
A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Conference paper
Financial Cryptography and Data Security (FC 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7397)

Abstract

We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
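The abstract recommends a denied PIN list and notes that such a list cannot cover guesses made from a known birth date. The following is an added example, not code from the paper or its authors: a per-customer PIN-selection check that combines a constructed static denied list (the abstract names only 1234; the other entries and the structural rules are assumptions) with a check against the cardholder's own date of birth, using an assumed set of seven birth-date layouts. It also computes how much of the 10,000-PIN space a single global list would have to deny to block every birth-date-derived PIN under those same assumed layouts, which is the arithmetic behind the abstract's point that blacklists cannot mitigate this class of guessing.

```python
from datetime import date
from typing import Optional, Tuple

# Constructed denied list. "1234" is the weak PIN the abstract names; "2580" (the
# centre column of a keypad) is an assumed example entry, not a figure from the paper.
STATIC_DENYLIST = {"1234", "2580"}


def is_repeated(pin: str) -> bool:
    """All four digits identical (0000, 7777, ...)."""
    return len(set(pin)) == 1


def is_sequence(pin: str) -> bool:
    """Strictly ascending or descending run with step 1 (3456, 9876, ...), no wrap-around."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def dob_derived_pins(dob: date) -> set:
    """Four-digit strings that can be read directly off a birth date.

    The seven layouts (DDMM, MMDD, YYYY, YYMM, MMYY, DDYY, YYDD) are an assumption
    made for this example; the paper's own model is not reproduced here.
    """
    dd = f"{dob.day:02d}"
    mm = f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, yy + mm, mm + yy, dd + yy, yy + dd}


def check_pin(pin: str, dob: Optional[date] = None) -> Tuple[bool, str]:
    """Decide whether a customer-chosen PIN is acceptable; returns (accepted, reason).

    Checks run from cheapest to most specific; the birth-date check is per customer,
    so it only needs the issuer's own record of the cardholder's date of birth.
    """
    if not (len(pin) == 4 and pin.isdigit()):
        return False, "must be exactly four digits"
    if pin in STATIC_DENYLIST:
        return False, "on denied list"
    if is_repeated(pin):
        return False, "repeated digit"
    if is_sequence(pin):
        return False, "digit sequence"
    if dob is not None and pin in dob_derived_pins(dob):
        return False, "derived from date of birth"
    return True, "ok"


def global_dob_denylist(years=range(1900, 2000)) -> set:
    """Union of birth-date-derived PINs over every calendar date in the given years.

    This is what a single global denied list would have to contain to block the
    birth-date guess for every possible cardholder, using the assumed layouts above.
    """
    pins = set()
    for year in years:
        for month in range(1, 13):
            for day in range(1, 32):
                try:
                    pins |= dob_derived_pins(date(year, month, day))
                except ValueError:  # no such day in this month
                    continue
    return pins


if __name__ == "__main__":
    # Constructed sample inputs.
    customer_dob = date(1985, 8, 15)
    for candidate in ["1234", "7777", "3456", "1508", "1985", "4927"]:
        print(candidate, check_pin(candidate, customer_dob))
    blocked = len(global_dob_denylist())
    print(f"global birth-date denylist would cover {blocked} of 10000 PINs")
```

With the assumed layouts, the per-customer check rejects at most seven PINs for any one cardholder, while the global list would have to deny 5239 of the 10,000 possible PINs, more than half the space. That asymmetry is why a check against the customer's own birth date is cheap, while a static blacklist either leaves birth-date guesses open or rejects most of the PINs customers might choose.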




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

Bonneau, J., Preibusch, S., Anderson, R. (2012). A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_3

  • DOI: https://doi.org/10.1007/978-3-642-32946-3_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32945-6

  • Online ISBN: 978-3-642-32946-3
