Nearly 10 percent of four-digit ATM PIN codes used for banking purposes could be guessed by an opportunistic thief before the card is blocked, according to research carried out by Cambridge University.
In what appears to be the first study of its kind, the researchers say that the widespread usage of dates of birth as PIN codes is primarily to blame for the weakness. The researchers used a combination of leaked data from non-banking sources (specifically 200,000 smartphone unlock-codes and the 1.7 million entries in the RockYou dataset) and an online survey as the data set for the research. In the survey, 1,300 people were asked if their ATM PIN code fell into one of the general categories the team had identified (no, they weren't asked for their PIN codes!).
Cambridge University researcher Joseph Bonneau explains the findings:
About a quarter stick with their bank-assigned random PIN and over a third choose their PIN using an old phone number, student ID, or other sequence of numbers which is, at least to a guessing attack, statistically random. In total, 63.7% use a pseudorandom PIN, much more than the 23–27% we estimated for our base datasets. Another 5% use a numeric pattern (like 4545) and 9% use a pattern on the entry keypad, also lower than the other two datasets. Altogether, this gives an attacker with 6 guesses (3 at an ATM and 3 with a CAP reader) less than a 2% chance of success. Unfortunately, the final group of 23% of users chose a PIN representing a date, and nearly a third of these used their own birthday. This is a game-changer because over 99% of customers reported that their birth date is listed somewhere in the wallet or purse where they keep their cards. If an attacker knows the cardholder’s date of birth and guesses optimally, the chances of successfully guessing jump to around 9%.
What's also interesting is that the researchers say that blacklisting the top 100 PINs can drive the guessing rate down to around 0.2% in the general case. They recommend blacklisting the following PIN codes:
0000, 0101-0103, 0110, 0111, 0123, 0202, 0303, 0404, 0505, 0606, 0707, 0808, 0909, 1010, 1101-1103, 1110-1112, 1123, 1201-1203, 1210-1212, 1234, 1956-2015, 2222, 2229, 2580, 3333, 4444, 5252, 5683, 6666, 7465, 7667.
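As an added illustration (not code from the article or from the Cambridge researchers), the following Python turns the printed blacklist above into a PIN-change policy check. It expands the single PINs and the inclusive ranges into a set, which comes to exactly 100 entries, and rejects any PIN on that list. The date-of-birth rule, the helper names and the sample PINs are assumptions made for this example; the article only reports that date-based PINs, and birthdays in particular, are the weak spot, so the date rule is one way a bank might act on that finding.

```python
"""PIN policy check built from the 100-PIN blacklist printed in the article.

Assumptions (not from the article or the paper): the function names, the
ISO-date input format, the date-derived-PIN rule and the sample PINs.
"""
from __future__ import annotations

import datetime
import re

# Blacklist exactly as printed in the article: single PINs and inclusive ranges.
BLACKLIST_SPEC = (
    "0000, 0101-0103, 0110, 0111, 0123, 0202, 0303, 0404, 0505, 0606, 0707, "
    "0808, 0909, 1010, 1101-1103, 1110-1112, 1123, 1201-1203, 1210-1212, 1234, "
    "1956-2015, 2222, 2229, 2580, 3333, 4444, 5252, 5683, 6666, 7465, 7667"
)


def expand_blacklist(spec: str) -> frozenset:
    """Expand 'AAAA' and 'AAAA-BBBB' tokens into a set of 4-digit strings."""
    pins = set()
    for token in spec.split(","):
        token = token.strip()
        match = re.fullmatch(r"(\d{4})(?:-(\d{4}))?", token)
        if not match:
            raise ValueError(f"bad blacklist token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2) or match.group(1))
        # Ranges are inclusive, zero-padded back to four digits.
        pins.update(f"{n:04d}" for n in range(low, high + 1))
    return frozenset(pins)


BLACKLIST = expand_blacklist(BLACKLIST_SPEC)


def date_pins(dob_iso: str) -> set:
    """PINs trivially derived from a birth date given as YYYY-MM-DD.

    Assumed rule for this example: DDMM, MMDD, the four-digit year, and the
    two-digit-year combinations DDYY, MMYY, YYMM, YYDD.
    """
    dob = datetime.date.fromisoformat(dob_iso)
    day = f"{dob.day:02d}"
    month = f"{dob.month:02d}"
    year4 = f"{dob.year:04d}"
    year2 = f"{dob.year % 100:02d}"
    return {day + month, month + day, year4,
            day + year2, month + year2, year2 + month, year2 + day}


def check_pin(pin: str, dob_iso: str | None = None) -> str:
    """Return 'ok' or the reason the chosen PIN should be rejected."""
    if not re.fullmatch(r"\d{4}", pin):
        return "pin must be exactly four digits"
    if pin in BLACKLIST:
        return "pin is on the top-100 blacklist"
    if dob_iso is not None and pin in date_pins(dob_iso):
        return "pin is derived from the cardholder's date of birth"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a cardholder born 23 April 1987 trying a few PINs.
    sample_dob = "1987-04-23"
    for candidate in ["1234", "1987", "2304", "8723", "8317", "12a4"]:
        print(candidate, "->", check_pin(candidate, sample_dob))
```

The blacklist check goes first so that a year such as 1987, which is both a birth year and inside the 1956-2015 range, is reported under the general rule; the date rule only catches PINs that the top-100 list does not already cover.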
If you want more meat to the research, I suggest you check out the associated research paper 'A birthday present every eleven wallets? The security of customer-chosen banking PINs' [PDF].
If you are using any of these, you might want to change it ... soon!