A birthday present every eleven wallets? The security of customer-chosen banking PINs

Joseph Bonneau, Sören Preibusch, Ross Anderson

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - 16th International Conference, FC 2012, Revised Selected Papers
Pages25-40
Number of pages16
DOIs
StatePublished - 2012
Event16th International Conference on Financial Cryptography and Data Security, FC 2012 - Kralendijk, Bonaire, Netherlands
Duration: Mar 2 2012Mar 2 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7397 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other16th International Conference on Financial Cryptography and Data Security, FC 2012
CountryNetherlands
CityKralendijk, Bonaire
Period3/2/123/2/12

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of 'A birthday present every eleven wallets? The security of customer-chosen banking PINs'. Together they form a unique fingerprint.

Cite this