Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Bank Customers Favor Birthdate PINs

Too many people use a date for their bank card PIN, giving attackers an edge in figuring out the number, reports Cambridge University researchers.

Why don't banks block overused or insecure passwords and PIN codes?

That's one question posed by a study conducted by Cambridge University security researchers Joseph Bonneau, Soren Preibusch, and Ross Anderson, who've conducted what they said is "the first-ever quantitative analysis of the difficulty of guessing four-digit banking PINs." Their research has implications not just for ATM cards, but also for any mobile device set to require a numeric password.

The big warning from their research is that based on current PIN-picking patterns, would-be attackers have a 9% chance of correctly guessing a person's ATM code.

How did the researchers reach that conclusion? Since banks don't share customers' PIN codes for statistical analysis purposes, the researchers turned to the leak of 32 million RockYou passwords, which includes 1.7 million four-digit sequences. In addition, they said that developer Daniel Amitay "graciously" shared a set of 200,000 iPhone unlock codes that he'd amassed. With all of that data in hand, they assessed PIN popularity using 25 factors, including whether the data included a date (in DDMM format), as well as whether numbers ascended, and also surveyed more than 1,000 people about their PIN-management habits.

[ As smartphones turn into wallets, the risk to your bank account rises. See What One-Time Passwords Could Do For Mobile. ]

The good news from the study is that "people are considerably more careful when choosing banking PINs" than passwords, said Bonneau in a blog post. "About a quarter stick with their bank-assigned random PIN and over a third choose their PIN using an old phone number, student ID, or other sequence of numbers which is, at least to a guessing attack, statistically random." Meanwhile, 5% use a numeric pattern--such as "3535"--while 9% use a visual pattern on the keypad. Both of those approaches have only a 2% chance of being guessed.

But the researchers found that 23% of users base their PIN on a date, "and nearly a third of these used their own birthday." What attacker could easily guess someone's birthdate or birth year? Actually, the answer is elementary. According to the survey conducted by the group, 99% of people surveyed said they carry something in their wallet--most often their driver's license--that lists their birthdate. As a result, attackers have a 9% chance of guessing a birthdate-based PIN code.

In other words, "a competent thief will gain use of a payment card once every 11 to 18 stolen wallets, depending on the proportion of banks using a denied PIN list," according to the researchers.

What can be done to strengthen four-digit PIN codes? For starters, the researchers propose blacklisting--that is, preventing users from selecting--100 specific PINs, including "0000" and "1010." Doing so would decrease the overall chance of an attacker guessing a PIN code to just 0.2%, yet numerous financial institutions apparently don't have such controls in place. "In both the U.S. and U.K. we found banks which allowed us to change to 1234," said Bonneau.

Another security-improvement recommendation is to prevent users from using their birthdates as a PIN code, although the researchers questioned whether such a control could be easily implemented. "Too many PINs can be interpreted as dates to blacklist them all, and customer-specific blacklisting using knowledge of the customer's birthday seems impractical," said Bonneau.

The Cambridge University researchers plan to present their related research paper, "A Birthday Present Every Eleven Wallets? The Security Of Customer-Chosen Banking PINs," at next week's Financial Cryptography and Data Security 2012 conference.

To protect company and customer data, we need to determine what makes it so vulnerable and appealing. We also need to understand how hackers operate, and what tools and processes they rely on. In our How (And Why) Attackers Choose Their Targets report, we explain how to ensure the best defense by thinking like an attacker and identifying the weakest link in your own corporate data chain. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/23/2012 | 10:48:15 PM
re: Bank Customers Favor Birthdate PINs
No comment about how secure a 4 digit PIN is in the first place. Sure, blacklist 100 of those numbers, reducing the number of possible PIN's by 10% to only 900. Brilliant.

Do banks use 4 digit combination locks on their front doors?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...