Allow for PINs longer than four digits. Better still, insist on them!
Cheques to the usual address please Mr. Banker.
Four-digit banking PINs are almost as insecure as website passwords, according to a study by Cambridge University computer scientists. The first-ever quantitative analysis of the difficulty of guessing four-digit banking PINs estimates the widespread practice of using a date of birth as a PIN code and other factor means that …
Problem is that 4 digit PINs are deeply entrenched into the system ... you'd need to make changes to terminals etc worldwide to cope with the change (for example virtually all UK ATMs wait for 4 key presses for PIN entry). I lived for a time in the US at end of 90s and there you could have a longer PIN number on cards .... but every so often you'd read a travel article that would warn readers that before travelling to Europe they should change their PIN to a 4 digit number as otherwise they could find they were unable to use their cards when European card readers assumed a 4 digit pin.
"Problem is that 4 digit PINs are deeply entrenched into the system ... "
As Google recently found out with their NFC stuff. I guess much of the existing EPOS infrastructure simply can't cope with any other form of authentication.
I have a feeling that if the 4 digit pin did change on point of sale that people would freak out if it required them to memorise more digits and probably wouldn't make any extra effort to choose a secure pin, e.g. they'd use their date of birth in a 6 digit form instead.
The workaround is for banks to refuse to change a pin to a value which is formed from obvious permutations of their age or birthday to reduce the chances of it being guessable.
Longer term maybe they should permit pins of any length, and perhaps a fingerprint reader next to the pin pad. Finger prints would have to be optional (since many credit cards are issued by post, company cards etc), but I assume if the option were there that many institutions would support it.
"The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also notes that not all systems support entry of PINs longer than six digits."
Certainly my Swiss UBS card is 6 digits ( and I think could be longer ).
I thought UK ATMs let you enter digits and then press <enter> rather than accepting a fixed number of presses.
I find that the 6-digit PINs I'm given here in Switzerland work in all UK ATMs and outlets, except for Clydesdale Bank cash machines in Scotland - most annoying.
6 digits are as easy to remember as 4, though I suppose that doesn't necessarily get round the 'date of birth' problem. I don't know why the UK went with 4 in the first place. Are you allowed to change your PIN to a 6 digit one in the UK? Try it and see.
Ignoring the technical feasibility for a moment, the sort of people who currently use their birthday will simply *write down* a longer PIN and keep the piece of paper in their wallet. Therefore, this will make the system less secure. Don't hold your breath for those cheques.
The suggestions in the paper are reasonable. At the very least, persuading people to use someone else's birthday would at least make it less likely that their wallet contained their PIN written down on another document.
Another useful suggestion might be for the banks to send a summary of these findings to their customers, rather than the usual vacuous warnings about keeping your PIN safe. If more people understood that using their own birthday meant they had a 1 in 11 chance of losing all their money, perhaps fewer of them would do it. They could also mention that 1 in 11 is about a million times more likely than winning the lottery.
I agree with what you're saying but for those who use their own birthday as a PIN and keep details of their birthday in their wallet then the risk is pretty much 100%, not 1 in 11.
For those who don't use their birthday then the risk is almost zero - the 1 in 11 chance is what the thief can expect when they nick a purse/wallet with a bank card and details of the owner's DOB i.e. 1 in 11 people use their DOB as their PIN.
"They could also mention that 1 in 11 is about a million times more likely than winning the lottery."
I reckon you might as well tell them 1 in eleventy-twelve! I mean, speaking as someone who has never done the lottery, I'd suggest the fact _they_ do demonstrates mathematically-speaking their brains are just floating up there on a fluffy cloud in the sunlight, way above the weather down here, eating marshmallows with Rocky and Bullwinkle perhaps (or anyway with the mental age equivalent to my real age when I had that annual! You know, when The Cat in the Hat seemed like a real person).
@ Ken Hagan
"Therefore, this will make the system less secure."
No it won't. The core idea is that instead of everyone having 4 digits, people can choose different lengths. This adds a whole extra layer to the guessing game, making it more secure overall given the limited number of wrong guesses allowed before the game's up.
It could take loads more guesses just to get to one you already knew was based on your target's birthday; e.g. 2nd February 1985 could become 02021985, 020285, 2285, 02285, 20285, 0221985 etc etc, you get the idea.
"At the very least, persuading people to use someone else's birthday would at least make it less likely that their wallet contained their PIN written down on another document."
To add to that, the banks already know our DOB and the combinations it can be entered into a 4 digit pin is few: DDMM MMYY DDYY YYDD etc. etc. so why can't the banks check for this when the pin is being changed and say "Oi ... You ... Noooo, birthdays are NOT pins".
Same with phone numbers etc.
As a bank card user I want to protect my PIN and keep my money safe. If I can make it hard to get to my money while giving the impression that it would be quite easy then that is to my advantage.
If I have the chance to influence the results of a report from Cambridge that are likely to get reported more widely I would have a strong incentive to answer many questions indicating a low PIN strength/security.
It lulls crooks into trying the easy option and failing, a little bit similar to the piece of paper in the wallet (described in a comment above) with false 4 digit PINs on it.
While I get your point about people wanting to mislead the crooks via the study, they'd probably want to do it the other way around. They'd want to deter the crooks by indicating that the PINs are hard to guess while actually using very guessable codes. It is not to the general public's advantage, as I see it, to tell potential thieves and muggers that a code is easily breakable (even if it's not).
But this all assumes that the majority of the respondents are that cunning and think in detail about security when answering questionnaires. I didn't read it, but I assume the study also had some manner of consideration of incorrect responses..?
> How does everyone else with a birthday that doesn't fit those parameters decide what to
> put in their pin?
My birthday (247XX) does not fit the pattern unless (as suggested upthread) longer PINs were permitted. I use a favourite number, one which has entered my life in quite a few contexts already, so why not add one more context? Naturally it's unrelated to my date of birth or any other "obvious" numerical parameter.
And my list of favourite numbers includes one that is 11 digits long so enhanced PINs wouldn't be a problem
I write the date in yy-m-dd format with the month in Hex when it is for my own reference. By good luck "a" (October) is the initial of "autumn", "b" (November) is for "bonfire" and "c" (December) is for "Christmas".
Eg I use it in some file names and it puts them in date order, like :-
letter_11'a'24.odf [2011, October 24th]
letter_11'b'07.odf [2011, November 7th]
letter_12'1'17.odf [2012, January 17th]
It might catch on .....
Never understood the fuss. If you use the card often enough, the bank's PIN is more than enough to cater for and it is the only number you NEED to remember (and years ago, we were all memorising 5-10 phone numbers but we don't do that now). If you don't use your card that often, the only way is to write it somewhere (NOT WITH YOUR CARD!). Inconvenient, yes, but you also have to ask yourself why you're carrying around a card that you don't use and forget the PIN to. From a security point of view, that's probably worse than just leaving it in a safe at home.
That said, I don't think I've ever heard of someone having their PIN guessed by a robber. Forced out of them, possibly. Card used on t'Internet, sure. Try a transaction in a store that lets you sign and is lax on CCTV, of course. But PINs, in general, do their job. If you're stupid enough to write them on the card and/or use something that's quite obvious (year of birth), that's your tough luck.
Longer PINs? Almost all European countries accept them and the software change is entirely minimal BECAUSE almost all European countries, card manufacturers, banks, etc. already accept them. Why do you think you have to press the Enter button after the 4-digit PIN? To tell the machine you're finished. I've seen people type 6-digit PINs into UK machines without a problem, but maybe it depends on the bank.
We should all follow Joey-from-Friend's example - scratch the number on the ATM... :-)
Memorising PINs is fine for 1 or 2 cards, but not if you have 4 credit cards (various cashback/international charging deals) and 5 bank accounts (personal and company).
And no, I don't share a single PIN across them all; I use a specific combination of the numbers on the front, with an additional fixed number added on to one of them. Guess that, thieving twats!
Tbh though, if people use stupid numbers then take their cash! Education, not longer PINs, is the key.
I would have no problems remembering 5 digit or longer ones.
Regarding blacklisting, given that your bank knows your date of birth, surely they could forbid you to use a number derived from that date? That would not prevent you from using your wife's, or kids birthday, but those are not printed on your ID, as a rule, so at least some security is added.
Driving license photocards probably, although I don't carry mine around.
Maybe the insistence of supermarkets age checking 92 and 72 year olds when they try to buy alcohol means more people carry a driving license/proof of age card?
I would imagine a bigger issue is the fact that "Verified by visa" allows the use of your DOB to bypass the "password security" it claims to offer. So why bother guessing PINs?
It's a pointless, rarely used (and therefore regularly forgotten) password that can be reset using publicly available information.
If any transaction ever shows up as VbV then I KNOW it's fraudulent - so does my bank, I have several communications with them where I state that.
(Actually I have once used VbV - I was on the phone to my bank at the time, and they purged the registration straight away)
OK, so as someone who never carries ID around with me, I'm in a minority of ElReg commentards.
However, stats from the first 10 thumbs (1 up and 9 down) plus myself imply that - based on a sample of 11 commentards - a massive 82% carry their birthdate around in their wallet. Somewhat short of the claimed 99+%.
"However, stats from the first 10 thumbs (1 up and 9 down) plus myself imply that - based on a sample of 11 commentards - a massive 82% carry their birthdate around in their wallet. Somewhat short of the claimed 99+%."
You can't make that correlation I'm afraid. All we know of the upvoter is that they agree with you that the 99% figure appears bollox, they may still carry a drivers licence (or young person's railcard, or NUS card, or passport, or bus pass, or library card - I'm sure there are more) but just doubt everyone does.
Besides, they're not *claiming* anything. They're simply stating what the responders put in a small sample of 1300 people - for all we know they sampled people at a service station on the M4.
Why are people voting Old Tom down? I too cannot believe that 99% of the populace carry their DoB around with them. Maybe 75%. Driving licence? Much fewer than 99% of adults have driving licences.
As the Reg crowd were so hysterically against ID Cards, it is ironic that they should consider it perfectly normal to carry a driving licence around, which is a de facto ID card.
"As the Reg crowd were so hysterically against ID Cards, it is ironic that they should consider it perfectly normal to carry a driving licence around, which is a de facto ID card"
Odd that you can remember how hysterical we were but you can't remember that it was the non-optional nature of the beast and its associated database that we were against.
It's quite normal to carry cash around, but I'd be opposed to a law that made it compulsory. (I gather some countries do insist on this so that "citizens" can pay fines on-the-spot without any of that tedious "due process" stuff.)
Relevant is Laurence Olivier's campaign to restore smoked haddock to the breakfast menu on his train from Brighton to London. This involved every contact that he had, and most of them were famous.
BR (the train operator that was) relented and restored smoked haddock to the menu. On the first day with haddock available Lord Olivier took his seat in the dining car and the waiter came to him with a broad grin. Olivier perused the menu and asked for scrambled egg. The waiter was shocked: "But after this great campaign so you could have smoked haddock, why don't you want some?" Olivier replied "I never wanted smoked haddock, I wanted the choice."
My Halifax card years back had some paper that said that you could use any PIN except 0000 and 9999.
The downside to removing the top X guessable ones is that the number of available numbers diminishes. This gives marginally better odds for guessing.
7854, 9856, 4521, 6523, 1452, 6325, 7412, 1236, 6987, 8741, 8521, 8523, 2587, 2589, 7456, 6541
See the common link? (17 numbers there that LOOK random, but aren't)
or.... 3141 or 1414 or 2718? Recognise them? Definitely not random!
It looks like once you remove the easy guessable and common dates you will be left with the Sony Random Number(TM)(R)(C) which of course is "4", making everyone's PIN '0004'
Why not use a hash of arbitrary length PINs? If I want to use the first 26 numbers of SQR(2) or PI, why can't I?
(not that either of those is a good choice, mind you..)
As the bank knows your DoB, surely they can check if your PIN is DD/MM, MM/YY or MM/DD for your DoB.
However, the ATM back-end computer doesn't need your DoB - it's only on the initial anti-laundering part. They could do a batch-job running through all recently-changed PINs and asking the back-end if the PIN one of these 3 values, and then send a stern reminder to the customer not to be so silly.
Over here they recently "upgraded" the things so that now you have to hit "ok" after entering the four digits. Still doesn't allow for changing any pin, nevermind for a longer one.
Personally I don't mind defaulting to four digits, it's hard enough for many already. I do mind enforcing that lowest common denominator as the standard. Could've specified right away that all machinery had to allow for, say, three-to-eight digit numbers, customer choosable. Could even make it so that the customer can only pick the PIN length, who in return will be provided with a randomly-generated pin of the right length sans that top-100. This sounds sensible to me, which probably is why I'm not a banker.
Leave it as it is. It's a 4 digit number; it's not hard to create a completely random number and remember the 4 digit number. It takes less than 5 minutes of elapsed time over a few hours to commit it to long term memory. If some thief managed to get hold of my card, I would really appreciate that they use some of their limited attempts on simple PINs like DOB and number patterns. I have no sympathy for people who choose to use simple PINs.

If your birth year is 1965 then why not swap two of the digits around, e.g. 5961. This creates a much more difficult PIN while still retaining an easy to remember number. There are lots of other things you can do with the DOB PINs to make them harder: mix the day and month digits so you have DMDM or MDMD or DMMD. Add in the last two digits of your year and you have tons of combinations that all create an easy to remember PIN without making it easy for someone who may have your card and your DOB.

If you still want a more varied range then add the last two digits of your house number to your DOB, or mix in two of the digits of your telephone number. You can even vary the PIN for each card you have by varying a single digit. The digit could be random or could be one of the digits on the card itself (e.g. the last digit of the long number or one of the digits of the 3 digit security verification number). I could be here all day coming up with ideas of how to vary the PIN in easy to understand ways.
There has yet to be a fully proven truly random number generator -- primarily because testing to prove a number sequence is truly random is practically impossible*. There are many which are theoretically random (such as hardware random number generators) but they are usually quite slow and used primarily to seed a faster pseudorandom number generator rather than to produce final output.
As that is what most computing systems do, pseudorandom numbers from a generator seeded from a hardware random number generator are most likely the source of the PIN generated by your bank. Not truly random, but effectively random.
* There are statistical tests for randomness, but deterministic processes such as pseudorandom number generators can fool such tests. That is to say, a pseudorandom number generator generates a sequence of numbers which appear statistically to be random, but come from a deterministic process, which is by definition not truly random.
FFS people, spare me the lectures on the fundamentals of pseudo-random number generators, the point was there actually is a well established way to generate robust random-as-in-impossible-to-predict numbers (cryptographically secure pseudo-RNG seeded by entropy from a physical source) and it's reasonable to expect that that's what the banks use.
Dude! Provided you are the same guy behind the Guy Fawkes mask as further above, you are the one bashing somebody else over what you perceive to be the correct phrase to use. When other people then argue that your nitpicking is actually wrong you do not get to complain about people nitpicking.
Yes, in this instance, the pseudo random number is effectively random provided the algorithm provides all possibilities. It has to be less the obvious numbers as already discussed. A typical bank will produce at least 10,000 cards each day so provided each cycle starts at a random point and they are allocated in the order requested the result is genuinely random.
The article mentions "repeated digits" as part of the "not-so-random" codes. Why? Surely random codes would occasionally* lead to repeated digits, and forbidding them would reduce still further the available pool of numbers.
*someone with better stats than me can work out the frequency of occasionally.
While random codes will occasionally lead to repeated digits (for a very simple example, any single digit repeated 4 times in a 4 digit PIN would statistically be expected to appear on average 10 times in 10,000), they would be expected to appear more often in self-selected PINs, because they're easy to come up with and to remember, and people often self-select for convenience.
If my stats aren't too rusty:
With a truly random number, the odds of two sequential digits (and only two) being the same are 27.9%, the odds of three sequential digits being the same are 1.9% and the odds of all four being the same are 0.1%.
You can quite easily work it out by considering the number of variations out of the 10000 possibilities, i.e. for each of ten possible values of the first digit, there is a one in ten possibility of the second digit being the same, so 10% of all possible values; add on the percentages for the second and third digits being the same (also 10%), then the third and fourth (also 10%), which gives 30% for two (or more) sequential digits.
For three sequential digits, there are ten different values those digits can take, plus ten variations of the extra digit, i.e. 1 in 100. The extra digit can be either at the start or end, so there is a 2% chance of two (or more) digits being the same.
There are exactly ten variations of four repeated digits, out of 10000 combinations, so 0.1%. To get the percentage of triple numbers not including all four being the same, take this off of the 2%, so 1.9% for two and only two repeated digits, and then take that off the 30% for double digits to get 27.9% for two and only two repeated digits.
I'm sure there's an easier way to get those numbers. Any mathematicians out there?
Interesting to note that statistically, more than a quarter of all pin numbers would have repeated digits if they are truly random. Anyone care to figure out the odds of two non-sequential digits being the same? I suspect it may even be more than 50%.
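The easier way asked for above is to stop estimating and enumerate: there are only 10,000 four-digit PINs, so every proportion in this subthread can be counted exactly. The block below is an added example (mine, not from the thread) that does that for any PIN length, tracking the longest run of identical neighbours, the number of adjacent equal pairs, and whether any digit repeats anywhere. For length 4 it gives 27.1% with at least one adjacent pair (the 30% above double-counts PINs with two pairs), 1.9% with a run of three or more, 0.1% all the same, and 49.6% with some two digits equal anywhere, just short of the "more than 50%" guessed above.

```python
from itertools import product
from math import perm


def repeat_stats(length: int = 4) -> dict:
    """Exact counts over all 10**length PINs of one length, by brute force."""
    counts = {
        "total": 10 ** length,
        "all_same": 0,                   # 1111, 2222, ...
        "run_of_3_or_more": 0,           # 1112, 2111, 1111, ...
        "some_adjacent_pair": 0,         # at least one digit equals its neighbour
        "exactly_one_adjacent_pair": 0,  # 1123, 1223, 1233; not 1122 or 1112
        "only_non_adjacent_repeat": 0,   # 1213, 1231, ...: repeats, never neighbours
        "any_two_digits_equal": 0,       # some repeat anywhere in the PIN
    }
    for digits in product(range(10), repeat=length):
        adjacent = [digits[i] == digits[i + 1] for i in range(length - 1)]
        longest = run = 1
        for same in adjacent:            # longest run of identical neighbours
            run = run + 1 if same else 1
            longest = max(longest, run)
        has_repeat = len(set(digits)) < length
        counts["all_same"] += longest == length
        counts["run_of_3_or_more"] += longest >= 3
        counts["some_adjacent_pair"] += any(adjacent)
        counts["exactly_one_adjacent_pair"] += sum(adjacent) == 1
        counts["only_non_adjacent_repeat"] += has_repeat and not any(adjacent)
        counts["any_two_digits_equal"] += has_repeat
    return counts


def all_distinct_closed_form(length: int) -> int:
    """10 * 9 * 8 * ...: PINs with no repeated digit at all. Cross-checks the
    brute-force 'any_two_digits_equal' count (total minus this)."""
    return perm(10, length)


def as_percent(counts: dict, key: str) -> float:
    return round(100 * counts[key] / counts["total"], 1)


if __name__ == "__main__":
    for n in (4, 6):
        c = repeat_stats(n)
        print(f"length {n}:",
              {k: as_percent(c, k) for k in c if k != "total"})
```

The closed form is the quick route to the headline figure: the chance that a random 4-digit PIN has no repeated digit at all is 10·9·8·7/10000 = 50.4%, so a little under half of all random PINs contain a repeat somewhere, and forbidding repeats would throw away that half of the space.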
"The researchers modeled banking PIN selection using a combination of leaked data from non-banking sources"
Don't know about people in general, but I use a "much more random" PIN for my bank cards than I do for a mobile phone unlock code, for instance.
I wonder how many people use part of the card number as the PIN?
For my infrequently used cards I write the bank supplied default PIN on the rear of the card, but encrypt it by adding or subtracting another 4 digit number. Normally this is the last 4 digits of my phone number from 20 ish years ago - (4 relatively low value digits). I've always hoped that if someone steals my card, they will try the four digit number on the card directly a couple of times, then maybe reversed, then hey-presto it's locked out. Simples.
of course, it would be more secure to use a 128 bit DES algorithm or a Nth power polynomial to encrypt it, but I would never be able to work that one out mentally, in a drunken stupor, when I need my taxi fare home.....
A similar trick is to write down the PIN within a few other random digits - gives you enough of a reminder of which four digits are valid, while still hiding the purpose of the number and leaving several different schemes:
where 9 is actually a random digit of course.
my pin for my main card is part of a phone number for where I used to live.
however for someone to guess the number three things would have to happen.
1. they know its part of a phone number
2. they know the phone number that my parents had when I was 5 years old
3. they know which part of the number I chose
I would think that the odds of somebody guessing the number are around the same as their chances of getting it right by mashing their forehead against the number pad.
of course the odds of somebody getting the number go up by a large margin if they ask nicely (while holding a knife etc)
use the full number (area code and all) not just the three digit number for same exchange
300 (same exchange)
300300 (same area code)
0327 300300 (outside area before the area code changes)
01327 300300 (outside area since code changes)
No the above number is not the number I use, If anyone calls it you should find it answered by some very friendly police in Daventry or Towcester.
Date of birth is 6 digits, and you don't know which order is being used - some might use DDMMYY, others might use MMDDYY, geeks might use [YY]YYMMDD.
PIN is 4 digits.
The dodgy geezer has to pick the right format of DoB and then pick the right 4 digits from 6.
Not so easy now?
Or am I missing something?
There are 10,000 4-digit numbers, so if your PIN is truly random, there's a 1 in 10,000 chance of guessing it.
However, if your PIN is 4 of the digits of your DOB, in a random order, there are significantly fewer combinations. Given that the numbers are known (since someone's DOB is relatively easy to find), and allowing for a 4-digit year, the criminal only has to choose an order. Allowing you to sort them in any order means the criminal has 8 choices for the 1st digit, 7 for the 2nd, 6 for the 3rd, and 5 for the 4th. This means 8*7*6*5 = 1,680 total choices instead of 10,000.
So giving date of birth the best chance, it's still almost 6 times easier to crack than a random number (10,000 / 1,680 ) ~= 5.95
Beware of 5 digit PINs: Italian banks give you one and don't let you change it. But as far as I've seen, 1 or 2 digits are purposely repeated to make the PIN easier to remember, which obviously defeats part of the purpose.
Beware also that in some countries the only ATMs you can find require a fixed-length PIN to be entered, either 4 and not 5 or 5 and not 4. So you can be denied access to cash abroad just by having the wrong length PIN!
Not by my reading it isn't. The reduction occurs because roughly 10% of people do both of (i) use their DoB as their PIN and (ii) carry this DoB elsewhere in their wallet. Therefore, a strategy of "use the DoB in the wallet" will succeed in 100% of those cases. Less amazing, and possibly not completely true, but (sadly) probably not completely false either.
PINs aren't stored; they are calculated in an HSM using your PAN and a derived key, which I think is called the PIN Verification Key. Your encrypted PIN (in ATM transactions) is sent to your issuer with your PAN; your issuer can then perform operations on the secret in the HSM to determine whether it is correct or not.
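To make the post above concrete, here is an added example (my own sketch, not the thread's and not any real HSM firmware) of the structure it describes: nothing PIN-shaped is stored per card, only an offset; the issuer recomputes a "natural" PIN from the PAN under the PIN verification key at every verification and checks the customer's entry against natural PIN plus offset, with the wrong-try counter from later in the thread bolted on. Two assumptions to be clear about: real issuer HSMs use DES-based schemes for the natural PIN (the IBM 3624 offset and Visa PVV methods), and HMAC-SHA256 stands in here so the block runs on the standard library alone; and the PAN is the "not my card" number quoted further down the thread.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 replaces the DES-based derivation a real HSM uses,
# so that this runs with the standard library. The data flow is the point.
DECIMALISATION = "0123456789012345"   # hex nibble -> decimal digit, 3624-style
MAX_ATTEMPTS = 3                      # the "3 wrong tries" quoted in the thread


def natural_pin(pvk: bytes, pan: str, length: int) -> str:
    """Derive the card's 'natural' PIN from the PAN under the PIN Verification
    Key. This never leaves the HSM and is recomputed on every verification."""
    digest = hmac.new(pvk, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return "".join(DECIMALISATION[int(h, 16)] for h in digest)[:length]


def make_offset(pvk: bytes, pan: str, chosen_pin: str) -> str:
    """Per-card offset = chosen PIN minus natural PIN, digit-wise mod 10.
    Only this is stored; without the PVK it says nothing about the PIN."""
    nat = natural_pin(pvk, pan, len(chosen_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def pin_matches(pvk: bytes, pan: str, offset: str, entered: str) -> bool:
    """Recompute natural PIN + offset and compare in constant time."""
    nat = natural_pin(pvk, pan, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered)


class Issuer:
    """Host-side record per PAN: the offset and a wrong-try counter.
    The PVK would live inside the HSM; it is a plain attribute here."""

    def __init__(self, pvk: bytes):
        self._pvk = pvk
        self._cards = {}   # pan -> {"offset": str, "wrong": int}

    def enrol(self, pan: str, chosen_pin: str) -> None:
        self._cards[pan] = {"offset": make_offset(self._pvk, pan, chosen_pin),
                            "wrong": 0}

    def change_pin(self, pan: str, new_pin: str) -> None:
        """A PIN change only rewrites the offset; the PVK and PAN are untouched."""
        self._cards[pan]["offset"] = make_offset(self._pvk, pan, new_pin)

    def verify(self, pan: str, entered: str) -> str:
        """Returns 'ok', 'wrong', or 'blocked' (card retained / chip disabled)."""
        card = self._cards[pan]
        if card["wrong"] >= MAX_ATTEMPTS:
            return "blocked"
        if pin_matches(self._pvk, pan, card["offset"], entered):
            card["wrong"] = 0            # a good PIN resets the counter
            return "ok"
        card["wrong"] += 1
        return "blocked" if card["wrong"] >= MAX_ATTEMPTS else "wrong"


if __name__ == "__main__":
    issuer = Issuer(pvk=b"\x00" * 32)          # test key only
    pan = "4929701455834826"                    # the "not my card" number from the thread
    issuer.enrol(pan, "2285")
    print("stored offset:", issuer._cards[pan]["offset"])
    for attempt in ("1985", "2285", "0202", "1234", "1111", "2285"):
        print(attempt, "->", issuer.verify(pan, attempt))
```

The detail worth noticing is that a PIN change costs the bank nothing but a new offset, which is also why "any PIN except 0000 and 9999" style rules are cheap to enforce at the host: the check runs on the customer's chosen value before the offset is written, not on anything the HSM stores.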
I have a personal UK debit card, 2 personal UK credit cards, a UK online banking access card, a Swiss debit card, a Swiss credit card and a Swiss online banking access card. All have PIN numbers, and I don't want to use the same number on them all. But I can't memorise 7 PINs plus all the other passwords I use every day. I use two cards frequently, and the others rarely. I can't be forgetting them when I'm abroad.
So I use an algorithm for the cards that lets me carry the numbers in plain sight.
4929 7014 5583 4826 <- Not my card
The simplest algorithm could be to choose a block of four, but in common practice that is too vulnerable. Here are a few different ones that I could use
One from each group = 4754
First from first, second from second, etc = 4086
Fourth from first, third from second, etc = 9154
Two from the first group, two from the back = 12 combinations in each group, for 144 possible
And so on. You can even use different algorithms for different types of cards, so in my example I can use one for debit cards and another for credit cards. Or one for UK and one for Swiss.
The important thing is that you can simply remember the rules, and look at the card every time you use it. One rule for 7 cards means 7 PINs that are as random as anything the bank will generate, it is right in front of you and yet no-one will see it.
The problem is understated due to the fact that most people carry more than one card and most likely use the same PIN for each of them. So a thief has multiple opportunities to compromise the PIN (at which point all remaining cards in the wallet are compromised).
One option is to use a common root PIN (say 3 digits or 5 digits depending on your PIN length) and then base the remaining digit (lets say make it the 3rd digit) card specific - e.g, base it on the CSV value printed on the card).
I was hanging about a bus station once with the missus waiting for a bus. There were some lockers with a "choose your own 4 digit pin" style combination locks on them. Said to the missus, I bet I could open one of those. How so? she asks. Well, a lot of people are going to use their YOB. And a lot of long-distance bus users with baggage are going to be in their early twenties / late teens. So a fair few will be locked with '198x'. Some bloke came up, unlocked his locker and went off with his suitcase. I checked the lock - he'd used 198x.
it's a 4-digit number, allocated by the bank which I can't change. 3 wrong tries and the ATM swallows the card, blows the chip, or the shop cashier receives a message that she must retain it.
Hard to remember?
No - I write it on the back of the card, coded with an algorithm only I know (no, not inversion, shifting, etc. Much more evil) If I forget the number, I can always remember the algorithm, as it's the same for all 4 cards I own.
In NZ if you are driving and do not have your driver's license on you you risk being slapped with a $500 on the spot fine, e.g. if you get pulled over for speeding, or in a drink-drive spot check.
I love reading about all the complicated schemes y'all have devised for hoodwinking the thieves. Especially the guy who has a pin for each card which is derived from the card numbers themselves plus some fiddle digit.
Very clever. But what do you do if that algorithm throws out one of the easily guessed PINs?
Complicated schemes for creating numbers are largely irrelevant to the guessability of the numbers even the most complex scheme produces (unless that scheme includes a mechanism for specifically excluding those guessable numbers).
@ The Mole... spot on !
As for remembering numbers, frequency of use is the key to that. I have no trouble remembering my PIN. I also have no trouble remembering the 16 digit card number, 4 digit expiry, specific "name on card" (I use different forms on different cards) and 3 digit CVV number of the TWO cards that I use most regularly for online purchases.
4 digit PIN ? 6? 9? 12? meh - easy peasy.
No, there are too many possible formats: ddmm, mmdd, dmyy, yyyy, yymd, mmyy, ... and you can't exclude all digits in the full DoB because there would be too few left. Then you have to think about telephone numbers, house numbers, children's/spouse's birthdays and so on. The more rules you impose the more numbers you exclude so the better chance of guessing correctly.
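Several posts in this thread (the DD/MM, MM/YY, MM/DD check, the 8P4 = 1680 orderings, and the "too many formats" objection just above) are really arguing about how big the birthday-derived set is. The added example below (my code, not from the thread or any bank) builds that set two ways so it can be measured: `dob_layout_pins` enumerates the obvious field layouts, padded and unpadded, and `dob_digit_pins` is the looser "any four of the eight digits in any order" model from upthread, which tops out at 1680 and is smaller when the date has repeated digits. `classify_pin` is the check a bank could run at PIN-change time; the field layouts and the two-tier classification are assumptions for the example. The dates used are constructed, not anyone's.

```python
from datetime import date
from itertools import permutations, product


def _as_date(dob) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string (how a bank's record holds it)."""
    return dob if isinstance(dob, date) else date.fromisoformat(dob)


def dob_layout_pins(dob) -> set[str]:
    """Every 4-digit string made by writing some of the day/month/year fields
    next to each other, padded or unpadded: DDMM, MMDD, DDYY, YYDD, MMYY, YYMM,
    YYYY and, for single-digit days or months, D M YY layouts such as 2285."""
    d = _as_date(dob)
    fields = {
        "day":   {f"{d.day:02d}", str(d.day)},
        "month": {f"{d.month:02d}", str(d.month)},
        "year":  {f"{d.year:04d}", f"{d.year % 100:02d}"},
    }
    pins = set()
    for n in (1, 2, 3):
        for order in permutations(fields, n):          # which fields, in which order
            for tokens in product(*(fields[k] for k in order)):
                candidate = "".join(tokens)
                if len(candidate) == 4:
                    pins.add(candidate)
    return pins


def dob_digit_pins(dob) -> set[str]:
    """The looser model from upthread: any 4 of the 8 digits of DDMMYYYY in any
    order. 8P4 = 1680 orderings; fewer distinct strings when digits repeat."""
    d = _as_date(dob)
    digits = f"{d.day:02d}{d.month:02d}{d.year:04d}"
    return {"".join(p) for p in permutations(digits, 4)}


def classify_pin(pin: str, dob) -> str:
    """What a 'no birthday PINs' check at PIN-change time could report."""
    if pin in dob_layout_pins(dob):
        return "obvious-dob-layout"
    if pin in dob_digit_pins(dob):
        return "dob-digits"
    return "unrelated-to-dob"


if __name__ == "__main__":
    for dob in ("1985-02-02", "1976-03-24"):   # constructed dates
        layouts = dob_layout_pins(dob)
        print(dob, "obvious layouts:", sorted(layouts))
        print(dob, "any-four-digits model:", len(dob_digit_pins(dob)), "of 10000")
    for pin in ("2285", "0298", "7777"):
        print(pin, "->", classify_pin(pin, "1985-02-02"))
```

The numbers answer the objection above fairly directly: the obvious layouts for a given customer come to a handful of PINs (seven for either date above), and even the loose "any four of the eight digits" model removes at most 1680 of the 10,000, so blocking birthday-derived values shrinks the space a guesser faces by a few percent while removing the one guess that the study says succeeds about one time in eleven.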
Everyone focuses on the PIN number, but why not just give someone 2 chances instead of 3? Enter it incorrectly and the card gets blocked.
If they are daft enough to use a number associated with them #fail
If they are daft enough to write number down # fail
But if the ATMs were smart enough to slow the attacker down - 2 invalid attempts and the card gets blocked for 48 hrs. would be annoying enough to make it hard work.
Because the other week I had to use a supermarket's self-scanner chip-and-pin unit with one duff key. It was supplying two keypresses for each press (i.e. the PIN was being mis-entered even when the correct keys were pressed).
It took two goes for me to realise that it was the device at fault rather than my typo. I gather that dozens of people locked out their PINs before the store thought to close that particular terminal.
No, not my pin, but any lazy thief might assume it IS my PIN and stick it, or a permutation, in thereby hastening the lock-up of my card.
Whenever a web page offers to store my password, I always accept AFTER putting the wrong password in, so if anyone tries to access it, it simply doesn't work..
They have _nothing_ to do with my PINs - and a lot to do with the idea that most crims are dumb enough to try repeatedly entering them.
Given that more secure codes would lead to more cases of crims standing over people at ATMs and threatening GBH whilst forcing them to withdraw money, wouldn't it be nice to have a "duress" code for ATM cards?
Probably should be an AC for this post but oh well. I assume you all are upstanding readers who wouldn't dare try to nick my card and guess my code.
I have 6 bank cards of which half are used frequently. The others I don't use so often and I commonly used to forget their PINs (as a good bankee, I would never write them down). I have since built a system where each PIN is XXYY, where the YY are the same for each card and XX are the two digits in two particular positions on the long card number. This way, each PIN is different, statistically random, yet easy to determine if you know the two common digits and the positions of the long number to read. I'm hoping there's no gaping hole in that strategy; the only vulnerability I see is if someone found out one of my PINs and somehow knew my strategy and got hold of a second card, they might be able to work out the second card's PIN.