Letting customers choose PINs a gift to thieves - research

23 February 2012

Banks that let customers pick their own PINs and fail to 'blacklist' the most common variations are putting them at risk, according to a paper from Cambridge University researchers.

Joseph Bonneau, Sören Preibusch and Ross Anderson analysed 32 million passwords stolen from the RockYou social gaming Web site in 2009 and 200,000 iPhone unlock codes before carrying out an online survey of more than 1100 people for what they claim is the first quantitative analysis of the difficulty of guessing four-digit banking PINs chosen by the cardholder.

The scientists' analysis of the data reveals that people take choosing their PINs seriously and what they pick is generally stronger and less likely to be replicated than other passwords.

However, a thief can expect to correctly "jackpot" one in every eleven stolen cards before the card is blocked if the victim chose their own PIN and the bank has no blacklisted numbers. This is largely down to the number of people who use their birth date - a piece of information often carried in wallets and so available to a pickpocket.

Banks that do blacklist common numbers, such as 1111 and 1234, reduce the chances of the number being cracked to one in every 18. If thieves do not have the victims' birth date, blacklisting the top 100 PINs reduces the guessing rate for a thief substantially, bringing it down to just 0.2%.

Anderson told the New York Times that Bank of America and Wells Fargo in the US and Lloyds and the Co-op in Britain do not have blacklists, letting customers choose 'dumb' PINs and so heightening their risk.

"We advise users not to use PINs based on a date of birth, and those banks which do not currently employ blacklists to immediately do so. Still, preventing birthday-based guessing requires a move away from customer-chosen PINs entirely," concludes the paper.
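The two defences the paper recommends, a bank-side blacklist of the most common PINs and a refusal of PINs that can be read off a date of birth, can both be expressed as a simple policy check. The following is an added example written for this article; it is not code from the Cambridge paper or from any bank. The page names 1111 and 1234 as examples of commonly blacklisted PINs; the other blacklist entries, the set of date formats treated as birthday-derived, the 1,000-card PIN population and the renormalisation model used in the guessing simulation are all constructed assumptions of this example, not figures from the research, so the rates it prints are illustrative and will not reproduce the paper's 1-in-11 and 1-in-18 numbers.

```python
from collections import Counter

# Constructed blacklist. The page names 1111 and 1234 as examples of common PINs
# that banks should block; the other three entries are this example's own picks.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777"}


def dob_pins(dob):
    """Four-digit PINs a pickpocket could derive from a date of birth (year, month, day).

    Formats covered here (an assumption of this example): DDMM, MMDD, YYYY, MMYY, YYMM.
    """
    year, month, day = dob
    dd, mm, yyyy, yy = f"{day:02d}", f"{month:02d}", f"{year:04d}", f"{year % 100:02d}"
    return {dd + mm, mm + dd, yyyy, mm + yy, yy + mm}


def is_sequential(pin):
    """True for 0123, 1234, ..., 6789 and their reverses."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def pin_rejection_reason(pin, dob=None):
    """Return why a bank should refuse this customer-chosen PIN, or None if it is acceptable."""
    if len(pin) != 4 or not pin.isdigit():
        return "must be exactly four digits"
    if pin in COMMON_PINS:
        return "on the blacklist of most common PINs"
    if len(set(pin)) == 1:
        return "all digits identical"
    if is_sequential(pin):
        return "sequential digits"
    if dob is not None and pin in dob_pins(dob):
        return "derived from date of birth"
    return None


# Constructed population of 1,000 customer-chosen PINs: a skewed head of five
# popular PINs and a flat tail of 700 distinct PINs chosen once each. It is an
# illustration of skew, not the distribution measured by the paper.
CONSTRUCTED_POPULATION = Counter({"1234": 150, "1111": 60, "0000": 40, "1212": 30, "7777": 20})
CONSTRUCTED_POPULATION.update({f"{n:04d}": 1 for n in range(3000, 3700)})


def guess_success_rate(population, guesses, blacklist=frozenset()):
    """Share of cards a thief jackpots with `guesses` tries before the card is blocked.

    The thief is assumed to know the population statistics and to try the most
    popular allowed PINs first. Blacklisted PINs are removed and the rest
    renormalised, i.e. customers forced off a blacklisted PIN are modelled as
    spreading over the remaining PINs in proportion to existing popularity
    (a simplifying assumption of this example).
    """
    allowed = {pin: n for pin, n in population.items() if pin not in blacklist}
    total = sum(allowed.values())
    best = sorted(allowed.values(), reverse=True)[:guesses]
    return sum(best) / total


if __name__ == "__main__":
    for pin in ("1234", "4321", "8888", "0703", "5937"):
        print(pin, pin_rejection_reason(pin, dob=(1985, 3, 7)))
    print("3 guesses, no blacklist:", guess_success_rate(CONSTRUCTED_POPULATION, 3))
    print("3 guesses, with blacklist:", guess_success_rate(CONSTRUCTED_POPULATION, 3, COMMON_PINS))
```

The guessing simulation makes the article's point visible: with the blacklist off, three guesses against the skewed head land on a quarter of the constructed population; with the head blacklisted, the same three guesses only reach three cards in 700. The date-of-birth check only helps if the bank actually holds the cardholder's birth date at PIN-selection time, which is why the paper still prefers bank-assigned PINs.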

You can read a blog on the research from Joseph Bonneau here and the full paper here.


Comments: (1)

Keith Richbell - eftpos Payments Australia Ltd. (ePAL) - Sydney | 23 February, 2012, 21:58

This is about as helpful as being told "the sky is blue and the sea is green". Shame Cambridge University can't find something more important to waste their time and money on.

