
What are the most common PINs?

How much thought do you put into your PIN? Is it someone’s birthday? Your vital statistics? You would think that people would try to protect their bank account balance or credit limit to the best of their ability, but you’d be surprised. A startling number of consumers still put little effort into determining a PIN. 

Recent research [Data Genetics] confirms the fact that many consumers choose easy combinations or number patterns which are an open wallet for fraudsters. In fact, with just three combinations, they could swoop into nearly 20% of accounts and clean them out.

The result? A fraudster doesn’t need to be Dynamo the magician to gain access to a significant haul. In the end, banks are typically the ones footing the bill for the crime. Rather than take the hit, shouldn’t we be finding new ways to encourage customers to create less obvious PINs?

Banks already recognise the importance of secure PIN creation and invest significant time and effort in communicating this to the customer. Unfortunately the advice seems to be falling on deaf ears. In order to get this message through to their customers and close the loophole, they’ll need to take a different tack. Banks should devise alternative ways to hammer the message home, look at more sophisticated authentication methods to keep the fraudsters at bay and perhaps block the use of those three “magic” numbers.
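One way a PIN-selection service could block the weakest choices and fall back to issuer-generated PINs, as an added example that is not part of the original article. The denylist holds the three PINs named in the comments on this page; the pattern rules and all function names are assumptions made for illustration.

```python
import secrets

# Constructed denylist: the three most common PINs cited in the comments.
# A real issuer would derive its list from its own frequency data.
DENYLIST = {"1234", "5555", "3333"}

def is_sequence(pin: str) -> bool:
    """True for runs such as 2345, 4321 or 7890 (step +1 or -1, wrapping)."""
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {9}

def looks_like_date(pin: str) -> bool:
    """True for 4-digit DDMM / MMDD values and 19xx / 20xx years."""
    if len(pin) != 4:
        return False
    a, b = int(pin[:2]), int(pin[2:])
    ddmm = 1 <= a <= 31 and 1 <= b <= 12
    mmdd = 1 <= a <= 12 and 1 <= b <= 31
    return ddmm or mmdd or pin[:2] in ("19", "20")

def weak_pin_reason(pin: str):
    """Return the reason a customer-chosen PIN is rejected, or None if it passes."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) not in (4, 6):
        return "format"
    if pin in DENYLIST:
        return "denylisted"
    if len(set(pin)) == 1:
        return "repeated digit"
    if is_sequence(pin):
        return "sequence"
    if pin[: len(pin) // 2] * 2 == pin:
        return "repeated half"
    if looks_like_date(pin):
        return "date-like"
    return None

def generate_pin(length: int = 4) -> str:
    """Issuer-generated PIN drawn from a CSPRNG, re-drawn until it passes the policy."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if weak_pin_reason(pin) is None:
            return pin
```

The same rules catch the 6-digit variants raised in the comments (123456, 555555), which is why a longer PIN alone adds little when customers choose it themselves.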

 


Comments: (6)

Brett King - Moven - New York 12 August, 2013, 18:02

Matthew,

I worked extensively on two-factor authentication models for large banks like HSBC and others, and what we found was that the more you try and make a system secure, the less secure it becomes because, due to memory load, consumers find workarounds that are increasingly unsafe.

To illustrate - you put two PINs on a card instead of one, and people will try to use the same PIN, or write down the second PIN on their card because of the memory load.

The solution is not more complex passwords or enforcing stricter rules, but as you've pointed out more sophisticated authentication methods that don't require memory load (i.e. Biometrics).

Brett King, BANK 3.0 

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv 13 August, 2013, 04:25

Customer selected PINs are a disaster. There exists better research, based on actual cracked PINs rather than passwords, where the results are different though similar. The most common PINs were 1234, 5555 and 3333, followed by birthdate and ZIP code related numbers. It was claimed that if a thief has your wallet or access to your personal data he needs on average 6 trials to get to 50% of the PINs.

Banks should use random or cryptographically generated PINs.

A Finextra member 13 August, 2013, 08:40

FYI for both my Swiss debit card and Swiss Visa card, my PIN is 6 digits as opposed to the 4 I was used to in France/UK. Not much more to remember, but more secure?

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv 13 August, 2013, 09:46

6 digit cardholder selected PINs would only be marginally more secure. One would, I guess, still get a preponderance of 123456, 555555, 333333, birthdays and zip codes related PINs.

Brett King - Moven - New York 13 August, 2013, 15:40

Jonathan,

The problem with cryptographically generated PINs is memory load. We've got test after test of users who, if they can't easily remember their PIN, will write it down or store it in their phone.

With the memory load factor being a central hurdle to this problem the only solution is a simpler secure form, not more complex ones. Hence why biometrics are so core to a permanent solution to the Username/PWD/PIN conundrum.

Brett King
BANK 3.0 

A Finextra member 04 September, 2013, 10:19

Thanks for the comments. From my perspective, technological advancements mean biometrics are well on the way as a viable way for banks to enhance security and improve the customer experience. This must be the right thing to do from both an industry and consumer perspective. But we need to tread carefully; biometrics may provide a route to a more secure service, especially for remote channels, but the industry must ensure that there are common user interfaces based on standards if we are to retain customer confidence. In a world where consumers maintain multiple financial services relationships, it is up to the industry to ensure that the added security enhances the customer interaction rather than detracts from it.
