the fact. This makes it harder for everyone. I’m not saying it’s impossible, but it makes your case harder to prove. Bottom line: don’t give your card and PIN to anyone who isn’t on the account with you. I’ve seen this scenario go south numerous times.

I’ll end by adding a banker’s plea to everyone who uses a debit card: please DO NOT use the last 4 numbers of your social security number or your birth year as your PIN. If I were a thief, that’s exactly what I would try to use if I stole your card. Chances are, I’d be successful. Stop doing it. Use a 4-digit number that has nothing to do with anything in your life. Make up random numbers or use a random pattern on the keypad. Don’t use any kind of number that’s personal to you.


PINs and Debit Card theft