The Register® — Biting the hand that feeds IT


Crap PINs give wallet thieves 1-in-11 jackpot shot

Four-digit banking PINs are almost as insecure as website passwords, according to a study by Cambridge University computer scientists. The first-ever quantitative analysis of the difficulty of guessing four-digit banking PINs estimates the widespread practice of using a date of birth as a PIN code and other factors means that …

This topic is closed for new posts.

Re: Re: You use verified by VISA???

The initial Cancel may have disappeared, but the sign-up process for FbV (no, that's not a typo!) requires you to "I agree..." (or something like that), so you can still escape from it without botching the purchase you're in the middle of making.

My Halifax card years back had some paper that said that you could use any PIN except 0000 and 9999.

The downside to removing the top X guessable ones:

0000,1111,....

0123,1234,....

9876,8765,....

is that the number of available numbers diminishes. This gives marginally better odds for guessing.

This post has been deleted by its author

other easy guessables...

7854, 9856, 4521, 6523, 1452, 6325, 7412, 1236, 6987, 8741, 8521, 8523, 2587, 2589, 7456, 6541

See the common link? (17 numbers there that LOOK random, but aren't)

or.... 3141 or 1414 or 2718? Recognise them? Definitely not random!

It looks like once you remove the easy guessable and common dates you will be left with the Sony Random Number(TM)(R)(C) which of course is "4", making everyone's PIN '0004'

Why not use a hash of arbitrary length PINs? If I want to use the first 26 numbers of SQR(2) or PI, why can't I?

(not that either of those is a good choice, mind you..)

Block customer's own DoB?

As the bank knows your DoB, surely they can check if your PIN is DD/MM, MM/YY or MM/DD for your DoB.

However, the ATM back-end computer doesn't need your DoB - it's only on the initial anti-laundering part. They could do a batch-job running through all recently-changed PINs and asking the back-end if the PIN is one of these 3 values, and then send a stern reminder to the customer not to be so silly.

Anonymous Coward

un-design

Over here they recently "upgraded" the things so that now you have to hit "ok" after entering the four digits. Still doesn't allow for changing any PIN, never mind for a longer one.

Personally I don't mind defaulting to four digits, it's hard enough for many already. I do mind enforcing that lowest common denominator as the standard. Could've specified right away that all machinery had to allow for, say, three-to-eight digit numbers, customer choosable. Could even make it so that the customer can only pick the PIN length, who in return will be provided with a randomly-generated pin of the right length sans that top-100. This sounds sensible to me, which probably is why I'm not a banker.

Leave it as it is. It's a 4 digit number, it's not hard to create a completely random number and remember the 4 digit number. It takes less than 5 minutes of elapsed time over a few hours to commit it to long term memory. If some thief managed to get hold of my card, I would really appreciate that they use some of their limited attempts on simple PINs like DOB and number patterns. I have no sympathy for people who choose to use simple PINs. If your birth year is 1965 then why not swap two of the digits around e.g. 5961. This creates a much more difficult PIN while still retaining an easy to remember number. There's a lot of other things you can do with the DOB PINs to make it harder: mix the day and month digits so you have DMDM or MDMD or DMMD. Add in the last two digits of your year and you have tons of combinations that all create an easy to remember PIN without making it easy for someone who may have your card and your DOB. If you still want a more varied range then add the last two digits of your house number to your DOB, or mix in two of the digits of your telephone number. You can even vary the PIN for each card you have by varying a single digit. The digit could be random or could be one of the digits on the card itself (e.g. the last digit of the long number or one of the digits on the 3 digit security verification number). I could be here all day coming up with ideas of how to vary the PIN in easy to understand ways.

That's all very well

until you have a card you don't use very often and forget which system you used to derive the PIN...

Re: That's all very well

Not if you use the same system on all your cards? That's the idea behind it surely, you don't need to memorise any numbers, only the system you use to derive them?

Choice...

Did they ask the obvious question of how many people had actually chosen their pin and how many people just use the pin provided by their bank (which is effectively random)?

Anonymous Coward

Effectively random?

Rather than "effectively random", I would certainly hope that the PIN provided by the bank is actually, you know, er... random?

Re: Effectively random?

No, it's certainly not random. The closest they come is pseudorandom, i.e. the PIN is generated by some sort of algorithm which makes it appear random.


Re: Effectively random?

There has yet to be a fully proven truly random number generator -- primarily because testing to prove a number sequence is truly random is practically impossible*. There are many which are theoretically random (such as hardware random number generators) but they are usually quite slow and used primarily to seed a faster pseudorandom number generator rather than to produce final output.

As that is what most computing systems do, pseudorandom numbers from a generator seeded from a hardware random number generator are most likely the source of the PIN generated by your bank. Not truly random, but effectively random.

* There are statistical tests for randomness, but deterministic processes such as pseudorandom number generators can fool such tests. That is to say, a pseudorandom number generator generates a sequence of numbers which appear statistically to be random, but come from a deterministic process, which is by definition not truly random.


Re: Choice...

Did you read the article? I have to ask, because there is a big quote right in the middle, which forms about a third of the article, in bold text, starting with the words:

"About a quarter stick with their bank-assigned random PIN"


Must read harder...

It's in the article. In bold writing.

"About a quarter stick with their bank-assigned random PIN"

Anonymous Coward

Re: Re: Effectively random?

FFS people, spare me the lectures on the fundamentals of pseudo-random number generators, the point was there actually is a well established way to generate robust random-as-in-impossible-to-predict numbers (cryptographically secure pseudo-RNG seeded by entropy from a physical source) and it's reasonable to expect that that's what the banks use.

"is effectively random"

Yes, in this instance, the pseudo random number is effectively random provided the algorithm provides all possibilities. It has to be less the obvious numbers as already discussed. A typical bank will produce at least 10,000 cards each day so provided each cycle starts at a random point and they are allocated in the order requested the result is genuinely random.


Re: Re: Re: Effectively random?

Dude! Provided you are the same guy behind the Guy Fawkes mask as further above, you are the one bashing somebody else over what you perceive to be the correct phrase to use. When other people then argue that your nitpicking is actually wrong you do not get to complain about people nitpicking.

"repeated digits"

The article mentions "repeated digits" as part of the "not-so-random" codes. Why? Surely random codes would occasionally* lead to repeated digits, and forbidding them would reduce still further the available pool of numbers.

*someone with better stats than me can work out the frequency of occasionally.


Re: "repeated digits"

While random codes will occasionally lead to repeated digits (for a very simple example, any single digit repeated 4 times in a 4 digit PIN would statistically be expected to appear on average 10 times in 10,000), they would be expected to appear more often in self-selected PINs, because they're easy to come up with and to remember, and people often self-select for convenience.

Re: "repeated digits"

Ok, 4 digits, 0-9, repeat digits allowed: 10000 combinations.

4 digits, 0-9, no repeat digits: 5040 combinations.

So about half as secure.

It also suggests that the chance of getting a repeat digit is close to 50%


Re: "repeated digits"

If my stats aren't too rusty:

With a truly random number, the odds of two sequential digits (and only two) being the same are 27.9%, the odds of three sequential digits being the same are 1.9% and the odds of all four being the same are 0.1%

You can quite easily work it out by considering the number of variations out of the 10000 possibilities, i.e. for each of ten possible values of the first digit, there is a one in ten possibility of the second digit being the same, so 10% of all possible values, add on the percentages for the second and third digits being the same (also 10%), then the third and fourth (also 10%), gives 30% for two (or more) sequential digits.

For three sequential digits, there are ten different values those digits can take, plus ten variations of the extra digit, i.e. 1 in 100. The extra digit can be either at the start or end, so there is a 2% chance of two (or more) digits being the same.

There are exactly ten variations of four repeated digits, out of 10000 combinations, so 0.1%. To get the percentage of triple numbers not including all four being the same, take this off of the 2%, so 1.9% for two and only two repeated digits, and then take that off the 30% for double digits to get 27.9% for two and only two repeated digits.

I'm sure there's an easier way to get those numbers. Any mathematicians out there?

Interesting to note that statistically, more than a quarter of all pin numbers would have repeated digits if they are truly random. Anyone care to figure out the odds of two non-sequential digits being the same? I suspect it may even be more than 50%.


Re: "repeated digits"

Out of 10000 possible four-digit numbers, 2710 contain at least one repeated (adjacent) digit.
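As an added example (not from any of the posts in this subthread), the repeated-digit counts argued over above, computed both by brute force and in closed form, plus the odds a uniformly guessing thief gets when a bank bans a whole class of PINs and so shrinks the pool:

```python
from itertools import product

DIGITS = "0123456789"


def longest_adjacent_run(pin: str) -> int:
    """Length of the longest run of identical adjacent digits (1122 -> 2, 2221 -> 3)."""
    best = run = 1
    for prev, cur in zip(pin, pin[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def pin_repeat_stats(ndigits: int = 4) -> dict:
    """Brute-force count over all 10**ndigits PINs of the repeat cases discussed above."""
    stats = {"total": 0, "any_repeat": 0, "adjacent_repeat": 0,
             "run_of_3_or_more": 0, "all_same": 0}
    for digits in product(DIGITS, repeat=ndigits):
        pin = "".join(digits)
        run = longest_adjacent_run(pin)
        stats["total"] += 1
        stats["any_repeat"] += len(set(pin)) < ndigits  # 1212, 3003, 1122 ...
        stats["adjacent_repeat"] += run >= 2            # 1223, 1122, 2222 ...
        stats["run_of_3_or_more"] += run >= 3           # 1222, 2221, 2222
        stats["all_same"] += run == ndigits             # 2222
    return stats


def closed_form_4digit() -> dict:
    """The same counts for 4-digit PINs without enumeration, as a cross-check."""
    total = 10 ** 4
    all_distinct = 10 * 9 * 8 * 7        # 5040: the "no repeat digits" pool
    no_adjacent = 10 * 9 ** 3            # 7290: each digit differs from its predecessor
    triple = 10 * 10 + 10 * 10 - 10      # aaa? plus ?aaa, minus aaaa counted twice
    return {"total": total, "any_repeat": total - all_distinct,
            "adjacent_repeat": total - no_adjacent,
            "run_of_3_or_more": triple, "all_same": 10}


def guess_odds(pool_size: int, attempts: int = 3) -> float:
    """Chance that a thief guessing uniformly from the allowed pool succeeds within
    `attempts` tries before lockout; banning a class of PINs shrinks the pool and raises it."""
    return attempts / pool_size
```

With the three-try lockout the posts assume, guess_odds(10000) is 0.03%, guess_odds(7290) (no adjacent repeats allowed) is 0.041% and guess_odds(5040) (no repeated digit at all) is 0.06%.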

Re: Re: "repeated digits"

yes, for 4 repeats, but what about only 2 repeats, abbc, acbb etc. That's a far bigger pool of PINs potentially eliminated. Perhaps the original article was referring to all 4 the same rather than just 2 repeats within a PIN, but I didn't read it like that.

"The researchers modeled banking PIN selection using a combination of leaked data from non-banking sources"

Don't know about people in general, but I use a "much more random" PIN for my bank cards than I do for a mobile phone unlock code, for instance.

I wonder how many people use part of the card number as the PIN?

Anonymous Coward

PIN Encryption

For my infrequently used cards I write the bank supplied default PIN on the rear of the card, but encrypt it by adding or subtracting another 4 digit number. Normally this is the last 4 digits of my phone number from 20 ish years ago - (4 relatively low value digits). I've always hoped that if someone steals my card, they will try the four digit number on the card directly a couple of times, then maybe reversed, then hey-presto it's locked out. Simples.

of course, it would be more secure to use a 128 bit DES algorithm or a Nth power polynomial to encrypt it, but I would never be able to work that one out mentally, in a drunken stupor, when I need my taxi fare home.....


Re: PIN Encryption

A similar trick is to write down the PIN within a few other random digits - gives you enough of a reminder of which four digits are valid, while still hiding the purpose of the number and leaving several different schemes:

9991234999999

or

919293949

or

999999432199

where 9 is actually a random digit of course.


Simple solution

Remove the ability to choose your own PIN.

If you don't have the ability to remember a 4 digit number then you shouldn't really be allowed to walk freely in society. If you have to write it down then accept the consequences when your wallet gets stolen.

Re: Simple solution

Remembering regularly-used numbers is easy.

Remembering numbers for cards you might not use very often is less so. Many people might have several day-to-day cards plus others that they only use on holiday or on infrequent business trips or something...

my pin for my main card is part of a phone number for where I used to live.

however for someone to guess the number three things would have to happen.

1. they know it's part of a phone number

2. they know the phone number that my parents had when I was 5 years old

3. they know which part of the number I chose

I would think that the odds of somebody guessing the number are around the same as their chances of getting it right by mashing their forehead against the number pad.

of course the odds of somebody getting the number go up by a large margin if they ask nicely (while holding a knife etc)

> they know the phone number that my parents had when I was 5 years old

My parents had a phone when I was 5 years old, but I couldn't have used just part of it.

Even UK PINs require at least 4 digits...

Vic.

[Feeling kinda old tonight...]

use the full number (area code and all) not just the three digit number for same exchange

i.e.

300 (same exchange)

300300 (same area code)

0327 300300 (outside area before the area code changes)

01327 300300 (outside area since code changes)

No the above number is not the number I use, If anyone calls it you should find it answered by some very friendly police in Daventry or Towcester.

Anonymous Coward

DoB = 6+ digits, PIN = 4 digits

Date of birth is 6 digits, and you don't know which order is being used - some might use DDMMYY, others might use MMDDYY, geeks might use [YY]YYMMDD.

PIN is 4 digits.

The dodgy geezer has to pick the right format of DoB and then pick the right 4 digits from 6.

Not so easy now?

Or am I missing something?


Re: DoB = 6+ digits, PIN = 4 digits

There are 10,000 4-digit numbers, so if your PIN is truly random, there's a 1 in 10,000 chance of guessing it.

However, if your PIN is 4 of the digits of your DOB, in a random order, there are significantly fewer combinations. Given that the numbers are known (since someone's DOB is relatively easy to find), and allowing for a 4-digit year, the criminal only has to choose an order. Allowing you to sort them in any order means the criminal has 8 choices for the 1st digit, 7 for the 2nd, 6 for the 3rd, and 5 for the 4th. This means 8*7*6*5 = 1,680 total choices instead of 10,000.

So giving date of birth the best chance, it's still almost 6 times easier to crack than a random number (10,000 / 1,680 ) ~= 5.95
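As an added example (not from any post here), an issuer-side check of the kind the "Block customer's own DoB?" post proposes, together with an enumeration of the DoB-digit pool that the post above bounds at 8*7*6*5 = 1,680. The date of birth used in the test is constructed; the exact pool size depends on how many digits the date repeats:

```python
from datetime import date
from itertools import permutations


def dob_format_pins(dob: date) -> set:
    """PINs that are a direct DDMM/MMDD/MMYY/YYMM/DDYY/YYDD/YYYY reading of the date."""
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yy, yyyy = f"{dob.year % 100:02d}", f"{dob.year:04d}"
    return {dd + mm, mm + dd, mm + yy, yy + mm, dd + yy, yy + dd, yyyy}


def dob_digit_pins(dob: date) -> set:
    """Every 4-digit PIN obtainable by picking and ordering any 4 of the 8 DDMMYYYY digits.
    8*7*6*5 = 1680 is the upper bound; a date with repeated digits gives a smaller pool."""
    digits = f"{dob.day:02d}{dob.month:02d}{dob.year:04d}"
    return {"".join(p) for p in permutations(digits, 4)}


def pool_reduction(dob: date) -> float:
    """How many times easier a DoB-digit PIN is to guess than a uniform 4-digit one."""
    return 10_000 / len(dob_digit_pins(dob))


def pin_policy_check(pin: str, dob: date, strict: bool = False) -> tuple:
    """Issuer-side check at PIN selection (the bank already holds the customer's DoB).
    Default mode refuses the obvious date formats; strict mode refuses any PIN made
    only of rearranged DoB digits, at the cost of refusing up to 1680 (16.8%) of PINs."""
    if len(pin) != 4 or not pin.isdigit():
        return False, "PIN must be exactly four digits"
    if pin in dob_format_pins(dob):
        return False, "PIN is a date-of-birth format (DDMM, MMYY, ...)"
    if strict and pin in dob_digit_pins(dob):
        return False, "PIN is a rearrangement of date-of-birth digits"
    return True, "ok"
```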

Re: DoB = 6+ digits, PIN = 4 digits

Most people will use MMYY or DDMM, so those are the first two I would try.


5 digit PINs - abroad

Beware of 5 digit PINs:

Italian banks - give you one and don't let you change it.

But as far as I've seen 1 or 2 digits are purposely repeated to make the PIN easier to remember - which obviously defeats part of the purpose.

Beware also in some countries the only ATM you can find require a fixed length PIN to be entered either 4 and not 5 or 5 and not 4.

So you can be denied access to cash abroad just by having the wrong length PIN!

so the long and short of this story is that by possibly knowing your birthday the thieves can reduce odds of

10,000 : 1

to

10: 1 ???

amazing

Re: the long and short of this story

Not by my reading it isn't. The reduction occurs because roughly 10% of people do both of (i) use their DoB as their PIN and (ii) carry this DoB elsewhere in their wallet. Therefore, a strategy of "use the DoB in the wallet" will succeed in 100% of those cases. Less amazing, and possibly not completely true, but (sadly) probably not completely false either.

Surely the simplest solution to the whole personal PIN number problem would be for researchers to calculate the most secure 4 digit sequence possible and then everybody uses that. I don't see how that could fail to work.


Already sorted, the research shows that 1234 is the most secure.

"That's the same code as I have on my luggage!"

Storage of PINs by the banks

What interests me is that I can request a PIN *reminder* from my bank, not a PIN reset. Doesn't that mean they must be storing PINs in clear or reversible encryption rather than as a hash?

Anonymous Coward

Re: Storage of PINs by the banks

PINs aren't stored, they are calculated in a HSM using your PAN and a derived key, which I think is called the PIN Verification Key. Your encrypted PIN (in ATM transactions) is sent to your issuer with your PAN; your issuer then can perform operations on the secret in the HSM to determine whether it is correct or not.
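An added illustration (not from the post above, which names no particular scheme): the offset method of IBM 3624-style PIN verification, with HMAC-SHA256 standing in for the 3DES step a real HSM performs under the PIN Verification Key. It shows how an issuer can verify, and regenerate for a "reminder", a PIN it never stores in clear. The key is constructed and the PAN is the thread's own dummy card number:

```python
import hashlib
import hmac

# Decimalisation table of the classic IBM 3624 scheme: hex digit -> decimal digit.
DECIMALISE = str.maketrans("0123456789ABCDEF", "0123456789012345")


def natural_pin(pvk: bytes, pan: str, length: int = 4) -> str:
    """'Natural' PIN derived from the PAN under the PIN Verification Key (PVK).
    Stand-in: HMAC-SHA256 of the PAN replaces the 3DES encryption a real HSM does."""
    digest = hmac.new(pvk, pan.encode(), hashlib.sha256).hexdigest().upper()
    return digest.translate(DECIMALISE)[:length]


def pin_offset(pvk: bytes, pan: str, customer_pin: str) -> str:
    """Offset = customer PIN minus natural PIN, digit by digit mod 10.
    The offset is what the issuer records; the PIN itself is never stored."""
    nat = natural_pin(pvk, pan, len(customer_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, nat))


def regenerate_pin(pvk: bytes, pan: str, offset: str) -> str:
    """Natural PIN plus offset. Only code running inside the HSM that holds the PVK
    can do this, which is how a 'PIN reminder' works without plaintext PIN storage."""
    nat = natural_pin(pvk, pan, len(offset))
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))


def verify_pin(pvk: bytes, pan: str, offset: str, candidate: str) -> bool:
    """Issuer-side verification of a PIN entered at an ATM (after the HSM has decrypted
    the PIN block): recompute the expected PIN and compare in constant time."""
    if len(candidate) != len(offset) or not candidate.isdigit():
        return False
    return hmac.compare_digest(regenerate_pin(pvk, pan, offset), candidate)
```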


Here's what I use

I have a personal UK debit card, 2 personal UK credit cards, a UK online banking access card, a Swiss debit card, a Swiss credit card and a Swiss online banking access card. All have PIN numbers, and I don't want to use the same number on them all. But I can't memorise 7 PINs plus all the other passwords I use every day. I use two cards frequently, and the others rarely. I can't be forgetting them when I'm abroad.

So I use an algorithm for the cards that lets me carry the numbers in plain sight.

4929 7014 5583 4826 <- Not my card

The simplest algorithm could be to choose a block of four, but in common practice that is too vulnerable. Here are a few different ones that I could use

One from each group = 4754

First from first, second from second, etc = 4086

Fourth from first, third from second, etc = 9154

Two from the first group, two from the back = 12 combinations in each group, for 144 possible

And so on. You can even use different algorithms for different types of cards, so in my example I can use one for debit cards and another for credit cards. Or one for UK and one for Swiss.

The important thing is that you can simply remember the rules, and look at the card every time you use it. One rule for 7 cards means 7 PINs that are as random as anything the bank will generate, it is right in front of you and yet no-one will see it.

The problem is understated due to the fact that most people carry more than one card and most likely use the same PIN for each of them. So a thief has multiple opportunities to compromise the PIN (at which point all remaining cards in the wallet are compromised).

One option is to use a common root PIN (say 3 digits or 5 digits depending on your PIN length) and then make the remaining digit (let's say the 3rd digit) card-specific, e.g. base it on the CSV value printed on the card.

Anonymous Coward

YYYY

I was hanging about a bus station once with the missus waiting for a bus. There were some lockers with a "choose your own 4 digit pin" style combination locks on them. Said to the missus, I bet I could open one of those. How so? she asks. Well, a lot of people are going to use their YOB. And a lot of long-distance bus users with baggage are going to be in their early twenties / late teens. So a fair few will be locked with '198x'. Some bloke came up, unlocked his locker and went off with his suitcase. I checked the lock - he'd used 198x.

Re: YYYY

too true

Of the 2 numbers that have been shared with me for padlock combos recently, one was the current year, and the other was the owner's DOB, I think - she looked like a 1963!

I've always used the bank assigned PIN, which seems random enough to me.

Simple solution, give you a PIN and don't allow it to be changed.

Anonymous Coward

>"Approximately how often do you use your banking PIN to unlock a unicorn shed?"

Hahaha sheer genius. "Several times a week", lol.


Here in Finland...

it's a 4-digit number, allocated by the bank which I can't change. 3 wrong tries and the ATM swallows the card, blows the chip, or the shop cashier receives a message that she must retain it.

Hard to remember?

No - I write it on the back of the card, coded with an algorithm only I know (no, not inversion, shifting, etc. Much more evil) If I forget the number, I can always remember the algorithm, as it's the same for all 4 cards I own.

Anonymous Coward

weak PINs

Actually, quite a few banking applications support rejection of weak PINs. However, not so many banks take advantage of the application support....
