Experts: Many 4-Digit PINs Not Hard to Guess

Security researchers from University of Cambridge performed a study to find out how vulnerable 4-digit banking PINs are to “guessing attacks” and the results revealed that a significant percentage of individuals use their own birth dates to form the code that should protect their financial assets.

While most people use random PINs, or at least ones that are hard to figure out, there are still enough that use some weak ones, such as “1234” or even their own birth dates, raising the chances for an opportunistic thief to succeed in guessing them.

The experts surveyed 1,300 Internet users to determine precisely the “strength” of their PINs. Of course, they weren’t requested to provide the actual digits, instead they were asked certain questions that could allow for a categorization.

The figures showed that around 25% of the respondents use the random sequence assigned to them by the bank when they received the credit card. More than one third use something related to phone numbers, or other IDs they already know, but statistically speaking these practices don’t expose card holders to the dangers of guessing attacks.

It turns out that 63.7% utilize a pseudorandom PIN and 5% rely on a numeric pattern such as “2323”. Around 9% use a password choosing technique that’s popular among many users, the one where they remember the position of the keys on the keypad, instead of the actual digits.

While this gives an attacker a possible rate of success lower than 2%, the other 23% of subjects tip the balance in the attacker’s favor. This last 23% chose a PIN that represents a date, around 30% using their own birth dates.

Since 99% of respondents admitted that their birth date is listed somewhere in their wallet, the attacker’s rate of success jumps to 9%.

Researchers suggest that banks should blacklist the top 100 PINs, maneuver which would decrease the guessing rate down to 0.2%. However, the use of birth dates still represents a major threat to the integrity of one’s bank account in case he/she physically loses the card. 

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.