Self-selected PINs aren’t that hard to guess

Four-digit banking PINs are usually assigned at random by the bank after a credit or debit card is issued, but some banks still let their customers choose their own PINs so that they can remember them more easily.

Wondering how easy these self-selected PINs are to guess, and failing to find any concrete study on the matter, a team of researchers from the University of Cambridge Computer Laboratory set out to answer the question themselves.

“After modeling banking PIN selection using a combination of leaked data from non-banking sources and a massive online survey, we found that people are significantly more careful choosing PINs than online passwords, with a majority using an effectively random sequence of digits,” says one of the researchers, PhD candidate Joseph Bonneau. “Still, the persistence of a few weak choices and birthdates in particular suggests that guessing attacks may be worthwhile for an opportunistic thief.”

To build that model, they analyzed passwords and PINs from two existing sources: the 32 million textual passwords leaked in the breach of the RockYou website (taking into account only the consecutive four-digit sequences found in those passwords), and Daniel Amitay’s research on the 10 most common iPhone passcodes.

In addition, they deployed an online survey asking people to anonymously answer questions such as “Do you use the same PIN for multiple cards?”, “Do you use the same PIN for several cards?” and “Have you ever used a PIN from a payment card for something other than making a payment or retrieving money?”. A further set of questions did not require respondents to share their exact PINs but let the researchers determine whether a PIN was the user’s birth date or year, a date or year of an important event (in their own life, in the life of someone close to them, or in history), a pattern, or some other number such as the digits of a phone number, a ZIP or postal code, a bank account number, a non-government identification number, and so on.

“In total, 63.7% [of the respondents] use a pseudorandom PIN,” Bonneau shared. “Unfortunately, the final group of 23% of users chose a PIN representing a date, and nearly a third of these used their own birthday. This is a game-changer because over 99% of customers reported that their birth date is listed somewhere in the wallet or purse where they keep their cards. If an attacker knows the cardholder’s date of birth and guesses optimally, the chances of successfully guessing jump to around 9%.”

“A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234,” Ross Anderson, another researcher on the team, commented for the NYT. “There the thief cashes out once every 11 wallets.”

Blacklisting easy-to-guess PINs, such as those consisting of the same digit four times, a repeated pair of digits (including minimal variations on it), and similar patterns, helps somewhat, but unfortunately does not solve the problem of users who choose their birth date as a PIN.
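As an added example (not code from the researchers or from the article), the pattern blacklist described above in Python, plus an optional check against the cardholder's date of birth; the specific rules, the date forms and the function names are my own choices, and the assumption is that the issuing bank already holds the customer's birth date.

```python
import re
from datetime import date
from typing import Optional, Set

# Pattern classes the article says a blacklist should reject (constructed
# rules): all four digits equal, a repeated pair such as 1212, and the
# "minimal variation" of a mirrored pair such as 1221.
SAME_DIGIT = re.compile(r"^(\d)\1{3}$")
DIGIT_PAIR = re.compile(r"^(\d)(\d)(?:\1\2|\2\1)$")


def is_sequential(pin: str) -> bool:
    """True for runs like 1234 or 9876 (constant step of +1 or -1, no wrap)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def date_forms(dob: date) -> Set[str]:
    """Four-digit forms a cardholder might derive from their birth date:
    DDMM, MMDD, YYYY, the two-digit year doubled (1985 -> 8585), DDYY, MMYY."""
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yy = f"{dob.year % 100:02d}"
    return {dd + mm, mm + dd, str(dob.year), yy * 2, dd + yy, mm + yy}


def check_pin(pin: str, dob: Optional[date] = None) -> Optional[str]:
    """Return a rejection reason, or None if the PIN passes the blacklist.

    The pattern rules alone cannot tell a birth date from a random PIN, which
    is exactly the gap the study points out; passing the cardholder's known
    date of birth closes it for the most common date-based choices.
    """
    if not re.fullmatch(r"\d{4}", pin):
        return "pin must be exactly four digits"
    if SAME_DIGIT.match(pin):
        return "same digit repeated"
    if DIGIT_PAIR.match(pin):
        return "repeated or mirrored digit pair"
    if is_sequential(pin):
        return "sequential digits"
    if dob is not None and pin in date_forms(dob):
        return "derived from cardholder's date of birth"
    return None
```

Without a `dob`, a PIN such as `1403` is accepted; the same PIN is rejected once the issuer supplies a birth date of 14 March.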

All in all, the researchers concluded, the best solution would be for banks not to allow customers to choose their own PINs at all.

For more details about the methodology of their research, download the paper.
