Bank Customers Favor Birthdate PINs

Too many people use a date for their bank card PIN, giving attackers an edge in figuring out the number, reports Cambridge University researchers.

Why dont banks block overused or insecure passwords and PIN codes?
Thats one question posed by a study conducted by Cambridge University security researchers Joseph Bonneau, Soren Preibusch, and Ross Anderson, whove conducted what they said is the first-ever quantitative analysis of the difficulty of guessing four-digit banking PINs. Their research has implications not just for ATM cards, but also for any mobile device set to
require a numeric password
.
The big warning from their research is that based on current PIN-picking patterns,
would-be attackers
have a 9% chance of correctly guessing a persons ATM code.
How did the researchers reach that conclusion? Since banks dont share customers PIN codes for statistical analysis purposes, the researchers turned to the
leak of 32 million RockYou passwords
, which includes 1.7 million four-digit sequences. In addition, they said that developer Daniel Amitay graciously shared a set of
200,000 iPhone unlock codes
that hed amassed. With all of that data in hand, they assessed PIN popularity using 25 factors, including whether the data included a date (in DDMM format), as well as whether numbers ascended, and also surveyed more than 1,000 people about their PIN-management habits.
[ As smartphones turn into wallets, the risk to your bank account rises. See
What One-Time Passwords Could Do For Mobile
. ]
The good news from the study is that people are considerably more careful when choosing banking PINs than passwords, said Bonneau in a
blog post
. About a quarter stick with their bank-assigned random PIN and over a third choose their PIN using an old phone number, student ID, or other sequence of numbers which is, at least to a guessing attack, statistically random. Meanwhile, 5% use a numeric pattern--such as 3535--while 9% use a visual pattern on the keypad. Both of those approaches have only a 2% chance of being guessed.
But the researchers found that 23% of users base their PIN on a date, and nearly a third of these used their own birthday. What attacker could easily guess someones birthdate or birth year? Actually, the answer is elementary. According to the survey conducted by the group, 99% of people surveyed said they carry something in their wallet--most often their drivers license--that lists their birthdate. As a result, attackers have a 9% chance of guessing a birthdate-based PIN code.
In other words, a competent thief will gain use of a payment card once every 11 to 18 stolen wallets, depending on the proportion of banks using a denied PIN list, according to the researchers.
What can be done to
strengthen four-digit PIN codes
? For starters, the researchers propose blacklisting--that is, preventing users from selecting--100 specific PINs, including 0000 and 1010. Doing so would decrease the overall chance of an attacker guessing a PIN code to just 0.2%, yet numerous financial institutions apparently dont have such controls in place. In both the U.S. and U.K. we found banks which allowed us to change to 1234, said Bonneau.
Another security-improvement recommendation is to prevent users from using their birthdates as a PIN code, although the researchers questioned whether such a control could be easily implemented. Too many PINs can be interpreted as dates to blacklist them all, and customer-specific blacklisting using knowledge of the customers birthday seems impractical, said Bonneau.
The Cambridge University researchers plan to present their related
research paper
, A Birthday Present Every Eleven Wallets? The Security Of Customer-Chosen Banking PINs, at next weeks Financial Cryptography and Data Security 2012 conference.
To protect company and customer data, we need to determine what makes it so vulnerable and appealing. We also need to understand how hackers operate, and what tools and processes they rely on. In our
How (And Why) Attackers Choose Their Targets
report, we explain how to ensure the best defense by thinking like an attacker and identifying the weakest link in your own corporate data chain. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Bank Customers Favor Birthdate PINs