
Letting customers choose PINs a gift to thieves - research

23 February 2012

Banks that let customers pick their own PINs and fail to 'blacklist' the most common variations are putting them at risk, according to a paper from Cambridge University researchers.

Joseph Bonneau, Sören Preibusch and Ross Anderson analysed 32 million passwords stolen from the RockYou social gaming Web site in 2009 and 200,000 iPhone unlock codes before carrying out an online survey of more than 1100 people for what they claim is the first quantitative analysis of the difficulty of guessing four-digit banking PINs chosen by the cardholder.

The scientists' analysis of the data reveals that people take choosing their PINs seriously and what they pick is generally stronger and less likely to be replicated than other passwords.

However, if the victim chose their own PIN and the bank has no blacklist, a thief can expect to correctly "jackpot" one in every eleven stolen cards before the card is blocked. This is largely down to the number of people who use their birth date - a piece of information often carried in wallets and so available to a pickpocket.

Banks that do blacklist common numbers, such as 1111 and 1234, reduce the chances of the number being cracked to one in every 18. If thieves do not have the victims' birth date, blacklisting the top 100 PINs reduces the guessing rate for a thief substantially, bringing it down to just 0.2%.

Anderson told the New York Times that Bank of America and Wells Fargo in the US and Lloyds and the Co-op in Britain do not have blacklists, letting customers choose 'dumb' PINs and so heightening their risk.

"We advise users not to use PINs based on a date of birth, and those banks which do not currently employ blacklists to immediately do so. Still, preventing birthday-based guessing requires a move away from customer-chosen PINs entirely," concludes the paper.
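As an added illustration of the two mitigations the article discusses (a selection-time blacklist and rejecting date-derived PINs), the Python below is example code written for this page; it is not code from the article, the Cambridge paper, or any bank. It implements a PIN policy check and a calculator for how often a guessing attacker succeeds against a population of PINs, with and without a blacklist. The blacklist contents, the set of date-derived forms (DDMM, MMDD, YYYY, DDYY, MMYY, YYMM), the 1900-2016 year range, the assumption that displaced cardholders pick uniformly from the allowed PINs, and the sample distribution are all constructed assumptions for this example, not figures from the paper.

```python
"""Added example: PIN policy check and guessing-rate calculator.

Not code from the article, the Cambridge paper, or any bank; all lists and
numbers below are constructed for illustration.
"""
from datetime import date
from itertools import product
from typing import Dict, Optional, Set

# Every four-digit PIN, "0000" .. "9999".
ALL_PINS = ["".join(d) for d in product("0123456789", repeat=4)]

# Constructed blacklist: a handful of the patterns the article mentions.
# It stands in for the paper's top-100 list, which is not reproduced here.
COMMON_PINS: Set[str] = {"1111", "1234", "0000", "1212", "4321", "2580"}


def _is_calendar_date(day: int, month: int) -> bool:
    """True if day/month is a real calendar date (leap year, so 29 Feb counts)."""
    try:
        date(2000, month, day)
        return True
    except ValueError:
        return False


def date_forms(birthdate: date) -> Set[str]:
    """Four-digit strings a cardholder might derive from a date of birth.
    Assumed forms: DDMM, MMDD, YYYY, DDYY, MMYY, YYMM."""
    d, m, y = birthdate.day, birthdate.month, birthdate.year
    dd, mm, yy, yyyy = f"{d:02d}", f"{m:02d}", f"{y % 100:02d}", f"{y:04d}"
    return {dd + mm, mm + dd, yyyy, dd + yy, mm + yy, yy + mm}


def looks_like_date(pin: str) -> bool:
    """True if the PIN reads as DDMM, MMDD, or a year in 1900-2016
    (the year range is an assumption chosen for this example)."""
    a, b = int(pin[:2]), int(pin[2:])
    if _is_calendar_date(a, b) or _is_calendar_date(b, a):
        return True
    return 1900 <= int(pin) <= 2016


def check_pin(pin: str, birthdate: Optional[date] = None) -> Optional[str]:
    """Selection-time policy: return a rejection reason, or None if accepted.
    The bank knows the cardholder's date of birth, so it can reject PINs
    derived from it directly; date-like PINs in general are also rejected
    because they are guessable even without the birth date."""
    if len(pin) != 4 or not pin.isdigit():
        return "must be exactly four digits"
    if pin in COMMON_PINS:
        return "on the common-PIN blacklist"
    if len(set(pin)) == 1:
        return "repeated digit"
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "ascending or descending run"
    if birthdate is not None and pin in date_forms(birthdate):
        return "derived from the cardholder's date of birth"
    if looks_like_date(pin):
        return "reads as a calendar date"
    return None


def constructed_distribution() -> Dict[str, float]:
    """Made-up population: 10% choose 1234, 6% choose 1111, 2% choose 0000,
    and the remaining 82% is spread evenly over every other PIN."""
    skew = {"1234": 0.10, "1111": 0.06, "0000": 0.02}
    rest = (1.0 - sum(skew.values())) / (len(ALL_PINS) - len(skew))
    return {p: skew.get(p, rest) for p in ALL_PINS}


def guessing_success_rate(distribution: Dict[str, float],
                          blacklist: Set[str], guesses: int) -> float:
    """Probability that an attacker who knows the population's PIN
    distribution hits a card's PIN within `guesses` attempts, when the
    bank rejects blacklisted PINs at selection time.
    Assumption: cardholders who would have chosen a blacklisted PIN
    instead pick uniformly from the allowed PINs."""
    allowed = [p for p in ALL_PINS if p not in blacklist]
    displaced = sum(pr for p, pr in distribution.items() if p in blacklist)
    spread = displaced / len(allowed)
    adjusted = {p: distribution.get(p, 0.0) + spread for p in allowed}
    # The attacker's best strategy is to try the most popular allowed PINs.
    best = sorted(adjusted.values(), reverse=True)[:guesses]
    return sum(best)


if __name__ == "__main__":
    dist = constructed_distribution()
    print("no blacklist, 3 guesses:", guessing_success_rate(dist, set(), 3))
    print("blacklist,    3 guesses:",
          guessing_success_rate(dist, {"1234", "1111", "0000"}, 3))
    for candidate in ("1234", "7777", "0712", "2468"):
        print(candidate, "->", check_pin(candidate, date(1985, 7, 12)))
```

With the constructed distribution, three guesses succeed 18% of the time when nothing is blacklisted and about 0.03% once the three popular PINs are rejected at selection time, which is the shape of the effect the article reports, not its numbers. The date-based rejection illustrates the paper's caveat: a blacklist alone cannot stop birthday guessing, because the weak PIN is different for every cardholder.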

You can read a blog on the research from Joseph Bonneau here and the full paper here.


Comments: (1)

Keith Richbell - eftpos Payments Australia Ltd. (ePAL) - Sydney | 23 February, 2012, 21:58

This is about as helpful as being told "the sky is blue and the sea is green". Shame Cambridge University can't find something more important to waste their time and money on.
