Wallet thieves have chance at guessing card PINs

Powered by SC Magazine
 

British researchers calculate probabilities.

A "competent" thief could guess the four-digit PIN of one payment card in every 11-18 wallets they stole, according to University of Cambridge researchers.

The research [pdf] is based on a mathematical analysis of two leaked datasets combined with the results of a survey of 1177 people.

The research project aimed to estimate the difficulty of guessing a human-chosen four-digit PIN.

Banks and credit card operators often allow customers to change their PIN, rather than use a supplied number.

Of those surveyed by researchers, 1108 had a PIN with exactly four digits. About 63 percent said the PIN was the one supplied by the bank or was one from a previous bank.

Another 21 percent used "pseudo-random" digits extrapolated from a phone number or other identification number.

Of those users found to have "non-random PINs", the highest proportion used a date for their four-digit PIN. Common were birthdays (theirs or a partner's) or an important life event.

In percentage terms, nearly seven percent of those surveyed based their PIN on their birth date.

The researchers said the incidence of birth dates as PINs - and the fact a stolen wallet often contained forms of identification with birth dates - could make "manual guessing by thieves [a] worthwhile" exercise.

"A lost or stolen wallet will be vulnerable up to 8.9 percent of the time in the absence of denied PIN lists, with birthday-based guessing the most effective strategy," the researchers said.

Banks could ameliorate some risk by blacklisting users from setting their PINs as a birthdate or an otherwise common set of numbers, such as 1234, the researchers said.

However, they also noted that "preventing birthday-based guessing requires a move away from customer-chosen PINs entirely".

Copyright © SC Magazine, Australia


Wallet thieves have chance at guessing card PINs
 
 
 
Top Stories
Photos: iTnews Benchmark Awards countdown begins
Just a few days left until entries close for 2014.
 
Australian Govt to rethink cyber security strategy
Six-year old policy to be refreshed.
 
The failure of the antivirus industry
[Blog post] Insights from AVAR 2014.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 1035

Vote