A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7397)


We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.


Input Function Birth Date Payment Card Account Number Graphical Password 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    EMV Integrated Circuit Card Standard for Payment Systems version 4.2. EMVco (2008)Google Scholar
  2. 2.
    Issuer PIN Security Guidelines. Technical report, VISA (November 2010)Google Scholar
  3. 3.
    ISO 9564:2011 Financial services – Personal Identification Number (PIN) management and security. International Organisation for Standardisation (2011)Google Scholar
  4. 4.
    Bátiz-Lazo, B., Reid, R.J.: The Development of Cash-Dispensing Technology in the UK. IEEE Annals of the History of Computing 33, 32–45 (2011)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Bond, M., Zieliński, P.: Decimalisation table attacks for PIN cracking. Technical Report UCAM-CL-TR-560, University of Cambridge (January 2003)Google Scholar
  6. 6.
    Bonneau, J., Just, M., Matthews, G.: What’s in a Name? Evaluating Statistical Attacks against Personal Knowledge Questions. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 98–113. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Boztas, S.: Entropies, Guessing, and Cryptography. Technical Report 6, Department of Mathematics, Royal Melbourne Institute of Technology (1999)Google Scholar
  8. 8.
    Burr, W.E., Dodson, D.F., Polk, W.T.: Electronic Authentication Guideline. NIST Special Publication 800-63 (April 2006)Google Scholar
  9. 9.
    Cachin, C.: Entropy measures and unconditional security in cryptography. PhD thesis, ETH Zürich (1997)Google Scholar
  10. 10.
    Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Florêncio, D., Herley, C.: A large-scale study of web password habits. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM, New York (2007)CrossRefGoogle Scholar
  12. 12.
    Ivan, A., Goodfellow, J.: Improvements in or relating to Customer-Operated Dispensing Systems. UK Patent #GB1197183 (1966)Google Scholar
  13. 13.
    Kuhn, M.: Probability Theory for Pickpockets—ec-PIN Guessing. Technical report, Purdue University (1997)Google Scholar
  14. 14.
    Massey, J.L.: Guessing and Entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory, p. 204 (1994)Google Scholar
  15. 15.
    Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)CrossRefGoogle Scholar
  16. 16.
    Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: IEEE Symposium on Security and Privacy, pp. 433–446 (2010)Google Scholar
  17. 17.
    Pliam, J.O.: On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 67–79. Springer, Heidelberg (2000)Google Scholar
  18. 18.
    Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., Furlong, M.: Password Sharing: Implications for Security Design Based on Social Practice. In: CHI 2007: Proceedings of the SIGCHI Conference on Human factors in Computing Systems, pp. 895–904. ACM, New York (2007)CrossRefGoogle Scholar
  19. 19.
    Spafford, E.: Observations on Reusable Password Choices. In: Proceedings of the 3rd USENIX Security Workshop (1992)Google Scholar
  20. 20.
    van Oorschot, P.C., Thorpe, J.: On Predictive Models and User-Drawn Graphical Passwords. ACM Trans. Inf. Syst. Secur. 10(4), 1–33 (2008)CrossRefGoogle Scholar
  21. 21.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 162–175. ACM, New York (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  1. 1.Computer LaboratoryUniversity of CambridgeUK

Personalised recommendations