Poor ATM PIN codes give the bad guys a 1-in-11 chance at getting your money

Summary:A PIN code based on the victims' birthday will enable a competent thief to gain use of an ATM card once for every 11 - 18 stolen wallets.

Nearly 10 percent of four-digit ATM PIN codes used for banking purposes could be guessed by an opportunistic thief before the card is blocked, according to research carried out by Cambridge University.

In what appears to be the first study of its kind, the researchers say that the widespread usage of dates of birth as PIN codes is primarily to blame for the weakness. The researchers used a combination of leaked data from non-banking sources (specifically 200,000 smartphone unlock-codes and the 1.7 million entries in the RockYou dataset) and an online survey as the data set for the research. In the survey, 1,300 people were asked if their ATM PIN code fell into fell into one of the general categories the team had identified (no, they were't asked for their PIN codes!).

Cambridge University researcher Joseph Bonneau explains the findings:

About a quarter stick with their bank-assigned random PIN and over a third choose their PIN using an old phone number, student ID, or other sequence of numbers which is, at least to a guessing attack, statistically random. In total, 63.7% use a pseudorandom PIN, much more than the 23–27% we estimated for our base datasets. Another 5% use a numeric pattern (like 4545) and 9% use a pattern on the entry keypad, also lower than the other two datasets. Altogether, this gives an attacker with 6 guesses (3 at an ATM and 3 with a CAP reader) less than a 2% chance of success. Unfortunately, the final group of 23% of users chose a PIN representing a date, and nearly a third of these used their own birthday. This is a game-changer because over 99% of customers reported that their birth date is listed somewhere in the wallet or purse where they keep their cards. If an attacker knows the cardholder’s date of birth and guesses optimally, the chances of successfully guessing jump to around 9%.

What's also interesting is that the researchers say that blacklisting the top 100 PINs can drive the guessing rate down to around 0.2% in the general case. They recommend blacklisting the following PIN codes:

0000, 0101-0103, 0110, 0111, 0123, 0202, 0303, 0404, 0505, 0606, 0707, 0808, 0909, 1010, 1101-1103, 1110-1112, 1123, 1201-1203, 1210-1212, 1234, 1956-2015, 2222, 2229, 2580, 3333, 4444, 5252, 5683, 6666, 7465, 7667.

If you want more meat to the research, II suggest you check out the associated research paper 'A birthday present every eleven wallets? The security of customer-chosen banking PINs' [PDF].

If you are using any of these, you might want to change it ... soon!

Topics: Security


Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.Adrian has authored/co-authored technic... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.