Skip to main content

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7397)

Abstract

We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

Keywords

  • Input Function
  • Birth Date
  • Payment Card
  • Account Number
  • Graphical Password

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (Canada)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. EMV Integrated Circuit Card Standard for Payment Systems version 4.2. EMVco (2008)

    Google Scholar 

  2. Issuer PIN Security Guidelines. Technical report, VISA (November 2010)

    Google Scholar 

  3. ISO 9564:2011 Financial services – Personal Identification Number (PIN) management and security. International Organisation for Standardisation (2011)

    Google Scholar 

  4. Bátiz-Lazo, B., Reid, R.J.: The Development of Cash-Dispensing Technology in the UK. IEEE Annals of the History of Computing 33, 32–45 (2011)

    CrossRef  MathSciNet  Google Scholar 

  5. Bond, M., Zieliński, P.: Decimalisation table attacks for PIN cracking. Technical Report UCAM-CL-TR-560, University of Cambridge (January 2003)

    Google Scholar 

  6. Bonneau, J., Just, M., Matthews, G.: What’s in a Name? Evaluating Statistical Attacks against Personal Knowledge Questions. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 98–113. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  7. Boztas, S.: Entropies, Guessing, and Cryptography. Technical Report 6, Department of Mathematics, Royal Melbourne Institute of Technology (1999)

    Google Scholar 

  8. Burr, W.E., Dodson, D.F., Polk, W.T.: Electronic Authentication Guideline. NIST Special Publication 800-63 (April 2006)

    Google Scholar 

  9. Cachin, C.: Entropy measures and unconditional security in cryptography. PhD thesis, ETH Zürich (1997)

    Google Scholar 

  10. Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  11. Florêncio, D., Herley, C.: A large-scale study of web password habits. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM, New York (2007)

    CrossRef  Google Scholar 

  12. Ivan, A., Goodfellow, J.: Improvements in or relating to Customer-Operated Dispensing Systems. UK Patent #GB1197183 (1966)

    Google Scholar 

  13. Kuhn, M.: Probability Theory for Pickpockets—ec-PIN Guessing. Technical report, Purdue University (1997)

    Google Scholar 

  14. Massey, J.L.: Guessing and Entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory, p. 204 (1994)

    Google Scholar 

  15. Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)

    CrossRef  Google Scholar 

  16. Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: IEEE Symposium on Security and Privacy, pp. 433–446 (2010)

    Google Scholar 

  17. Pliam, J.O.: On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 67–79. Springer, Heidelberg (2000)

    Google Scholar 

  18. Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., Furlong, M.: Password Sharing: Implications for Security Design Based on Social Practice. In: CHI 2007: Proceedings of the SIGCHI Conference on Human factors in Computing Systems, pp. 895–904. ACM, New York (2007)

    CrossRef  Google Scholar 

  19. Spafford, E.: Observations on Reusable Password Choices. In: Proceedings of the 3rd USENIX Security Workshop (1992)

    Google Scholar 

  20. van Oorschot, P.C., Thorpe, J.: On Predictive Models and User-Drawn Graphical Passwords. ACM Trans. Inf. Syst. Secur. 10(4), 1–33 (2008)

    CrossRef  Google Scholar 

  21. Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 162–175. ACM, New York (2010)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bonneau, J., Preibusch, S., Anderson, R. (2012). A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-32946-3_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32945-6

  • Online ISBN: 978-3-642-32946-3

  • eBook Packages: Computer ScienceComputer Science (R0)