back to article Crap PINs give wallet thieves 1-in-11 jackpot shot

Four-digit banking PINs are almost as insecure as website passwords, according to a study by Cambridge University computer scientists. The first-ever quantitative analysis of the difficulty of guessing four-digit banking PINs estimates the widespread practice of using a date of birth as a PIN code and other factor means that …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge
FAIL

Simple solution...

Allow for PINs longer than four digits. Better still, insist on them!

Cheques to the usual address please Mr. Banker.

11
1

Re: Simple solution...

Problem is that 4 digit PINs are deeply entrenched into the system ... you'd need to make changes to terminals etc worldwide to cope with the change (for example virtually all UK ATMs wait for 4 key presses for PIN entry). I lived for a time in the US at end of 90s and there you could have a longer PIN number on cards .... but every so often you'd read a travel article that would warn readers that before travelling to Europe they should change their PIN to a 4 digit number as otherwise they could find they were unable to use their cards when European card readers assumed a 4 digit pin.

2
0
Silver badge

Re: Re: Simple solution...

"Problem is that 4 digit PINs are deeply entrenched into the system ... "

As Google recently found out with their NFC stuff. I guess much of the existing EPOS infrastructure simply can't cope with any other form of authentication.

I have a feeling that if the 4 digit pin did change on point of sale that people would freak out if it required them to memorise more digits and probably wouldn't make any extra effort to choose a secure pin, e.g. they'd use their date of birth in a 6 digit form instead.

The workaround is for banks to refuse to change a pin to a value which is formed from obvious permutations of their age or birthday to reduce the chances of it being guessable.

Longer term maybe they should permit pins of any length, and perhaps a fingerprint reader next to the pin pad. Finger prints would have to be optional (since many credit cards are issued by post, company cards etc), but I assume if the option were there that many institutions would support it.

0
0
Silver badge

Re: Re: Simple solution...

ISO9564

"The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also notes that not all systems support entry of PINs longer than six digits."

Certainly my Swiss UBS card is 6 digits ( and I think could be longer ).

I thought UK ATMs let you enter digits and then press <enter> rather than accepting a fixed number of presses.

6
0
Gold badge

Re: Simple solution...

Ignoring the technical feasibility for a moment, the sort of people who currently use their birthday will simply *write down* a longer PIN and keep the piece of paper in their wallet. Therefore, this will make the system less secure. Don't hold your breath for those cheques.

The suggestions in the paper are reasonable. At the very least, persuading people to use someone else's birthday would at least make it less likely that their wallet contained their PIN written down on another document.

Another useful suggestion might be for the banks to send a summary of these findings to their customers, rather than the usual vacuous warnings about keeping your PIN safe. If more people understood that using their own birthday meant they had a 1 in 11 chance of losing all their money, perhaps fewer of them would do it. They could also mention that 1 in 11 is about a million times more likely than winning the lottery.

8
0
Anonymous Coward

Re: Re: Simple solution...

I agree with what you're saying but for those who use their own birthday as a PIN and keep details of their birthday in their wallet then the risk is pretty much 100%, not 1 in 11.

For those who don't use their birthday then the risk is almost zero - the 1 in 11 chance is what the thief can expect when they nick a purse/wallet with a bank card and details of the owner's DOB i.e. 1 in 11 people use tehir DOB as their PIN.

1
1
Anonymous Coward

Re: Re: Simple solution...

"They could also mention that 1 in 11 is about a million times more likely than winning the lottery."

I reckon you might as well tell them 1 in eleventy-twelve! I mean, speaking as someone who has never done the lottery, I'd suggest the fact _they_ do demonstrates mathematically-speaking their brains are just floating up there on a fluffy cloud in the sunlight, way above the weather down here, eating marshmallows with Rocky and Bullwinkle perhaps (or anyway with the mental age equivalent to my real age when I had that annual! You know, when The Cat in the Hat seemed like a real person).

0
0

Re: Simple solution...

Yay !

WIth a 6 digit PIN I can have the Year, Month and day of my birthday. You are right - it is a big step forward.

8
0

Re: Re: Simple solution...

@ Ken Hagan

"Therefore, this will make the system less secure."

No it won't. The core idea is that instead of everyone having 4 digits, people can choose different lengths. This adds a whole extra layer to the guessing game, making it more secure overall given the limited number of wrong guesses allowed before the game's up

It could take loads more guesses just to get to one you already knew was based on your target's birthday; e.g 2nd February 1985 could become 02021985, 020285, 2285, 02285,20285, 0221985 etc etc, you get the idea.

0
1

Solved (Re: Simple solution...)

When I lived in Italy in the '90s I grew accustomed to their cards, with five-digit PINs.

Clearly the UK four digits is not a universal standard, nor the only option supported by current or old technology.

0
0
Anonymous Coward

Re: Re: Simple solution...

"At the very least, persuading people to use someone else's birthday would at least make it less likely that their wallet contained their PIN written down on another document."

To add to that, the banks already know our DOB and the combinations it can be entered into a 4 digit pin is few: DDMM MMYY DDYY YYDD etc. etc. so why can't the banks check for this when the pin is being changed and say "Oi ... You ... Noooo, birthdays are NOT pins".

Same with phone numbers etc.

1
0

Re: Re: Re: Simple solution... (ISO9564)

"I thought UK ATMs let you enter digits and then press <enter> rather than accepting a fixed number of presses."

Only some of them.

0
0
Anonymous Coward

Re: Re: Simple solution...

I find that the 6-digit PINs I'm given here in Switzerland work in all UK ATMs and outlets, except for Clydesdale Bank cash machines in Scotland - most annoying.

6 digits are as easy to remember as 4, though I suppose that doesn't necessarily get round the 'date of birth' problem. I don't know why the UK went with 4 in the first place. Are you allowed to change your PIN to a 6 digit one in the UK? Try it and see.

0
0
Childcatcher

Waaaaah! :'(

Cat in the hat _IS_ a real person. <sniff>

0
0

Re: Simple solution...

I love it. A solution described as simple, when it in fact makes things more complicated. Do you work in local government?

0
1
Anonymous Coward

Re: Simple solution...

My UK business bank card has a five digit PIN.

0
0
Silver badge

Re: Re: Re: Simple solution...

My bank in Canada used to require 4 digit but just over a year ago switched to 4-6 digits. You can still have 4 if you want, or use 5 or 6 for better security.

0
0
Silver badge
Coat

Re: Simple solution...

I would have thought the simple British solution would be to include a Bobbie with every PIN, thus also solving the unemployment problem.

0
0
Trollface

In case I ever lost my wallet or had someone 'lose' it on my behalf, I used to leave a small piece of paper with 4 random numbers written on it...

34
0

This post has been deleted by its author

IR

I've done that for years.

Especially good if you make two of the numbers easy to read as other numbers: 6/0 and 1/7.

They'll blow through the combinations before they spend a penny.

3
0
Anonymous Coward

Unless your card has one of those lovely little fraud friendly NFC chips that allow you to empty an account in £15 chunks :)

0
0

ATM's

It's 10 tries on an ATM

0
1
Silver badge

Re: ATM's

Don't know which country you're from, but in the UK it's most definitely 3, and not per session either.

5
0

Re: Re: ATM's

>> 10 tries

Only in base 3

7
0
Bronze badge
FAIL

Bogus research

Anyone with an ounce of nous on security issues can see why the researchers should expect to be supplied with false responses from the people surveyed.

1
1

Re: Bogus research

Can you explain your reasoning?

0
0
Bronze badge

Re: Re: Bogus research

As a bank card user I want to protect my PIN and keep my money safe. If I can make it hard to get to my money while giving the impression that it would be quite easy then that is to my advantage.

If I have the chance to influence the results of a report from Cambridge that are likely to get reported more widely I would have a strong incentive to answer many questions indicating a low PIN strength/security.

It lulls crooks into trying the easy option and failing, a little bit similar to the piece of paper in the wallet (described in a comment above) with false 4 digit PINs on it.

0
0

Re: Re: Re: Bogus research

While I get your point about people wanting to mislead the crooks via the study, they'd probably want to do it the other way around. They'd want to deter the crooks by indicating that the PINs are hard to guess while actually using very guessable codes. It is not to the general public's advantage, as I see it, to tell potential thieves and muggers that a code is easily breakable (even if it's not).

But this all assumes that the majority of the respondents are that cunning and think in detail about security when answering questionnaires. I didn't read it, but I assume the study also had some manner of consideration of incorrect responses..?

0
0

Only certain types of date of bitth work as a pin.

If it's ddmm then only Oct, Nov & Dec with the day >=10 work.

If it's dmyy then only Jan-Sept with day <= 9 work.

How does everyone else with a birthday that doesn't fit those parameters decide what to put in their pin?

0
17
Silver badge
WTF?

If only there were a valueless digit that could be inserted in front of a single digit day or month...

31
1
Bronze badge
Coat

Simpsons.

"Dial O and ask for the police. That number again...O. "

1
0
Happy

> How does everyone else with a birthday that doesn't fit those parameters decide what to

> put in their pin?

My birthday (247XX) does not fit the pattern unless (as suggested upthread) longer PINs were permitted. I use a favourite number, one which has entered my life in quite a few contexts already, so why not add one more context? Naturally it's unrelated to my date of birth or any other "obvious" numerical parameter.

And my list of favourite numbers includes one that is 11 digits long so enhanced PIN's wouldn't be a problem

0
0
Bronze badge
Headmaster

Months in Hex

I write the date in yy-m-dd format with the month in Hex when it is for my own reference. By good luck "a" (October) is the initial of "autumn", "b" (November) is for "bonfire" and "c" (December) is for "Chistmas".

Eg I use it in some file names and it puts them in date order, like :-

letter_11'a'24.odf [2011, October 24th]

letter_11'b'07.odf [2011, November 7th]

letter_12'1'17.odf [2012, January 17th]

It might catch on .....

0
0
Trollface

Re: Months in Hex

Yep, it might, once they start putting ABCDE keys on ATM keypads.

Seriously, most average Joes / Janes have enough trouble with complex machinery (lifts, escalators, doors, cutlery...) without making it any harder.

1
0
Silver badge

Never understood the fuss. If you use the card often enough, the bank's PIN is more than enough to cater for and it is the only number you NEED to remember (and years ago, we were all memorising 5-10 phone numbers but we don't do that now). If you don't use your card that often, the only way is to write it somewhere (NOT WITH YOUR CARD!). Inconvenient, yes, but you also have to ask yourself why you're carrying around a card that you don't use and forget the PIN to. From a security point of view, that's probably worse than just leaving it in a safe at home.

That said, I don't think I've ever heard of someone having their PIN guessed by a robber. Forced out of them, possibly. Card used on t'Internet, sure. Try a transaction in a store that lets you sign and is lax on CCTV, of course. But PIN's, in general, do their job. If you're stupid enough to write them on the card and/or use something that's quite obvious (year of birth), that's your tough luck.

Longer PIN's? Almost all European countries accept them and the software change is entirely minimal BECAUSE almost all European countries, card manufacturers, banks, etc. already accept them. Why do you think you have to press the Enter button after the 4-digit PIN? To tell the machine you're finished. I've seen people type 6-digit PIN's into UK machines without a problem, but maybe it depends on the bank.

We should all follow Joey-from-Friend's example - scratch the number on the ATM... :-)

2
1
Anonymous Coward

Maybe for Derren Brown

Memorising PINs is fine for 1 or 2 cards, but not if you have 4 credit cards (various cashback/international charging deals) and 5 bank accounts (personal and company).

And no I don't share a single PIN across the all, I used a specific combination of the numbers on the front, with an additional fix number added on to one of them. Guess that thieving twats!

Tbh though, if people use stupid numbers then take their cash! Education, not longer PINs, is the key.

0
0
Silver badge

5 digit PINs are being introduced here

I would have no problems remembering 5 digit or longer ones.

Regarding blacklisting, given that your bank knows your date of birth, surely they could forbid you to use a number derived from that date? That would not prevent you from using your wife's, or kids birthday, but those are not printed on your ID, as a rule, so at least some security is added.

2
0
Stop

You carry your birth date around with you?

"over 99 per cent of customers reported that their birth date is listed somewhere in the wallet or purse where they keep their cards"

That has to be one of the most bollox statistics ever.

1
16
Silver badge

Re: You carry your birth date around with you?

Like many people I carry my driver's license around with me (the plastic card one). So I am one of the 99%.

13
0

Re: You carry your birth date around with you?

Driving license photocards probably, although I don't carry mine around.

Maybe the insistence of supermarkets age checking 92 and 72 year olds when they try to buy alcohol means more people carry a driving license/proof of age card?

I would imagine a bigger issue is the fact that "Verified by visa" allows the use of your DOB to bypass the "password security" it claims to offer. So why bother guessing PINs?

4
0
Silver badge
Thumb Up

Re: Re: You carry your birth date around with you?

good for you, some of us do actually look younger than 25 and regularly get asked when buying alcohol. So a driving licence is a quick ID card.

0
0
Bronze badge
WTF?

You use verified by VISA???

Why?

It's a pointless, rarely used (and therefore regularly forgotten) password that can be reset using publicly available information.

If any transaction ever shows up as VbV then I KNOW it's fraudulent - so does my bank, I have several communications with them where I state that.

(Actually I have once used VbV - I was on the phone to my bank at the time, and they purged the registration straight away)

0
0
Bronze badge
Thumb Down

Re: You use verified by VISA???

Not by choice! I HATE VbV, and the MasterCard equivalent, but my frikkin' banks now insist on it (the 'cancel' button is no longer there on the signup screen) :-(

3
0
Mushroom

Re: You carry your birth date around with you?

OK, so as someone who never carries ID around with me, I'm in a minority of ElReg commentards.

However, stats from the first 10 thumbs (1 up and 9 down) plus myself imply that - based on a sample of 11 commentards - a massive 82% carry their birthdate around in their wallet. Somewhat short of the claimed 99+%.

1
2
Bronze badge
WTF?

Re: You carry your birth date around with you?

Why are people voting Old Tom down? I too cannot believe that 99% of the populace carry their DoB around with them. Maybe 75%. Driving licence? Much fewer than 99% of adults have driving licences.

As the Reg crowd were so hysterically against ID Cards, it is ironic that they should consider it perfectly normal to carry a driving licence around, which is a de facto ID card.

1
6
Gold badge

Re: the Reg crowd

"As the Reg crowd were so hysterically against ID Cards, it is ironic that they should consider it perfectly normal to carry a driving licence around, which is a de facto ID card"

Odd that you can remember how hysterical we were but you can't remember that it was the non-optional nature of the beast and its associated database that we were against.

It's quite normal to carry cash around, but I'd be opposed to a law that made it compulsory. (I gather some countries do insist on this so that "citizens" can pay fines on-the-spot without any of that tedious "due process" stuff.)

4
0
Silver badge
Boffin

@Old Tom - dodgy maths :-)

"However, stats from the first 10 thumbs (1 up and 9 down) plus myself imply that - based on a sample of 11 commentards - a massive 82% carry their birthdate around in their wallet. Somewhat short of the claimed 99+%."

You can't make that correlation I'm afraid. All we know of the upvoter is that they agree with you that the 99% figure appears bollox, they may still carry a drivers licence (or young person's railcard, or NUS card, or passport, or bus pass, or library card - I'm sure there are more) but just doubt everyone does.

Besides, they're not *claming* anything. They're simply stating what the responders put in a small sample of 1300 people - for all we know they sampled people at a service station on the M4.

1
0

ID card campaign and Lord Olivier

Relevant is Laurence Olivier's campaign to restore smoked haddock to the breakfast menu on his train from Brighton to London. This involved every contact that he had, and most of them were famous.

BR (the train operator that was) relented and restored smoked haddock to the menu. On the first day with haddock available Lord Olivier took his seat in the dining car and the waiter came to him with a broad grin, Olivier perused the menu and asked for scrambled egg. The waiter was shocked "But after this great campaign so you could have smoked haddock, why don't you want some?" Olivier replied "I never wanted smoked haddock, I wanted the <b><u>choice."

0
0

Re: Re: You carry your birth date around with you?

> Driving license photocards probably, although I don't carry mine around.

Here in the US it's against the law to drive without your drivers license with you.

0
0

Page:

This topic is closed for new posts.

Forums