23 October 2014

Matthew Palmer - FIS

What are the most common PINs?

12 August 2013

How much thought do you put into your PIN? Is it someone’s birthday? Your vital statistics? You would think that people would try to protect their bank account balance or credit limit to the best of their ability, but you’d be surprised. A startling number of consumers still put little effort into determining a PIN. 

Recent research [Data Genetics] confirms the fact that many consumers choose easy combinations or number patterns which are an open wallet for fraudsters. In fact, with just three combinations, they could swoop into nearly 20% of accounts and clean them out.

The result? A fraudster doesn’t need to be Dynamo the magician to gain access to a significant haul. In the end, banks are typically the ones footing the bill for the crime. Rather than take the hit, shouldn’t we be finding new ways to encourage customers to create less obvious PINs?

Banks already recognise the importance of secure PIN creation and invest significant time and effort in communicating this to the customer. Unfortunately the advice seems to be falling on deaf ears. In order to get this message through to their customers and close the loophole, they’ll need to take a different tack. Banks should devise alternative ways to hammer the message home, look at more sophisticated authentication methods to keep the fraudsters at bay and perhaps block the use of those three “magic” numbers.
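One way a PIN-selection service could implement the blocking suggested above, as an added example that is not from the original post. The pattern rules (repeated digits or blocks, ascending or descending runs, date-of-birth derivatives), the 4 to 6 digit length range and all function names are assumptions chosen for illustration.

```python
from datetime import date
from itertools import permutations


def date_derived(birth: date, length: int) -> set:
    """PINs of the given length built from parts of a date (DDMM, MMYY, YYYY, ...)."""
    parts = [f"{birth.day:02d}", f"{birth.month:02d}",
             f"{birth.year % 100:02d}", f"{birth.year:04d}"]
    out = set()
    for n in (1, 2, 3):
        for combo in permutations(parts, n):
            candidate = "".join(combo)
            if len(candidate) == length:
                out.add(candidate)
    return out


def weak_pin_reasons(pin: str, birth=None, denylist=frozenset()) -> list:
    """Return the reasons a customer-chosen PIN should be refused (empty list = accept).

    Hypothetical policy: the rules below are illustrative assumptions,
    not a list taken from the research the post cites.
    """
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 6):
        return ["not a 4-6 digit PIN"]
    reasons = []
    # Issuer-maintained list of PINs observed to be over-represented.
    if pin in denylist:
        reasons.append("on issuer denylist")
    # A string made of a repeated shorter block (5555, 1212) occurs inside
    # its own doubling once the first and last characters are removed.
    if pin in (pin + pin)[1:-1]:
        reasons.append("repeated digit or block")
    # Every step between neighbouring digits is +1 or -1 modulo 10,
    # so 1234, 7890 and 4321 are all caught.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")
    # Anything assembled from the cardholder's own date of birth.
    if birth is not None and pin in date_derived(birth, len(pin)):
        reasons.append("derived from date of birth")
    return reasons


if __name__ == "__main__":
    dob = date(1985, 3, 7)  # constructed sample cardholder
    for candidate in ("1234", "5555", "0703", "070385", "8265"):
        print(candidate, weak_pin_reasons(candidate, birth=dob) or "accepted")
```

The check belongs at PIN selection and PIN change, so that the customer is asked to choose again before a weak value is ever stored.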

Tags: Cards, Security

Comments: (6)

Brett King - Moven - New York | 12 August, 2013, 18:02

Matthew,

I worked extensively on two-factor authentication models for large banks like HSBC and others, and what we found was that the more you try and make a system secure, the less secure it becomes because, due to memory load, consumers find workarounds that are increasingly unsafe.

To illustrate - you put two PINs on a card instead of one, and people will try to use the same PIN, or write down the second PIN on their card because of the memory load.

The solution is not more complex passwords or enforcing stricter rules, but as you've pointed out more sophisticated authentication methods that don't require memory load (i.e. Biometrics).

Brett King, BANK 3.0 

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv | 13 August, 2013, 04:25

Customer selected PINs are a disaster. There exists better research, based on actual cracked PINs rather than passwords, where the results are different though similar. The most common PINs were 1234, 5555 and 3333, followed by birthdate and ZIP code related numbers. It was claimed that if a thief has your wallet or access to your personal data he needs on average 6 trials to get to 50% of the PINs.

Banks should use random or cryptographically generated PINs.

Christopher Mc Carthy - SunGard - Zurich | 13 August, 2013, 08:40

FYI for both my Swiss debit card and Swiss Visa card, my PIN is 6 digits as opposed to the 4 I was used to in France/UK. Not much more to remember, but more secure?

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv | 13 August, 2013, 09:46

6-digit cardholder selected PINs would only be marginally more secure. One would, I guess, still get a preponderance of 123456, 555555, 333333, birthdays and ZIP code related PINs.

Brett King - Moven - New York | 13 August, 2013, 15:40

Jonathan,

The problem with cryptographically generated PINs is memory load. We've got test after test of users who if they can't easily remember their PIN will write it down or store it in their phone.

With the memory load factor being a central hurdle to this problem the only solution is a simpler secure form, not more complex ones. Hence why biometrics are so core to a permanent solution to the Username/PWD/PIN conundrum.

Brett King
BANK 3.0 

Matthew Palmer - FIS - Birmingham | 04 September, 2013, 10:19

Thanks for the comments. From my perspective, technological advancements mean biometrics are well on the way as a viable way for banks to enhance security and improve the customer experience. This must be the right thing to do from both an industry and consumer perspective. But we need to tread carefully; biometrics may provide a route to a more secure service, especially for remote channels, but the industry must ensure that there are common user interfaces based on standards if we are to retain customer confidence. In a world where consumers maintain multiple financial services relationships, it is up to the industry to ensure that the added security enhances the customer interaction rather than detracts from it.
