"1234" and Birthdays Are the Most Common PINs

Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson: Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term. Blog post....

read more...

Source: Schneier on Security - Tuesday, 21 February

Related articles:

• Less than a week ago
• 5Vote! Robot Motor Control Hacked Gadgets - 4 days ago
  • MBARI discovers new deep-sea hydrothermal vents using sonar-mapping robot - PhysOrg
  • MiniBot Class Reminder - SparkFun Electronics
  • Robot arm at MIT will weave its own web (w/ Video) - PhysOrg
• Older News
• 3Vote! 3 Axis Accelerometer based on the Freescale MMA7361L Hacked Gadgets - Wednesday, 25 April
  • DIY 3-axis Accelerometer - HACKOLOG
  • Freescale introduces 64-bit quad-core QorIQ P5040 processor for power-sensitive control plane applications - PhysOrg
  • Having fun with 3 axis accelerometer board - Embedds.com
• 9Vote! How to get 2 extra Pins from an Arduino Hacked Gadgets - Monday, 19 March
  • Sanguino – when more power is needed - Embedds.com
  • Producing Animations Using Arduino - HACKOLOG
  • IR based Arduino programmer - Embedds.com
• 3Vote! pyMCU – python controlled MCU Embedds.com - Thursday, 8 March
  • Arduino based alarm system that sends SMS - Embedds.com
  • PIC16F877A based AVR programmer - Embedds.com
  • “MS PAINT” on an LED DOTMATRIX DISPLAY - Embedds.com
• 6Vote! You Should Probably Change Your PIN Now; Here’s How to Remember Your New, Secure PIN Lifehacker - Thursday, 1 March
  • Internet safe spot planned at ".secure" domain - PhysOrg
  • Ravens remember relationships they had with others - PhysOrg
  • Plants can 'remember' drought and change responses to survive - PhysOrg
• 13Vote! Turning parallel LCD interface in to serial Embedds.com - Friday, 6 January
  • Driving Seven segment LED display using serial interface - Embedds.com
  • 'Jackie' the Ripper: Was the Infamous Serial Killer a Woman? - Yahoo Science News
  • Having fun with 3 axis accelerometer board - Embedds.com
• 18Vote! Add as many pins to AVR as you want with shift register Embedds.com - Monday, 14 November, 2011
  • 3 Axis Accelerometer based on the Freescale MMA7361L - Hacked Gadgets
  • How to get 2 extra Pins from an Arduino - Hacked Gadgets
  • pyMCU – python controlled MCU - Embedds.com
• 14Vote! Porting ITDB02 LCD shield library to ChipKIT Embedds.com - Monday, 7 November, 2011
  • Will Inflatable Spacecraft Shield Survive Re-Entry Burn? | Video - Space.com
  • Clean Up and Organize Your Music Library This Weekend - Lifehacker
  • Sip’n Puff Arduino Shield controls an iPod - Hacked Gadgets
• 12Vote! Attiny13 based double dice Embedds.com - Monday, 3 October, 2011
  • Hacked Chocolate Box has Blinking LEDs controlled by an ATTiny13 - Hacked Gadgets
  • Low budget AVR proximity sensor - Embedds.com
  • Double chemical action yields double success - PhysOrg
• 30Vote! Bilingual babies' vocabulary linked to early brain differentiation LabSpaces - Monday, 29 August, 2011
  • Babies' susceptibility to colds linked to immune response at birth - LabSpaces
  • Successful stem cell differentiation requires DNA compaction, study finds - e! Science News
  • Genetic packing: Successful stem cell differentiation requires DNA compaction, study finds - PhysOrg
• 33Vote! Study links bilingual babies' vocabulary to early brain differentiation PhysOrg - Monday, 29 August, 2011
  • Successful stem cell differentiation requires DNA compaction, study finds - e! Science News
  • Genetic packing: Successful stem cell differentiation requires DNA compaction, study finds - PhysOrg
  • Babies' brains benefit from music lessons, researchers find - e! Science News
• 22Vote! Common PINs Schneier on Security - Monday, 27 June, 2011
  • Robot Motor Control - Hacked Gadgets
  • 3 Axis Accelerometer based on the Freescale MMA7361L - Hacked Gadgets
  • How to get 2 extra Pins from an Arduino - Hacked Gadgets
• 19Vote! Recent financial crisis rooted in politics of creditworthiness, new study contends PhysOrg - Thursday, 2 June, 2011
  • Statistical analysis could predict bankrupt stocks - PhysOrg
  • War Of The Worlds: When Science, Politics Collide - LabSpaces
  • How does the global financial crisis affect consumer decision making? - PhysOrg