back to article Crap PINs give wallet thieves 1-in-11 jackpot shot

Four-digit banking PINs are almost as insecure as website passwords, according to a study by Cambridge University computer scientists. The first-ever quantitative analysis of the difficulty of guessing four-digit banking PINs estimates the widespread practice of using a date of birth as a PIN code and other factor means that …

COMMENTS

This topic is closed for new posts.
  1. Anomalous Cowturd
    FAIL

    Simple solution...

    Allow for PINs longer than four digits. Better still, insist on them!

    Cheques to the usual address please Mr. Banker.

    1. deshepherd

      Re: Simple solution...

      Problem is that 4 digit PINs are deeply entrenched into the system ... you'd need to make changes to terminals etc worldwide to cope with the change (for example virtually all UK ATMs wait for 4 key presses for PIN entry). I lived for a time in the US at end of 90s and there you could have a longer PIN number on cards .... but every so often you'd read a travel article that would warn readers that before travelling to Europe they should change their PIN to a 4 digit number as otherwise they could find they were unable to use their cards when European card readers assumed a 4 digit pin.

      1. DrXym

        Re: Re: Simple solution...

        "Problem is that 4 digit PINs are deeply entrenched into the system ... "

        As Google recently found out with their NFC stuff. I guess much of the existing EPOS infrastructure simply can't cope with any other form of authentication.

        I have a feeling that if the 4 digit pin did change on point of sale that people would freak out if it required them to memorise more digits and probably wouldn't make any extra effort to choose a secure pin, e.g. they'd use their date of birth in a 6 digit form instead.

        The workaround is for banks to refuse to change a pin to a value which is formed from obvious permutations of their age or birthday to reduce the chances of it being guessable.

        Longer term maybe they should permit pins of any length, and perhaps a fingerprint reader next to the pin pad. Finger prints would have to be optional (since many credit cards are issued by post, company cards etc), but I assume if the option were there that many institutions would support it.

      2. Chemist

        Re: Re: Simple solution...

        ISO9564

        "The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also notes that not all systems support entry of PINs longer than six digits."

        Certainly my Swiss UBS card is 6 digits ( and I think could be longer ).

        I thought UK ATMs let you enter digits and then press <enter> rather than accepting a fixed number of presses.

        1. It'sa Mea... Mario

          Re: Re: Re: Simple solution... (ISO9564)

          "I thought UK ATMs let you enter digits and then press <enter> rather than accepting a fixed number of presses."

          Only some of them.

      3. Anonymous Coward
        Anonymous Coward

        Re: Re: Simple solution...

        I find that the 6-digit PINs I'm given here in Switzerland work in all UK ATMs and outlets, except for Clydesdale Bank cash machines in Scotland - most annoying.

        6 digits are as easy to remember as 4, though I suppose that doesn't necessarily get round the 'date of birth' problem. I don't know why the UK went with 4 in the first place. Are you allowed to change your PIN to a 6 digit one in the UK? Try it and see.

        1. Tom 35

          Re: Re: Re: Simple solution...

          My bank in Canada used to require 4 digit but just over a year ago switched to 4-6 digits. You can still have 4 if you want, or use 5 or 6 for better security.

    2. Ken Hagan Gold badge

      Re: Simple solution...

      Ignoring the technical feasibility for a moment, the sort of people who currently use their birthday will simply *write down* a longer PIN and keep the piece of paper in their wallet. Therefore, this will make the system less secure. Don't hold your breath for those cheques.

      The suggestions in the paper are reasonable. At the very least, persuading people to use someone else's birthday would at least make it less likely that their wallet contained their PIN written down on another document.

      Another useful suggestion might be for the banks to send a summary of these findings to their customers, rather than the usual vacuous warnings about keeping your PIN safe. If more people understood that using their own birthday meant they had a 1 in 11 chance of losing all their money, perhaps fewer of them would do it. They could also mention that 1 in 11 is about a million times more likely than winning the lottery.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: Simple solution...

        I agree with what you're saying but for those who use their own birthday as a PIN and keep details of their birthday in their wallet then the risk is pretty much 100%, not 1 in 11.

        For those who don't use their birthday then the risk is almost zero - the 1 in 11 chance is what the thief can expect when they nick a purse/wallet with a bank card and details of the owner's DOB i.e. 1 in 11 people use tehir DOB as their PIN.

      2. Anonymous Coward
        Anonymous Coward

        Re: Re: Simple solution...

        "They could also mention that 1 in 11 is about a million times more likely than winning the lottery."

        I reckon you might as well tell them 1 in eleventy-twelve! I mean, speaking as someone who has never done the lottery, I'd suggest the fact _they_ do demonstrates mathematically-speaking their brains are just floating up there on a fluffy cloud in the sunlight, way above the weather down here, eating marshmallows with Rocky and Bullwinkle perhaps (or anyway with the mental age equivalent to my real age when I had that annual! You know, when The Cat in the Hat seemed like a real person).

        1. Imsimil Berati-Lahn
          Childcatcher

          Waaaaah! :'(

          Cat in the hat _IS_ a real person. <sniff>

      3. 5.antiago

        Re: Re: Simple solution...

        @ Ken Hagan

        "Therefore, this will make the system less secure."

        No it won't. The core idea is that instead of everyone having 4 digits, people can choose different lengths. This adds a whole extra layer to the guessing game, making it more secure overall given the limited number of wrong guesses allowed before the game's up

        It could take loads more guesses just to get to one you already knew was based on your target's birthday; e.g 2nd February 1985 could become 02021985, 020285, 2285, 02285,20285, 0221985 etc etc, you get the idea.

      4. Anonymous Coward
        Anonymous Coward

        Re: Re: Simple solution...

        "At the very least, persuading people to use someone else's birthday would at least make it less likely that their wallet contained their PIN written down on another document."

        To add to that, the banks already know our DOB and the combinations it can be entered into a 4 digit pin is few: DDMM MMYY DDYY YYDD etc. etc. so why can't the banks check for this when the pin is being changed and say "Oi ... You ... Noooo, birthdays are NOT pins".

        Same with phone numbers etc.

    3. amanfromearth

      Re: Simple solution...

      Yay !

      WIth a 6 digit PIN I can have the Year, Month and day of my birthday. You are right - it is a big step forward.

    4. Nick Kew

      Solved (Re: Simple solution...)

      When I lived in Italy in the '90s I grew accustomed to their cards, with five-digit PINs.

      Clearly the UK four digits is not a universal standard, nor the only option supported by current or old technology.

    5. Andy Fletcher

      Re: Simple solution...

      I love it. A solution described as simple, when it in fact makes things more complicated. Do you work in local government?

    6. Anonymous Coward
      Anonymous Coward

      Re: Simple solution...

      My UK business bank card has a five digit PIN.

    7. Tom 13
      Coat

      Re: Simple solution...

      I would have thought the simple British solution would be to include a Bobbie with every PIN, thus also solving the unemployment problem.

  2. friedegg03
    Trollface

    In case I ever lost my wallet or had someone 'lose' it on my behalf, I used to leave a small piece of paper with 4 random numbers written on it...

    1. This post has been deleted by its author

    2. IR

      I've done that for years.

      Especially good if you make two of the numbers easy to read as other numbers: 6/0 and 1/7.

      They'll blow through the combinations before they spend a penny.

      1. Anonymous Coward
        Anonymous Coward

        Unless your card has one of those lovely little fraud friendly NFC chips that allow you to empty an account in £15 chunks :)

  3. Purlieu

    ATM's

    It's 10 tries on an ATM

    1. Annihilator

      Re: ATM's

      Don't know which country you're from, but in the UK it's most definitely 3, and not per session either.

      1. amanfromearth

        Re: Re: ATM's

        >> 10 tries

        Only in base 3

  4. brooxta
    FAIL

    Bogus research

    Anyone with an ounce of nous on security issues can see why the researchers should expect to be supplied with false responses from the people surveyed.

    1. 5.antiago

      Re: Bogus research

      Can you explain your reasoning?

      1. brooxta

        Re: Re: Bogus research

        As a bank card user I want to protect my PIN and keep my money safe. If I can make it hard to get to my money while giving the impression that it would be quite easy then that is to my advantage.

        If I have the chance to influence the results of a report from Cambridge that are likely to get reported more widely I would have a strong incentive to answer many questions indicating a low PIN strength/security.

        It lulls crooks into trying the easy option and failing, a little bit similar to the piece of paper in the wallet (described in a comment above) with false 4 digit PINs on it.

        1. Alexandicity

          Re: Re: Re: Bogus research

          While I get your point about people wanting to mislead the crooks via the study, they'd probably want to do it the other way around. They'd want to deter the crooks by indicating that the PINs are hard to guess while actually using very guessable codes. It is not to the general public's advantage, as I see it, to tell potential thieves and muggers that a code is easily breakable (even if it's not).

          But this all assumes that the majority of the respondents are that cunning and think in detail about security when answering questionnaires. I didn't read it, but I assume the study also had some manner of consideration of incorrect responses..?

  5. MontyMole

    Only certain types of date of bitth work as a pin.

    If it's ddmm then only Oct, Nov & Dec with the day >=10 work.

    If it's dmyy then only Jan-Sept with day <= 9 work.

    How does everyone else with a birthday that doesn't fit those parameters decide what to put in their pin?

    1. Annihilator
      WTF?

      If only there were a valueless digit that could be inserted in front of a single digit day or month...

      1. This post has been deleted by its author

    2. Blue eyed boy
      Happy

      > How does everyone else with a birthday that doesn't fit those parameters decide what to

      > put in their pin?

      My birthday (247XX) does not fit the pattern unless (as suggested upthread) longer PINs were permitted. I use a favourite number, one which has entered my life in quite a few contexts already, so why not add one more context? Naturally it's unrelated to my date of birth or any other "obvious" numerical parameter.

      And my list of favourite numbers includes one that is 11 digits long so enhanced PIN's wouldn't be a problem

    3. Nuke
      Headmaster

      Months in Hex

      I write the date in yy-m-dd format with the month in Hex when it is for my own reference. By good luck "a" (October) is the initial of "autumn", "b" (November) is for "bonfire" and "c" (December) is for "Chistmas".

      Eg I use it in some file names and it puts them in date order, like :-

      letter_11'a'24.odf [2011, October 24th]

      letter_11'b'07.odf [2011, November 7th]

      letter_12'1'17.odf [2012, January 17th]

      It might catch on .....

      1. Wombling_Free
        Trollface

        Re: Months in Hex

        Yep, it might, once they start putting ABCDE keys on ATM keypads.

        Seriously, most average Joes / Janes have enough trouble with complex machinery (lifts, escalators, doors, cutlery...) without making it any harder.

  6. Lee Dowling Silver badge

    Never understood the fuss. If you use the card often enough, the bank's PIN is more than enough to cater for and it is the only number you NEED to remember (and years ago, we were all memorising 5-10 phone numbers but we don't do that now). If you don't use your card that often, the only way is to write it somewhere (NOT WITH YOUR CARD!). Inconvenient, yes, but you also have to ask yourself why you're carrying around a card that you don't use and forget the PIN to. From a security point of view, that's probably worse than just leaving it in a safe at home.

    That said, I don't think I've ever heard of someone having their PIN guessed by a robber. Forced out of them, possibly. Card used on t'Internet, sure. Try a transaction in a store that lets you sign and is lax on CCTV, of course. But PIN's, in general, do their job. If you're stupid enough to write them on the card and/or use something that's quite obvious (year of birth), that's your tough luck.

    Longer PIN's? Almost all European countries accept them and the software change is entirely minimal BECAUSE almost all European countries, card manufacturers, banks, etc. already accept them. Why do you think you have to press the Enter button after the 4-digit PIN? To tell the machine you're finished. I've seen people type 6-digit PIN's into UK machines without a problem, but maybe it depends on the bank.

    We should all follow Joey-from-Friend's example - scratch the number on the ATM... :-)

    1. Anonymous Coward
      Anonymous Coward

      Maybe for Derren Brown

      Memorising PINs is fine for 1 or 2 cards, but not if you have 4 credit cards (various cashback/international charging deals) and 5 bank accounts (personal and company).

      And no I don't share a single PIN across the all, I used a specific combination of the numbers on the front, with an additional fix number added on to one of them. Guess that thieving twats!

      Tbh though, if people use stupid numbers then take their cash! Education, not longer PINs, is the key.

  7. Michael H.F. Wilkinson Silver badge

    5 digit PINs are being introduced here

    I would have no problems remembering 5 digit or longer ones.

    Regarding blacklisting, given that your bank knows your date of birth, surely they could forbid you to use a number derived from that date? That would not prevent you from using your wife's, or kids birthday, but those are not printed on your ID, as a rule, so at least some security is added.

  8. Old Tom
    Stop

    You carry your birth date around with you?

    "over 99 per cent of customers reported that their birth date is listed somewhere in the wallet or purse where they keep their cards"

    That has to be one of the most bollox statistics ever.

    1. alain williams Silver badge

      Re: You carry your birth date around with you?

      Like many people I carry my driver's license around with me (the plastic card one). So I am one of the 99%.

    2. Justicesays

      Re: You carry your birth date around with you?

      Driving license photocards probably, although I don't carry mine around.

      Maybe the insistence of supermarkets age checking 92 and 72 year olds when they try to buy alcohol means more people carry a driving license/proof of age card?

      I would imagine a bigger issue is the fact that "Verified by visa" allows the use of your DOB to bypass the "password security" it claims to offer. So why bother guessing PINs?

      1. Danny 14
        Thumb Up

        Re: Re: You carry your birth date around with you?

        good for you, some of us do actually look younger than 25 and regularly get asked when buying alcohol. So a driving licence is a quick ID card.

      2. John Robson Silver badge
        WTF?

        You use verified by VISA???

        Why?

        It's a pointless, rarely used (and therefore regularly forgotten) password that can be reset using publicly available information.

        If any transaction ever shows up as VbV then I KNOW it's fraudulent - so does my bank, I have several communications with them where I state that.

        (Actually I have once used VbV - I was on the phone to my bank at the time, and they purged the registration straight away)

        1. NogginTheNog
          Thumb Down

          Re: You use verified by VISA???

          Not by choice! I HATE VbV, and the MasterCard equivalent, but my frikkin' banks now insist on it (the 'cancel' button is no longer there on the signup screen) :-(

          1. Steve Foster

            Re: Re: You use verified by VISA???

            The initial Cancel may have disappeared, but the sign-up process for FbV (no, that's not a typo!) requires you to "I agree..." (or something like that), so you can still escape from it without botching the purchase you're in the middle of making.

      3. Laie Techie

        Re: Re: You carry your birth date around with you?

        > Driving license photocards probably, although I don't carry mine around.

        Here in the US it's against the law to drive without your drivers license with you.

    3. Old Tom
      Mushroom

      Re: You carry your birth date around with you?

      OK, so as someone who never carries ID around with me, I'm in a minority of ElReg commentards.

      However, stats from the first 10 thumbs (1 up and 9 down) plus myself imply that - based on a sample of 11 commentards - a massive 82% carry their birthdate around in their wallet. Somewhat short of the claimed 99+%.

      1. Annihilator
        Boffin

        @Old Tom - dodgy maths :-)

        "However, stats from the first 10 thumbs (1 up and 9 down) plus myself imply that - based on a sample of 11 commentards - a massive 82% carry their birthdate around in their wallet. Somewhat short of the claimed 99+%."

        You can't make that correlation I'm afraid. All we know of the upvoter is that they agree with you that the 99% figure appears bollox, they may still carry a drivers licence (or young person's railcard, or NUS card, or passport, or bus pass, or library card - I'm sure there are more) but just doubt everyone does.

        Besides, they're not *claming* anything. They're simply stating what the responders put in a small sample of 1300 people - for all we know they sampled people at a service station on the M4.

    4. Nuke
      WTF?

      Re: You carry your birth date around with you?

      Why are people voting Old Tom down? I too cannot believe that 99% of the populace carry their DoB around with them. Maybe 75%. Driving licence? Much fewer than 99% of adults have driving licences.

      As the Reg crowd were so hysterically against ID Cards, it is ironic that they should consider it perfectly normal to carry a driving licence around, which is a de facto ID card.

      1. Ken Hagan Gold badge

        Re: the Reg crowd

        "As the Reg crowd were so hysterically against ID Cards, it is ironic that they should consider it perfectly normal to carry a driving licence around, which is a de facto ID card"

        Odd that you can remember how hysterical we were but you can't remember that it was the non-optional nature of the beast and its associated database that we were against.

        It's quite normal to carry cash around, but I'd be opposed to a law that made it compulsory. (I gather some countries do insist on this so that "citizens" can pay fines on-the-spot without any of that tedious "due process" stuff.)

        1. Alan Firminger

          ID card campaign and Lord Olivier

          Relevant is Laurence Olivier's campaign to restore smoked haddock to the breakfast menu on his train from Brighton to London. This involved every contact that he had, and most of them were famous.

          BR (the train operator that was) relented and restored smoked haddock to the menu. On the first day with haddock available Lord Olivier took his seat in the dining car and the waiter came to him with a broad grin, Olivier perused the menu and asked for scrambled egg. The waiter was shocked "But after this great campaign so you could have smoked haddock, why don't you want some?" Olivier replied "I never wanted smoked haddock, I wanted the <b><u>choice."

  9. Lockwood

    My Halifax card years back had some paper that said that you could use any PIN except 0000 and 9999.

    The downside to removing the top X guessable ones:

    0000,1111,....

    0123,1234,....

    9876,8765,....

    is that the number of available numbers diminishes. This gives marginally better odds for guessing.

    1. This post has been deleted by its author

    2. Wombling_Free

      other easy guessables...

      7854, 9856, 4521, 6523, 1452, 6325, 7412, 1236, 6987, 8741, 8521, 8523, 2587, 2589, 7456, 6541

      See the common link? (17 numbers there that LOOK random, but aren't)

      or.... 3141 or 1414 or 2718? Recognise them? Definitely not random!

      It looks like once you remove the easy guessable and common dates you will be left with the Sony Random Number(TM)(R)(C) which of course is "4", making everyone's PIN '0004'

      Why not use a hash of arbitrary length PINs? If I want to use the first 26 numbers of SQR(2) or PI, why can't I?

      (not that either of those is a good choice, mind you..)

  10. Colin Miller

    Block customer's own DoB?

    As the bank knows your DoB, surely they can check if your PIN is DD/MM, MM/YY or MM/DD for your DoB.

    However, the ATM back-end computer doesn't need your DoB - it's only on the initial anti-laundering part. They could do a batch-job running through all recently-changed PINs and asking the back-end if the PIN one of these 3 values, and then send a stern reminder to the customer not to be so silly.

  11. Anonymous Coward
    Anonymous Coward

    un-design

    Over here they recently "upgraded" the things so that now you have to hit "ok" after entering the four digits. Still doesn't allow for changing any pin, nevermind for a longer one.

    Personally I don't mind defaulting to four digits, it's hard enough for many already. I do mind enforcing that lowest common denominator as the standard. Could've specified right away that all machinery had to allow for, say, three-to-eight digit numbers, customer choosable. Could even make it so that the customer can only pick the PIN length, who in return will be provided with a randomly-generated pin of the right length sans that top-100. This sounds sensible to me, which probably is why I'm not a banker.

  12. technohead95

    Leave it as it is. It's a 4 digit number, it's not hard to create a completely random number and remember the 4 digit number. It takes less than 5 minutes of elapsed time over a few hours to commit it to long term memory. If some thief managed to get hold of my card, I would really appreciate that they use some of their limited attempts on simple pins like DOB and number patterns. I have no sympathy for people who choose to use simple PINs. If your birth year is 1965 then why not swap two of the digits around e.g. 5961. This creates a much more difficult PIN while still retaining an easy to remember number. There's lot of other things you can do with the DOB pins to make it harder mix the day and month digits so you have DMDM or MDMD or DMMD. Add in the last two digits of your year and you have tons of combinations that all create an easy to remember PIN without making it easy for someone who may have your card and your DOB. If you still want more varied range then add your last two digits of your house number with your DOB, mix two of your digits of your telephone number. You can even vary the PIN for each card you have by varying a single digit. The digit could be random or could be one of the digits on the card itself (e.g. the last digit of the long number or one of the digits on the 3 digit security verification number). I could be here all day coming up with ideas of how to vary the PIN in easy to understand ways.

    1. Tom Wood

      That's all very well

      until you have a card you don't use very often and forget which system you used to derive the PIN...

      1. NogginTheNog

        Re: That's all very well

        Not if you use the same system on all your cards? That's the idea behind it surely, you don't need to memorise any numbers, only the system you use to derive them?

  13. The Mole

    Choice...

    Did they ask the obvious question of how many people had actually chosen their pin and how many people just use the pin provided by their bank (which is effectively random)?

    1. Anonymous Coward
      Anonymous Coward

      Effectively random?

      Rather than "effectively random", I would certainly hope that the PIN provided by the bank is actually, you know, er... random?

      1. Evil Auditor Silver badge

        Re: Effectively random?

        no, it's certainly not random. The closest they come is pseudorandom, i.e. the pin is generated by some sort of algorithm which make it appear random.

      2. Steve Knox
        Boffin

        Re: Effectively random?

        There has yet to be a fully proven truly random number generator -- primarily because testing to prove a number sequence is truly random is practically impossible*. There are many which are theoretically random (such as hardware random number generators) but they are usually qwuite slow and used primarily to seed a faster pseudorandom number generator rather than to produce final output.

        As that is what most computing systems do, pseudorandom numbers from a generator seeded from a hardware random number generator are most likely the source of the PIN generated by your bank. Not truly random, but effectively random.

        * There are statistical tests for randomness, but deterministic processes such as pseudorandom number generators can fool such tests. That is to say, a pseudorandom number generator generates a sequence of numbers which appear statistically to be random, but come from a deterministic process, which is by definition not truly random.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Effectively random?

          FFS people, spare me the lectures on the fundamentals of pseudo-random number generators, the point was there actually is a well established way to generate robust random-as-in-impossible-to-predict numbers (cryptographically secure pseudo-RNG seeded by entropy from a physical source) and it's reasonable to expect that that's what the banks use.

          1. mr.K
            FAIL

            Re: Re: Re: Effectively random?

            Dude! Provided you are the same guy behind the Guy Fawkes mask as further above, you are the one bashing somebody else over what you perceive to be the correct phrase to use. When other people then argue that your nitpicking is actually wrong you do not get to complain about people nitpicking.

    2. Loyal Commenter Silver badge
      Facepalm

      Re: Choice...

      Did you read the article? I have to ask, because there is a big quote right in the middle, which forms about a third of the article, in bold text, starting with the words:

      "About a quarter stick with their bank-assigned random PIN"

    3. Iainn
      Mushroom

      Must read harder...

      It's in the article. In bold writing.

      "About a quarter stick with their bank-assigned random PIN"

    4. Alan Firminger

      "is effectively random"

      Yes, in this instance, the pseudo random number is effectively random provided the algorithm provides all possibilities. It has to be less the obvious numbers as already discussed. A typical bank will produce at least 10,000 cards each day so provided each cycle starts at a random point and they are allocated in the order requested the result is genuinely random.

  14. CT

    "repeated digits"

    The article mentions "repeated digits" as part of the "not-so-random" codes. Why? Surely random codes would occasionally* lead to repeated digits, and forbidding them would reduce still further the available pool of numbers.

    *someone with better stats than me can work out the frequency of occasionally.

    1. Steve Knox
      Boffin

      Re: "repeated digits"

      While random codes will occasionally lead to repeated digits (for a very simple example, any single digit repeated 4 times in a 4 digit PIN would statistically be expected to appear on average 10 times in 10,000), they would be expected to appear more often in self-selected PIN, because they're easy to come up with and to remember, and people often self-select for convenience.

      1. CT

        Re: Re: "repeated digits"

        yes, for 4 repeats, but what about only 2 repeats, abbc, acbb etc. That's a far bigger pool of PINs potentially eliminated. Perhaps the original article was referring to all 4 the same rather than just 2 repeats within a PIN, but I didn't read it like that.

    2. PatientOne

      Re: "repeated digits"

      Ok, 4 digits, 0-9, repeat digits allowed: 10000 combinations.

      4 digits, 0-9, no repeat digits: 5040 combinations.

      So about half as secure.

      It also suggests that the chance of getting a repeat digit is close to 50%

    3. Loyal Commenter Silver badge
      Boffin

      Re: "repeated digits"

      If my stats aren't too rusty:

      With a truly random number, The odds of two sequential digits (and only two) being the same are 27.9%, the odds of three sequential digits being the same are 1.9% and the odds of all four being the same are 0.1%

      You can quite easily work it out by considering the number of variations out of the 10000 possibilities, i.e. for each of ten possible values of the first digit, there is a one in ten possiblity of the second digit being the same, so 10% of all possible values, add on the percentages for the send and third digits being the same (also 10%), then the third and fourth (also 10%), gives 30% for two (or more) seqential digits.

      For three seqential digits, there are ten different values those digits can take, plus ten variations of the extra digit, i.e. 1 in 100. The extra digit can be either at the start or end, so there is a 2% chance of two (or more) digits being the same.

      There are exactly ten variations of four repeated digits, out of 10000 combinations, so 0.1%. To get the percentage of triple numbers not including all four being the same, take this off of the 2%, so 1.9% for two and only two repeated digits, and then take that off the 30% for double digits to get 27.9% for two and only two repeated digits.

      I'm sure there's an easier way to get those numbers. Any mathematicians out there?

      Interesting to note that statistically, more than a quarter of all pin numbers would have repeated digits if they are truly random. Anyone care to figure out the odds of two non-sequential digits being the same? I suspect it may even be more than 50%.

    4. Eaten Trifles
      Headmaster

      Re: "repeated digits"

      Out of 10000 possible four-digit numbers, 2710 contain at least one repeated (adjacent) digit.

  15. Tom Wood

    "The researchers modeled banking PIN selection using a combination of leaked data from non-banking sources"

    Don't know about people in general, but I use a "much more random" PIN for my bank cards than I do for a mobile phone unlock code, for instance.

    I wonder how many people use part of the card number as the PIN?

  16. Anonymous Coward
    Anonymous Coward

    PIN Encryption

    For my infrequently used cards I write the bank supplied default PIN on the rear of the card, but encrypt it by adding or subtracting another 4 digit number. Normally this is the last 4 digits of my phone number from 20 ish years ago - (4 relatively low value digits). I've always hoped that if someone steals my card, they will try the four digit number on the card directly a couple of times, then maybe reversed, then hey-presto it's locked out. Simples.

    of course, it would be more secure to use a 128 bit DES algorithm or a Nth power polynomial to encrypt it, but I would never be able to work that one out mentally, in a drunken stupor, when I need my taxi fare home.....

    1. The First Dave
      Linux

      Re: PIN Encryption

      A similar trick is to write down the PIN within a few other random digits - gives you enough of a reminder of which four digits are valid, while still hiding the purpose of the number and leaving several different schemes:

      9991234999999

      or

      919293949

      or

      999999432199

      where 9 is actually a random digit of course.

  17. Anonymous Coward
    Thumb Up

    Simple solution

    remove the ability to chose your own pin.

    If you don't have the ability to remember a 4 digit number then you shouldn't really be allowed to walk freely in society. If you have to write it down then accept the consequences when your wallet gets stolen.

    1. Tom Wood

      Re: Simple solution

      Remembering regularly-used numbers is easy.

      Remembering numbers for cards you might not use very often is less so. Many people might have several day-to-day cards plus others that they only use on holiday or on infrequent business trips or something...

  18. Jess--

    my pin for my main card is part of a phone number for where I used to live.

    however for someone to guess the number three things would have to happen.

    1. they know its part of a phone number

    2. they know the phone number that my parents had when I was 5 years old

    3. they know which part of the number I chose

    I would think that the odds of somebody guessing the number are around the same as their chances of getting it right by mashing their forehead against the number pad.

    of course the odds of somebody getting the number go up by a large margin if they ask nicely (while holding a knife etc)

    1. Vic

      > they know the phone number that my parents had when I was 5 years old

      My parents had a phone when I was 5 years old, but I couldn't have used just part of it.

      Even UK PINs require at least 4 digits...

      Vic.

      [Feeling kinda old tonight...]

      1. Jess--

        use the full number (area code and all) not just the three digit number for same exchange

        i.e.

        300 (same exchange)

        300300 (same area code)

        0327 300300 (outside area before the area code changes)

        01327 300300 (outside area since code changes)

        No the above number is not the number I use, If anyone calls it you should find it answered by some very friendly police in Daventry or Towcester.

  19. Anonymous Coward
    Anonymous Coward

    DoB = 6+ digits, PIN = 4 digits

    Date of birth is 6 digits, and you don't know which order is being used - some might use DDMMYY, others might use MMDDYY, geeks might use [YY]YYMMDD.

    PIN is 4 digits.

    The dodgy geezer has to pick the right format of DoB and then pick the right 4 digits from 6.

    Not so easy now?

    Or am I missing something?

    1. Steve Knox
      Boffin

      Re: DoB = 6+ digits, PIN = 4 digits

      There are 10,000 4-digit numbers, so if your PIN is truly random, there's a 1 in 10,000 chance of guessing it.

      However, if your PIN is 4 of the digits of your DOB, in a random order, there are significantly fewer combinations. Given that the numbers are known (since someone's DOB is relatively easy to find), and allowing for a 4-digit year, the criminal only has to choose an order. Allowing you to sort them in any order means the criminal has 8 choices for the 1st digit, 7 for the 2nd, 6 for the 3rd, and 5 for the 4th. This means 8*7*6*5 = 1,680 total choices instead of 10,000.

      So giving date of birth the best chance, it's still almost 6 times easier to crack than a random number (10,000 / 1,680 ) ~= 5.95

    2. Peter Jones 2

      Re: DoB = 6+ digits, PIN = 4 digits

      Most people will use MMYY or DDMM, so those are the first two I would try.

  20. Forget It
    FAIL

    5 digit PINS - abroard

    Beware of 5 digit PINS:

    Italian banks - give you one and don't let you change it.

    But as far as I've seen 1 or 2 digits are purposely repeated to make the PIN

    easier to remember - which obvious defeats part of the purpose.

    Beware also in some countries the only ATM you can find require a fixed

    length PIN to be entered either 4 and not 5 or 5 and not 4.

    So you can be denied access to cash abroad just by having the wrong length PIN!

  21. mark 63 Silver badge

    so the long and short of this story is that by possibly knowing your birthday the theives can reduce odds of

    10,000 : 1

    to

    10: 1 ???

    amazing

    1. Ken Hagan Gold badge

      Re: the long and short of this story

      Not by my reading it isn't. The reduction occurs because roughly 10% of people do both of (i) use their DoB as their PIN and (ii) carry this DoB elsewhere in their wallet. Therefore, a strategy of "use the DoB in the wallet" will succeed in 100% of those cases. Less amazing, and possibly not completely true, but (sadly) probably not completely false either.

  22. Stig2k

    Surely the simplest solution to the whole personal PIN number problem would be for researchers to calculate the most secure 4 digit sequence possible and then everybody uses that. I don't see how that could fail to work.

    1. GumboKing
      Coat

      Already sorted, the research shows that 1234 is the most secure.

      "That's the same code as I have on my luggage!"

  23. kbb

    Storage of PINs by the banks

    What interests me is that I can request a PIN *reminder* from my bank, not a PIN reset. Doesn't that mean they must be storing PINs in clear or reversible encryption rather than as a hash?

    1. Anonymous Coward
      Anonymous Coward

      Re: Storage of PINs by the banks

      pins aren't stored they are calculated in a HSM using your PAN and a derived Key, which I think is called the Pin Verification Key. your encyrpted PIN (in ATM transactions) is sent to your issuer with your PAN your issuer then can perform operations on the secret in the hsm to determine whether its is correct or not.

  24. Peter Jones 2
    Happy

    Here's what I use

    I have a personal UK debit card, 2 personal UK credit cards, a UK online banking access card, a Swiss debit card, a Swiss credit card and a Swiss online banking access card. All have PIN numbers, and I don't want to use the same number on them all. But I can't memorise 7 PINs plus all the other passwords I use every day. I use two cards frequently, and the others rarely. I can't be forgetting them when I'm abroad.

    So I use an algorithm for the cards that lets me carry the numbers in plain sight.

    4929 7014 5583 4826 <- Not my card

    The simplest algorithm could be to choose a block of four, but in common practice that is too vulnerable. Here are a few different ones that I could use

    One from each group = 4754

    First from first, second from second, etc = 4086

    Fourth from first, third from second, etc = 9154

    Two from the first group, two from the back = 12 combinations in each group, for 144 possible

    And so on. You can even use different algorithms for different types of cards, so in my example I can use one for debit cards and another for credit cards. Or one for UK and one for Swiss.

    The important thing is that you can simply remember the rules, and look at the card every time you use it. One rule for 7 cards means 7 PINs that are as random as anything the bank will generate, it is right in front of you and yet no-one will see it.

  25. spold Silver badge

    The problem is understated due to the fact that most people carry more than one card and most likely use the same PIN for each of them. So a thief has multiple opportunities to compromise the PIN (at which point all remaining cards in the wallet are compromised).

    One option is to use a common root PIN (say 3 digits or 5 digits depending on your PIN length) and then base the remaining digit (lets say make it the 3rd digit) card specific - e.g, base it on the CSV value printed on the card).

  26. Anonymous Coward
    Anonymous Coward

    YYYY

    I was hanging about a bus station once with the missus waiting for a bus. There were some lockers with a "choose your own 4 digit pin" style combination locks on them. Said to the missus, I bet I could open one of those. How so? she asks. Well, a lot of people are going to use their YOB. And a lot of long-distance bus users with baggage are going to be in their early twenties / late teens. So a fair few will be locked with '198x'. Some bloke came up, unlocked his locker and went off with his suitcase. I checked the lock - he'd used 198x.

    1. mark 63 Silver badge

      Re: YYYY

      too true

      Of the 2 numbers that have been shared with me for padlock combo's recently one was the current year , and the other was the the owners DOB , i think - she looked like a 1963 !

  27. b166er

    I've always used the bank assigned PIN, which seems random enough to me.

    Simple solution, give you a PIN and don't allow it to be changed.

  28. Anonymous Coward
    Anonymous Coward

    >"Approximately how often do you use your banking PIN to unlock a unicorn shed?"

    Hahaha sheer genius. "Several times a week", lol.

  29. Andus McCoatover
    Windows

    Here in Finland...

    it's a 4-digit number, allocated by the bank which I can't change. 3 wrong tries and the ATM swallows the card, blows the chip, or the shop cashier receives a message that she must retain it.

    Hard to remember?

    No - I write it on the back of the card, coded with an algorithm only I know (no, not inversion, shifting, etc. Much more evil) If I forget the number, I can always remember the algorithm, as it's the same for all 4 cards I own.

  30. Anonymous Coward
    Anonymous Coward

    weak PINs

    Actually, quite a few banking applications support rejection of weak PINs. However, not so many banks take advantage of the application support....

  31. RISC OS
    Joke

    Boldy steal cards where no man has stolen before

    If I was the stealing type, I would go to a start trek convention and lift a few wallets. Everyone there probably has 1701 as there PIN.

  32. pPPPP

    The solution is to lie about your date of birth when you get your driving licence. Then you can use your date of birth as your pin with confidence.

  33. Jolyon Smith

    Carrying ID... not always optional

    In NZ if you are driving and do not have your driver's license on you you risk being slapped with a $500 on the spot fine, e.g. if you get pulled over for speeding, or in a drink-drive spot check.

    I love reading about all the complicated schemes y'all have devised for hoodwinking the thieves. Especially the guy who has a pin for each card which is derived from the card numbers themselves plus some fiddle digit.

    Very clever. But what do you do if that algorithm throws out one of the easily guessed PIN's ?

    Complicated schemes for creating numbers is largely irrelevant to the guessability of the numbers even the most complex scheme produces (unless that scheme includes a mechanism for specifically excluding those guessable numbers).

    @ The Mole... spot on !

    As for remembering numbers, frequency of use is the key to that. I have no trouble remembering my PIN. I also have no trouble remembering the 16 digit card number, 4 digit expiry, specific "name on card" (I use different forms on different cards) and 3 digit CVV number of the TWO cards that I use most regularly for online purchases.

    4 digit PIN ? 6? 9? 12? meh - easy peasy.

  34. Spanners Silver badge
    Happy

    I use the Random one

    The first time I got a card for the "magic wall", the bank gave me a random number.. Memorising one set of 4 digits is as easy as another so I used it.

    Having a longer one might be good now.

  35. ratfox
    FAIL

    I had a 6-digits PIN on my creadit card since 1998

    Maybe the British industry should wake up a bit?

  36. Alan Firminger

    Error all the way down

    I, and all other others here, refer to 10,000 numbers being available.

    1 2 3

    4 5 6

    7 8 9

    9^4 = 6561

    Take away all the simple sequences and it is getting dangerously low.

    1. Vic

      Re: Error all the way down

      > 9^4 = 6561

      And 10^4 = 10000. What's your point?

      There are 10 digits on the PIN pad. There are 4 of those digits in (most of our) PINs. 10,000 combinations...

      Vic.

      1. Alan Firminger

        Re: Re: Error all the way down

        There are only nine digit buttons on an atm. Have I got to go a photograph one for you ? Or apologize ?

        1. Alan Firminger

          Re: Re: Re: Error all the way down

          You may well be right because we have to enter our full request for dosh with the same keys as perhaps 70.00 . I apologize now and will check on the street later.

          My thanks Paul

          1. Alan Firminger

            Sorry

            http://www.google.co.uk/search?tbm=isch&hl=en&source=hp&biw=1366&bih=680&q=atm+keypad&gbv=2&oq=atm+keypad&aq=f&aqi=g2g-m2g-S1g-mS1&aql=&gs_sm=3&gs_upl=3763l7295l0l9274l10l10l0l0l0l0l74l657l10l10l0

  37. This Side Up
    FAIL

    Re. Block customer's own DoB

    No, there are too many possible formats: ddmm, mmdd, dmyy, yyyy, yymd, mmyy, ... and you can't exclude all digits in the full DoB because there would be too few left. Then you have to think about telephone numbers, house numbers, children's/spouse's birthdays and so on. The more rules you impose the more numbers you exclude so the better chance of guessing correctly.

  38. Andrew Barratt

    Why not just insist less chance of failure.

    Everyone focuses on the Pin number, but why not just give someone 2 chances instead of 3. enter it incorrectly and card gets blocked.

    If they are daft enough to use a number associated with them #fail

    If they are daft enough to write number down # fail

    But if the ATMs were smart enough to slow the attacker down - 2 invalid attempts and the card gets blocked for 48 hrs. would be annoying enough to make it hard work.

    1. Vic

      Re: Why not just insist less chance of failure.

      > why not just give someone 2 chances instead of 3

      Not tried getting cash out when you're pissed, then?

      Vic.

      1. Andrew Barratt

        Re: Re: Why not just insist less chance of failure.

        of course :) certainly a good way to curb my vices!

        Always got mates with me though!

    2. Matthew 3

      Re: Why not just insist less chance of failure.

      Because the other week I had to use a supermarket's self-scanner chip-and-pin unit with one duff key. It was supplying two keypresses for each press (i.e. the PIN was being mis-entered even when the correct keys were pressed).

      It took two goes for me to realise that it was the device at fault rather than my typo. I gather that dozens of people locked out their PINs before the store thought to close that particular terminal.

  39. Anonymous Coward
    Anonymous Coward

    Hello? Is this where we type in our PIN number?

    8340

    How's that?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hello? Is this where we type in our PIN number?

      8th March 1940 by any chance?

      (or 3rd August if you're a septic, I suppose)

  40. Anonymous Coward
    Anonymous Coward

    My PIN used to be the date I first met my girlfriend,..

    then the b!tch dumped me and I get reminded of it each time I go to the cash machine.Fail!

  41. Zog The Undeniable

    Longer PINs are not a problem for ATMs

    UK ATMS have to accept PINs of up to 12 digits under VISA and Mastercard scheme rules. Some overseas banks do use longer ones, although 12 is a bit silly.

  42. JaitcH
    Happy

    I write a 4-Digit Number on my Card

    No, not my pin, but any lazy thief might assume it IS my PIN and stick it, or a permutation, in thereby hastening the lock-up of my card.

    Whenever a web page offers to store my password, I always accept AFTER putting the wrong password in, so if anyone tries to access it, it simply doesn't work..

  43. Alan Brown Silver badge

    I write 4 digit numbers on my cards

    They have _nothing_ to do with my PINs - and a lot to do with the idea that most crims are dumb enough to try repeatedly entering them.

    Given that more secure codes would lead to more cases of crims standing over people at ATMs and threatening GBH whilst forcing them to withdraw money, wouldn't it be nice to have a "duress" code for ATM cards?

  44. Alexandicity

    My system for PINs

    Probably should be an AC for this post but oh well. I assume you all are upstanding readers who wouldn't dare try to nick my card and guess my code.

    I have 6 bank cards of which half are used frequently. The others I don't use so often and commonly used to forget their PINs (as a good bankee, I would never write them down). I have since build a system where each PIN is XXYY where the YY are the same to each card and XX are the two digits in two particular positions on the long card number. This way, each PIN is different, statistically random, yet easy to determine if you know the two common digits and the positions of the long number to read. I'm hoping there's no gaping hole in that strategy - the only vulnerability I see is if someone found out one of my PINs and somehow knew my strategy and got hold of a second card, they might be able to work out the second card's PIN.

This topic is closed for new posts.