Banks that let customers pick their own PINs and fail to 'blacklist' the most common variations are putting them at risk, according to a paper from Cambridge University researchers.
Joseph Bonneau, Sören Preibusch and Ross Anderson analysed 32 million passwords stolen from the RockYou social gaming Web site in 2009 and 200,000 iPhone unlock codes before carrying out an online survey of more than 1100 people for what they claim is the first quantitative analysis of the difficulty of guessing four-digit banking PINs chosen by the cardholder.
The scientists' analysis of the data reveals that people take choosing their PINs seriously and what they pick is generally stronger and less likely to be replicated than other passwords.
However, a thief can expect to correctly "jackpot" one in every eleven stolen cards before the card is blocked if the victim chose their own PIN and the bank has no blacklisted numbers. This is largely down to the number of people who use their birth date as a PIN - a piece of information often carried in wallets and so available to a pickpocket.
Banks that do blacklist common numbers, such as 1111 and 1234, reduce the chances of the number being cracked to one in every 18. If thieves do not have the victims' birth date, blacklisting the top 100 PINs reduces the guessing rate for a thief substantially, bringing it down to just 0.2%.
Anderson told the New York Times that Bank of America and Wells Fargo in the US and Lloyds and the Co-op in Britain do not have blacklists, letting customers choose 'dumb' PINs and so heightening their risk.
"We advise users not to use PINs based on a date of birth, and those banks which do not currently employ blacklists to immediately do so. Still, preventing birthday-based guessing requires a move away from customer-chosen PINs entirely," concludes the paper.
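As an added illustration of the two defences the paper recommends (a blacklist of common PINs and rejection of date-of-birth-derived PINs), the following Python is example code written for this article, not code from the Cambridge paper or from any bank. The article names only 1111 and 1234 as blacklisted values; every other entry in `COMMON_PINS`, the date patterns in `date_derived_pins`, the constructed PIN distribution and the three-guess budget in `attacker_success` are assumptions made for the example.

```python
from __future__ import annotations

import math
from datetime import date

# Constructed blacklist. 1111 and 1234 are named in the article; the other
# entries are assumed examples of the "most common variations" a bank might block.
COMMON_PINS = {
    "1111", "1234", "0000", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321",
    "2001", "1010", "2580",
}


def date_derived_pins(dob: date) -> set[str]:
    """PINs an attacker could derive from a date of birth found in a wallet.
    Assumed patterns: DDMM, MMDD, YYYY and the day/month/two-digit-year combos."""
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + yy, mm + yy, yy + dd, yy + mm}


def is_repeated_or_sequential(pin: str) -> bool:
    """True for 1111-style repeats and 1234/4321-style runs."""
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def check_pin(pin: str, dob: date | None = None) -> tuple[bool, str]:
    """Policy check a bank could run when a customer chooses a PIN.
    Returns (accepted, reason)."""
    if not (len(pin) == 4 and pin.isdigit()):
        return False, "PIN must be exactly four digits"
    if pin in COMMON_PINS:
        return False, "PIN is on the common-PIN blacklist"
    if is_repeated_or_sequential(pin):
        return False, "PIN is a repeated or sequential digit pattern"
    if dob is not None and pin in date_derived_pins(dob):
        return False, "PIN is derivable from the cardholder's date of birth"
    return True, "ok"


def constructed_distribution() -> dict[str, float]:
    """A made-up population PIN distribution: a few very popular PINs and a
    uniform tail. The numbers are illustrative, not the paper's measurements."""
    head = {"1234": 0.10, "1111": 0.06, "0000": 0.02, "1212": 0.012, "7777": 0.008}
    tail_pins = [f"{i:04d}" for i in range(10000) if f"{i:04d}" not in head]
    per_tail = (1.0 - sum(head.values())) / len(tail_pins)
    dist = {p: per_tail for p in tail_pins}
    dist.update(head)
    return dist


def attacker_success(freq: dict[str, float], blacklist: set[str], guesses: int = 3) -> float:
    """Probability that a thief who knows the population distribution and gets
    `guesses` tries before the card is blocked (three is an assumption; the
    article does not state the limit) hits the PIN. Assumes customers who would
    have picked a blacklisted PIN pick from the rest in proportion to its popularity."""
    allowed = {p: f for p, f in freq.items() if p not in blacklist}
    total = sum(allowed.values())
    if total == 0:
        return 0.0
    top = sorted(allowed.values(), reverse=True)[:guesses]
    return sum(top) / total


if __name__ == "__main__":
    dist = constructed_distribution()
    print("no blacklist:", attacker_success(dist, set()))
    print("blacklist top 2:", attacker_success(dist, {"1234", "1111"}))
    print("blacklist all popular:", attacker_success(dist, {"1234", "1111", "0000", "1212", "7777"}))
    print(check_pin("1984", date(1984, 7, 23)))
```

The two measures work in different ways: the blacklist and pattern checks shrink the attacker's best few guesses from the population's most popular PINs to much rarer ones, while the date-of-birth check removes guesses that are specific to one victim and that no population-wide blacklist can cover, which is why the paper says stopping birthday guessing ultimately needs bank-assigned PINs rather than customer-chosen ones.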
You can read a blog on the research from Joseph Bonneau here and the full paper here.