Tomcat

Cambridge University researchers Sören Preibusch and Ross Anderson have filled this gap by publishing the world's first quantitative analysis of how hard it is to guess a 4-digit bank PIN.
Using password leaks from non-bank sources and online surveys, the researchers found that users take the choice of a PIN much more seriously than the choice of a website password: most codes look like an almost random set of digits. However, the data also contain simple combinations and birthdays, so with some luck an attacker can simply guess the code.
The starting point of the study was the set of 4-digit password sequences from the RockYou database (1.7 million) and a database of 200 thousand PIN codes from an iPhone screen-lock app (provided by its developer, Daniel Amitay). Graphs built from this data show clear patterns: dates, years, repeated digits, and even PINs ending in 69. Based on these observations, the researchers built a linear regression model that estimates the popularity of each PIN from 25 factors, such as whether the code is a DDMM date, whether it is an ascending sequence, and so on. 79% and 93% of the PINs in the two sets match at least one of these factors.

So users choose 4-digit codes based on just a few simple factors. If bank PINs were chosen this way, 8-9% of them could be guessed in just three attempts! But, of course, people are much more careful with bank codes. In the absence of any large set of real banking data, the researchers surveyed more than 1,300 people to assess how real bank PINs differ from the codes already analysed. For obvious reasons, respondents were not asked for the codes themselves, only whether the code matched any of the factors above (ascending sequence, DDMM format, etc.).
It turned out that people really do choose their bank PINs much more carefully. About a quarter of respondents use a random PIN generated by the bank. More than a third choose their PIN from an old phone number, student ID number, or another set of digits that looks random. Overall, 64% of cardholders use a pseudo-random PIN, far more than the 23-27% seen in the non-bank datasets. Another 5% use a digit pattern (e.g. 4545), and 9% prefer a keyboard pattern (e.g. 2684). On the whole, an attacker with six attempts (three at an ATM and three at a payment terminal) has less than a 2% chance of guessing the PIN of someone else's card.
Factor | Example | RockYou (%) | iPhone (%) | Survey (%) |
---|---|---|---|---|
Dates | | | | |
DDMM | 2311 | 5.26 | 1.38 | 3.07 |
DMYY | 3876 | 9.26 | 6.46 | 5.54 |
MMDD | 1123 | 10.00 | 9.35 | 3.66 |
MMYY | 0683 | 0.67 | 0.20 | 0.94 |
YYYY | 1984 | 33.39 | 7.12 | 4.95 |
Total (dates) | | 58.57 | 24.51 | 22.76 |
Keyboard pattern | | | | |
adjacent | 6351 | 1.52 | 4.99 | — |
square | 1425 | 0.01 | 0.58 | — |
angles | 9713 | 0.19 | 1.06 | — |
cross | 8246 | 0.17 | 0.88 | — |
diagonal line | 1590 | 0.10 | 1.36 | — |
horizontal line | 5987 | 0.34 | 1.42 | — |
word | 5683 | 0.70 | 8.39 | — |
vertical line | 8520 | 0.06 | 4.28 | — |
Total (keyboard patterns) | | 3.09 | 22.97 | 8.96 |
Digit pattern | | | | |
ends with 69 | 6869 | 0.35 | 0.57 | — |
only digits 0-3 | 2000 | 3.49 | 2.72 | — |
only digits 0-6 | 5155 | 4.66 | 5.96 | — |
repeating pairs | 2525 | 2.31 | 4.11 | — |
same digits | 6666 | 0.40 | 6.67 | — |
descending sequence | 3210 | 0.13 | 0.29 | — |
ascending sequence | 4567 | 3.83 | 4.52 | — |
Total (digit patterns) | | 15.16 | 24.85 | 4.60 |
Random set of digits | | 23.17 | 27.67 | 63.68 |
Everything would be fine, but unfortunately a significant share of respondents (23%) choose a PIN in the form of a date, and almost a third of those use their date of birth. This changes the picture considerably, because almost all (99%) respondents said they keep identification documents with that date printed on them in the same wallet as their bank cards. If an attacker knows the cardholder's birthday, then with a sensible guessing strategy the probability of guessing the PIN rises to 9%.
As a remedy, the authors suggest that banks block the 100 most popular PINs; overall this would cut the probability of a successful guess to 0.2%.
The 100 most popular PIN codes:
0000, 0101–0103, 0110, 0111, 0123, 0202, 0303, 0404, 0505, 0606, 0707, 0808, 0909, 1010, 1101–1103, 1110–1112, 1123, 1203, 1210–1212, 1234, 1956–2015, 2222, 2229, 2580, 3333, 4444, 5252, 5683, 6666, 7465, 7667.
P.S. In practice, of course, it is much easier for an attacker to shoulder-surf your PIN than to guess it. But you can protect yourself from prying eyes too, even in a seemingly hopeless situation: