A birthday present every eleven wallets? The security of customer-chosen banking PINs

Joseph Bonneau, Sören Preibusch, Ross Anderson

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

Original language: English (US)
Title of host publication: Financial Cryptography and Data Security - 16th International Conference, FC 2012, Revised Selected Papers
Pages: 25-40
Number of pages: 16
Volume: 7397 LNCS
DOIs: https://doi.org/10.1007/978-3-642-32946-3_3
State: Published - 2012
Event: 16th International Conference on Financial Cryptography and Data Security, FC 2012 - Kralendijk, Bonaire, Netherlands
Duration: Mar 2 2012 to Mar 2 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7397 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 16th International Conference on Financial Cryptography and Data Security, FC 2012
Country: Netherlands
City: Kralendijk, Bonaire
Period: 3/2/12 to 3/2/12

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Bonneau, J., Preibusch, S., & Anderson, R. (2012). A birthday present every eleven wallets? The security of customer-chosen banking PINs. In Financial Cryptography and Data Security - 16th International Conference, FC 2012, Revised Selected Papers (Vol. 7397 LNCS, pp. 25-40). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7397 LNCS). https://doi.org/10.1007/978-3-642-32946-3_3

@inproceedings{42d594e4c0e341c395ed05eaae04d2b9,
title = "A birthday present every eleven wallets? The security of customer-chosen banking PINs",
abstract = "We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.",
author = "Joseph Bonneau and S{\"o}ren Preibusch and Ross Anderson",
year = "2012",
doi = "10.1007/978-3-642-32946-3_3",
language = "English (US)",
isbn = "9783642329456",
volume = "7397 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "25--40",
booktitle = "Financial Cryptography and Data Security - 16th International Conference, FC 2012, Revised Selected Papers",

}