Abstract
We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11--18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
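The two attack ingredients the abstract names, a thief guessing PINs derived from a birth date found in the stolen wallet and a bank-side denied-PIN list, can be made concrete in a few lines. The following Python is an added illustration written for this page, not the paper's model or any bank's rules: the set of date orderings a thief tries (DDMM, MMDD, YYYY and year combinations), the denied-list rules (repeated digits, ascending or descending runs, repeated pairs such as 1212), the fallback guesses 1234, 1111 and 0000, and the default budget of three guesses before lockout are all assumptions chosen for the example. It also shows the abstract's caveat in code: filtering the candidates through the denied list removes almost nothing, because a birth-date PIN such as 1403 is not on any generic blacklist.

```python
"""Birthday-derived PIN guessing versus a denied-PIN list (illustrative)."""
from datetime import date

# Assumed fallback guesses for when birthday-derived candidates run out.
# 1234 is the weak PIN the abstract cites; the other two are assumptions.
POPULAR_FALLBACK = ["1234", "1111", "0000"]

# Assumed lockout budget: many ATMs retain the card after a few wrong
# PINs, but the exact number is bank-specific, so it is a parameter here.
DEFAULT_BUDGET = 3


def birthday_candidates(dob: date) -> list[str]:
    """Return 4-digit PINs a thief could derive from a known date of birth.

    The orderings (DDMM, MMDD, YYYY, MMYY, DDYY, YYMM, YYDD) and their
    priority are assumptions for this example, not survey-derived weights.
    Duplicates (e.g. DDMM == MMDD for 12 Dec) are removed, keeping order.
    """
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    ordered = [dd + mm, mm + dd, yyyy, mm + yy, dd + yy, yy + mm, yy + dd]
    seen: set[str] = set()
    out = []
    for pin in ordered:
        if pin not in seen:
            seen.add(pin)
            out.append(pin)
    return out


def is_denied(pin: str) -> bool:
    """Assumed denied-PIN rules of the kind a bank might enforce at PIN selection.

    Rejects non-4-digit input, single repeated digits (0000), straight runs
    (1234, 4321, 0123) and repeated pairs (1212). Note that nothing here
    recognises a PIN that happens to be the customer's own birth date.
    """
    if len(pin) != 4 or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    if pin[:2] == pin[2:]:
        return True
    return False


def guess_plan(dob: date, budget: int = DEFAULT_BUDGET,
               bank_denies_weak_pins: bool = False) -> list[str]:
    """Ordered list of PINs a thief would try within the lockout budget.

    If the bank enforces a denied list, a rational thief skips candidates
    the customer could never have chosen, so the list is filtered first.
    """
    candidates = birthday_candidates(dob) + POPULAR_FALLBACK
    if bank_denies_weak_pins:
        candidates = [p for p in candidates if not is_denied(p)]
    # Deduplicate again in case a fallback PIN also came from the birthday.
    plan: list[str] = []
    for pin in candidates:
        if pin not in plan:
            plan.append(pin)
    return plan[:budget]


def pin_falls_to_guessing(pin: str, dob: date, budget: int = DEFAULT_BUDGET,
                          bank_denies_weak_pins: bool = False) -> bool:
    """True if the victim's PIN would be hit within the budget of guesses."""
    return pin in guess_plan(dob, budget, bank_denies_weak_pins)


if __name__ == "__main__":
    # Constructed example victim; not a real person or real survey data.
    victim_dob = date(1975, 3, 14)
    print(guess_plan(victim_dob))                           # ['1403', '0314', '1975']
    print(pin_falls_to_guessing("1403", victim_dob, bank_denies_weak_pins=True))  # True
```

Run against a customer born on 14 March 1975 who chose 1403, the first guess succeeds whether or not the bank maintains a denied list, which is the abstract's point that blacklists address 1234-style choices but not birth-date choices. The one case where the denied list changes the plan is a date that is itself a pattern, such as 12 December (1212), which the thief then skips.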
Field | Value
---|---
Original language | English
Title of host publication | Financial Cryptography and Data Security
Subtitle of host publication | 16th International Conference, FC 2012, Kralendijk, Bonaire, February 27-March 2, 2012, Revised Selected Papers
Editors | Angelos D. Keromytis
Place of publication | Berlin, Heidelberg
Publisher | Springer
Pages | 25-40
Number of pages | 16
ISBN (Electronic) | 978-3-642-32946-3
ISBN (Print) | 978-3-642-32945-6
DOIs | 
Publication status | Published - 27 Feb 2012
Event | Sixteenth International Conference on Financial Cryptography and Data Security 2012, Kralendijk, Bonaire, Sint Eustatius and Saba. Duration: 27 Feb 2012 → 2 Mar 2012. Conference number: 16. https://fc12.ifca.ai/
Publication series
Field | Value
---|---
Name | Lecture Notes in Computer Science
Publisher | Springer, Berlin, Heidelberg
Volume | 7397
ISSN (Print) | 0302-9743
ISSN (Electronic) | 1611-3349
Conference
Field | Value
---|---
Conference | Sixteenth International Conference on Financial Cryptography and Data Security 2012
Abbreviated title | FC 2012
Country/Territory | Bonaire, Sint Eustatius and Saba
City | Kralendijk
Period | 27/02/12 → 2/03/12
Internet address | 