A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Joseph Bonneau, Sören Preibusch, Ross Anderson

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

Abstract

We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11--18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
Original language: English
Title of host publication: Financial Cryptography and Data Security
Subtitle of host publication: 16th International Conference, FC 2012, Kralendijk, Bonaire, February 27 - March 2, 2012, Revised Selected Papers
Editors: Angelos D. Keromytis
Place of Publication: Berlin, Heidelberg
Publisher: Springer
Pages: 25-40
Number of pages: 16
ISBN (Electronic): 978-3-642-32946-3
ISBN (Print): 978-3-642-32945-6
DOIs
Publication status: Published - 27 Feb 2012
Event: Sixteenth International Conference on Financial Cryptography and Data Security 2012 - Kralendijk, Bonaire, Sint Eustatius and Saba
Duration: 27 Feb 2012 - 2 Mar 2012
Conference number: 16
https://fc12.ifca.ai/

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer, Berlin, Heidelberg
Volume: 7397
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: Sixteenth International Conference on Financial Cryptography and Data Security 2012
Abbreviated title: FC 2012
Country/Territory: Bonaire, Sint Eustatius and Saba
City: Kralendijk
Period: 27/02/12 - 2/03/12
Internet address
