Wallet thieves have chance at guessing card PINs


British researchers calculate probabilities.

A "competent" thief could guess the four-digit PIN of a payment card in one of every 11 to 18 wallets they stole, according to University of Cambridge researchers.

The research is based on a mathematical analysis of two leaked datasets combined with the results of a survey of 1177 people.

The research project aimed to estimate the difficulty of guessing a human-chosen four-digit PIN.

Banks and credit card operators often allow customers to change their PIN, rather than use a supplied number.

Of those surveyed by researchers, 1108 had a PIN with exactly four digits. About 63 percent said the PIN was the one supplied by the bank or was one from a previous bank.

Another 21 percent used "pseudo-random" digits taken from a phone number or another identification number.

Of those users found to have "non-random PINs", the highest proportion used a date for their four-digit PIN. Common were birthdays (theirs or a partner's) or an important life event.

In percentage terms, nearly seven percent of those surveyed based their PIN on their birth date.

The researchers said the incidence of birth dates as PINs - and the fact a stolen wallet often contained forms of identification with birth dates - could make "manual guessing by thieves [a] worthwhile" exercise.

"A lost or stolen wallet will be vulnerable up to 8.9 percent of the time in the absence of denied PIN lists, with birthday-based guessing the most effective strategy," the researchers said.

Banks could reduce the risk with a denied PIN list that stops customers from setting a PIN that is a birthdate or another common sequence, such as 1234, the researchers said.

However, they also noted that "preventing birthday-based guessing requires a move away from customer-chosen PINs entirely".
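The two sides of the argument above, the thief's birthday-first guessing order and the issuer's denied PIN list, as an added example that is not part of the article or the Cambridge paper. The six date layouts, the short list of common PINs (only 1234 is named in the article) and the guess budget before a card locks are all assumptions of this example, not figures from the research.

```python
from datetime import date
from typing import Iterable, Optional

# PINs a thief would try before anything else. Only 1234 is named in the
# article; the rest are an illustrative assumption, not the researchers' ranking.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777"]


def _dedupe(pins: Iterable[str]) -> list:
    """Keep the first occurrence of each PIN, preserving order."""
    seen = set()
    out = []
    for p in pins:
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


def birthday_pins(dob: date) -> list:
    """Four-digit PINs derivable from a date of birth found in the wallet.
    The six layouts (DDMM, MMDD, YYYY, YYMM, MMYY, DDYY) are this example's
    own choice of derivations."""
    d = f"{dob.day:02d}"
    m = f"{dob.month:02d}"
    yy = f"{dob.year % 100:02d}"
    yyyy = f"{dob.year:04d}"
    return _dedupe([d + m, m + d, yyyy, yy + m, m + yy, d + yy])


def guess_order(dob: Optional[date], budget: int) -> list:
    """Guesses a thief gets to make before the card locks, in the order a
    birthday-first strategy would try them. `budget` is the issuer's lockout
    threshold, a parameter here rather than a figure from the article."""
    candidates = (birthday_pins(dob) if dob else []) + COMMON_PINS
    return _dedupe(candidates)[:budget]


def is_denied(pin: str, dob: Optional[date] = None) -> bool:
    """Denied PIN check an issuer could run when a customer chooses a PIN:
    rejects common PINs, repeated digits, straight runs (0123, 9876) and any
    PIN derivable from the customer's own date of birth."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if pin in COMMON_PINS or steps in ({0}, {1}, {-1}):
        return True
    return dob is not None and pin in birthday_pins(dob)


if __name__ == "__main__":
    # Constructed date of birth, as a thief might read it off a licence in the wallet.
    dob = date(1985, 3, 7)
    print("thief's first six guesses:", guess_order(dob, 6))
    for candidate in ("0703", "1234", "4915"):
        print(candidate, "denied" if is_denied(candidate, dob) else "allowed")
```

The denied list only covers dates the issuer already knows, which is the customer's own date of birth. A partner's birthday or an anniversary found in the same wallet is invisible to the check, which is the gap the researchers point to when they say that stopping birthday-based guessing needs more than a blacklist.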

Copyright © SC Magazine, Australia