20 February 2012
Weak PIN codes, like a birth date or a simple string of numbers like “1111” or “1234”, are a notorious vulnerability of banking cards. Now a group of British computer security researchers have collected data to show just how vulnerable they actually are.
A Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own. The risk is that a thief who steals a wallet can then try to siphon money from a bank account by guessing the PIN, often with the aid of personal identification information like the birth date found in the wallet.
“A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234,” said Ross Anderson, a Cambridge computer scientist. “There the thief cashes out once every 11 wallets.”
The researchers describe the criminal practice of guessing PINs from stolen bank cards as “jackpotting.”
“There is every incentive for the bad guys to try guessing PINs on every card that they steal,” Dr. Anderson said. “There will be a certain percentage that will be guessed, particularly if a bank allows its customers to choose PINs.”
The researchers’ conclusions were not entirely bleak, however. They concluded that user choices of banking PINs were not as weak as with other security codes like passwords. Moreover, they also found lower rates of reuse and sharing of PINs than is frequently the case with passwords.
The group based its analysis on data from a trove of 32 million passwords stolen and then made public from the RockYou social gaming Web site in 2009 and a smaller database of iPhone log-in sequences, as well as an online survey conducted with more than 1,100 Internet users.
In a further experiment performed on the street with a BBC camera crew, the researchers took a sheet of paper with a list of common PINs on it and stopped passers-by to ask them if their PINs were on the list, or if they used their date of birth as a PIN.
“It wasn’t a scientific experiment, but we got five out of 20 people,” said Joseph Bonneau, a member of the research group. “I was actually shocked.”
Shorter sequences and user-chosen passwords are more vulnerable. The researchers found that in the United States and in Europe different banks had different practices on what kinds of PINs were permitted. “In the U.S.A., we found that Bank of America and Wells Fargo let customers choose dumb PINs, while Citibank doesn’t,” Dr. Anderson said. “This side of the pond, there’s also diversity. Lloyds and the Co-op let you choose anything while Barclays, RBS and HSBC don’t.”
Their report, which will be presented later this month at a financial security conference, traces an idiosyncratic history of the use of passwords by financial institutions. “In the context of banking, PINs first appeared in separate British cash machines deployed in 1967, with six-digit PINs in the Barclays-De La Rue system rolled out in June, and four-digit PINs in the National-Chubb system in September,” the researchers write. “According to John Shepherd-Barron, leader of the De La Rue engineering team, after his wife was unable to remember six random digits he reduced the length to four.”
The authors note that because of ambiguous international standards, “PIN requirements vary significantly but the minimal four-digit length predominates.” There are, however, areas of the world where PINs that are longer than four digits are required. Moreover, while most banks allow user-defined PINs, there are exceptions, like banks in Germany.
The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use their date of birth as a PIN or password. Second, banks should institute blacklists of common PINs, or prohibit user selection of PINs entirely.
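The two recommendations, and the “jackpotting” thief they are meant to defeat, can be made concrete with a small policy check. The code below is an added illustration, not code from the Cambridge study or from the article: the common-PIN list is a short constructed example rather than the researchers’ data, the set of birth-date layouts a thief would try is an assumption made here, and the number of guesses a thief gets before a card locks is a parameter, not a figure from the page.

```python
"""PIN policy check modelled on the study's two recommendations.

Added illustration, not code from the Cambridge study or the article. The
common-PIN list is constructed for the example, the birth-date layouts are an
assumption, and `tries` (guesses before a card locks) is a free parameter.
"""
from __future__ import annotations

from datetime import date

# Constructed blacklist in an assumed descending order of popularity. A real
# deployment would populate this from measured PIN-frequency data.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000",
               "4444", "2222", "6969"]

# Constructed birth date used by the demo and the checks below.
EXAMPLE_DOB = date(1984, 7, 19)


def date_pins(birthday: date) -> list[str]:
    """PINs a thief can derive from a birth date found in the wallet.

    Covers the 4- and 6-digit layouts that are most natural to type
    (DDMM, MMDD, YYYY, DDMMYY, MMDDYY, YYMMDD); the selection is an assumption.
    """
    d, m, y = birthday.day, birthday.month, birthday.year
    yy = y % 100
    return [f"{d:02d}{m:02d}", f"{m:02d}{d:02d}", f"{y:04d}",
            f"{d:02d}{m:02d}{yy:02d}", f"{m:02d}{d:02d}{yy:02d}",
            f"{yy:02d}{m:02d}{d:02d}"]


def is_sequential(pin: str) -> bool:
    """1234, 4321, 9012 ...: every step is +1, or every step is -1 (mod 10)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def pin_rejected(pin: str, birthday: date | None = None) -> str | None:
    """Return the reason a PIN fails the policy, or None if it is acceptable."""
    if not pin.isdigit() or len(pin) < 4:
        return "must be at least four digits"
    if len(set(pin)) == 1:
        return "repeated digits"
    if is_sequential(pin):
        return "sequential digits"
    if len(pin) % 2 == 0 and pin[:2] * (len(pin) // 2) == pin:
        return "repeated pattern"
    if pin in COMMON_PINS:
        return "on the common-PIN blacklist"
    if birthday is not None and pin in date_pins(birthday):
        return "derived from birth date"
    return None


def attacker_guesses(pin_length: int, birthday: date | None = None) -> list[str]:
    """Ordered guess list for the jackpotting thief: birth-date forms first
    (if the wallet held ID), then the common PINs, restricted to the card's
    PIN length and deduplicated."""
    candidates = (date_pins(birthday) if birthday else []) + COMMON_PINS
    seen: set[str] = set()
    ordered = []
    for guess in candidates:
        if len(guess) == pin_length and guess not in seen:
            seen.add(guess)
            ordered.append(guess)
    return ordered


def thief_wins(pin: str, birthday: date | None = None, tries: int = 3) -> bool:
    """True if the PIN falls within the thief's first `tries` guesses."""
    return pin in attacker_guesses(len(pin), birthday)[:tries]


if __name__ == "__main__":
    for pin in ["1234", "1907", "1984", "2046"]:
        print(pin, pin_rejected(pin, EXAMPLE_DOB) or "accepted",
              "| thief wins:", thief_wins(pin, EXAMPLE_DOB))
```

Run stand-alone, the script shows the intended relationship: every PIN the policy rejects is exactly one the thief tries first, and a PIN that passes the check is not reachable within the guess budget. Note that `thief_wins` accepts birth-date forms ahead of the generic blacklist, so a bank that only blocks `1111`-style PINs but lets customers encode their birthday still leaves the wallet thief a good first guess, which is the study’s first recommendation in code.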