
Letting customers choose PINs a gift to thieves - research

23 February 2012  |  8466 views  |  1 wallet

Banks that let customers pick their own PINs and fail to 'blacklist' the most common variations are putting them at risk, according to a paper from Cambridge University researchers.

Joseph Bonneau, Sören Preibusch and Ross Anderson analysed 32 million passwords stolen from the RockYou social gaming Web site in 2009 and 200,000 iPhone unlock codes before carrying out an online survey of more than 1100 people for what they claim is the first quantitative analysis of the difficulty of guessing four-digit banking PINs chosen by the cardholder.

The scientists' analysis of the data reveals that people take choosing their PINs seriously and what they pick is generally stronger and less likely to be replicated than other passwords.

However, a thief can expect to correctly "jackpot" one in every eleven stolen cards before it is blocked if the victim chose their own PIN and the bank has no blacklisted numbers. This is largely down to the numbers of people that use their birth date - a piece of information often carried in wallets and so available to a pickpocket.

Banks that do blacklist common numbers, such as 1111 and 1234, reduce the chances of the number being cracked to one in every 18. If thieves do not have the victims' birth date, blacklisting the top 100 PINs reduces the guessing rate for a thief substantially, bringing it down to just 0.2%.

Anderson told the New York Times that Bank of America and Wells Fargo in the US and Lloyds and the Co-op in Britain do not have blacklists, letting customers choose 'dumb' PINs and so heightening their risk.

"We advise users not to use PINs based on a date of birth, and those banks which do not currently employ blacklists to immediately do so. Still, preventing birthday-based guessing requires a move away from customer-chosen PINs entirely," concludes the paper.
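As an added illustration (not code from the paper or from Finextra), here is a PIN-selection check of the kind the paper asks banks to apply at PIN-choice time: a common-PIN blacklist plus rejection of PINs derived from the cardholder's date of birth. The blacklist entries and the date formats are constructed assumptions; the paper's actual top-100 list is not reproduced here.

```python
"""PIN-choice policy check: refuse the weak choices the article describes."""
from datetime import date
from typing import Optional

# Constructed illustrative blacklist (the paper's real top-100 list is not
# on this page); 1111 and 1234 are the two examples the article names.
COMMON_PINS = {"1234", "1111", "0000", "1212", "2222", "7777"}


def dob_derived_pins(dob: date) -> set:
    """Assumed date-of-birth layouts a cardholder might reuse as a PIN."""
    dd, mm, yyyy = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + yy, mm + yy, yy + mm, yy + dd}


def is_repeated_or_sequential(pin: str) -> bool:
    """Catch 1111-style repeats, 1234/4321-style runs and 1212-style pairs."""
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return True
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):          # ascending or descending run (wraps 9->0)
        return True
    return pin[:2] == pin[2:]        # ABAB pattern


def check_pin(pin: str, dob: Optional[date] = None):
    """Return (accepted, reason) for a customer-chosen four-digit PIN."""
    if not (len(pin) == 4 and pin.isdigit()):
        return False, "PIN must be exactly four digits"
    if pin in COMMON_PINS:
        return False, "PIN is on the common-PIN blacklist"
    if is_repeated_or_sequential(pin):
        return False, "PIN is a repeated or sequential pattern"
    if dob is not None and pin in dob_derived_pins(dob):
        return False, "PIN is derived from the cardholder's date of birth"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample cardholder born 27 March 1985.
    for candidate in ("1234", "2703", "1985", "4321", "2580"):
        print(candidate, check_pin(candidate, date(1985, 3, 27)))
```

The date-of-birth check only works if the bank already holds the DOB, which it normally does for the account; the article's point is that a pickpocket often holds it too.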

You can read a blog on the research from Joseph Bonneau here and the full paper here.


Comments: (1)

Keith Richbell
Keith Richbell - eftpos Payments Australia Ltd. (ePAL) - Sydney | 23 February, 2012, 21:58

This is about as helpful as being told "the sky is blue and the sea is green". Shame Cambridge University can't find something more important to waste their time and money on.

