55 posts in this topic

Posted

If you lost your ATM card on the street, how easy would it be for someone to correctly guess your PIN and proceed to clean out your savings account? Quite easy, according to data scientist Nick Berry, founder of Data Genetics, a Seattle technology consultancy.

Berry analyzed passwords from previously released and exposed tables and security breaches, filtering the results to just those that were exactly four digits long [0-9]. There are 10,000 possible combinations that the digits 0-9 can be arranged into to form a four-digit code. Berry analyzed those to find which are the least and most predictable. He speculates that, if users select a four-digit password for an online account or other web site, it's not a stretch to use the same number for their four-digit bank PIN codes.

What he found, he says, was a "staggering lack of imagination" when it comes to selecting passwords. Nearly 11% of the 3.4 million four-digit passwords he analyzed were 1234. The second most popular PIN is 1111 (6% of passwords), followed by 0000 (2%). (Last year SplashData compiled a list of the most common numerical and word-based passwords and found that "password" and "123456" topped the list.)

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

We don't like hard-to-remember numbers and "no one thinks their wallet will get stolen," Berry says.

Many of the commonly used passwords are, of course, dates: birthdays, anniversaries, year of birth, etc. Indeed, using a year, starting with 19__, helps people remember their code, but it also increases its predictability, Berry says. His analysis shows that every single 19__ combination can be found in the top 20% of the dataset.

[url="http://finance.yahoo.com/blogs/the-exchange/cracking-pin-code-easy-1-2-3-4-130143629.html"]more[/url]


Posted

Seriously, how hard is it to randomly press 4 numbers and remember it?
1 person likes this


Posted

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.
7 people like this


Posted

Is this USA based only, or are there crazy banks in other countries that don't have a security feature on the ATMs that just "eats" the card if you input the wrong pin three times and the only way to get the card back is to go to the bank?


Posted

In the UK and most of mainland Europe I know it gives you 3 attempts before it noms your card!


Posted

[quote name='Astra.Xtreme' timestamp='1356619602' post='595417902']
Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.
[/quote]
Only old ATMS eat the cards, the new ones are swipe only. However most block the card after 3 attempts.
1 person likes this


Posted

True funny / sad story.

My secondary bank, Barclays, sent me a new debit card a couple of months after the last big article came online about the poor choice of pin codes that people were using.

Do you know the random code they sent me with the new card? 1986. Not only did it commit the mistake of starting with 19, but it also happened to be my year of birth. They got a very sarcastic email from me praising their competence and linking back to the online report.

They apologised, at least.
2 people like this


Posted

[quote]Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers[/quote]
That's terrible, but most cards only allow you three attempts before blocking, don't they? Which means that out of those 20 combinations you only have 3 attempts, which is...a 15% (I was never good at maths) chance of cracking a card that uses one of those 20 combinations?


Posted

Exactly what I was going to say. It doesn't take a genius to realize it's easy to guess when you have unlimited tries, but as we have here in UK 2 incorrect attempts and card is gone.


Posted

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.


Posted

i meant 3 sorry.


Posted

[quote name='Draconian Guppy' timestamp='1356619947' post='595417916']
Only old ATMS eat the cards, the new ones are swipe only. However most block the card after 3 attempts.
[/quote]

all the new ATM's around me you still have to put your card into it and it takes it until you are done... and these are brand new systems


Posted

[quote name='Azusa' timestamp='1356620105' post='595417934']
you'd need some form of cutting tool and a battery cause only my right hand knows my pin.
[/quote]
My pin code for my card is 6834. Now come and try to get the card from me (it's valid until 07/13, so take your time).


Posted

[quote name='Azusa' timestamp='1356620105' post='595417934']
you'd need some form of cutting tool and a battery cause only my right hand knows my pin.
[/quote]

^ I have no idea what that means. Biometrics ... ?

Besides the 3 times limit, what about the security camera taking your picture ?

Unless it's winter and you are bundled up, someone is going to know your face.


Posted

unless you are like my bank and if you mess up your pin 4 times they lock you out for 24 hours, mess it up 2 days in a row and you are locked out for a month, lock it out after that and they kill your card and ship you a new one.


Posted

[quote name='Hum' timestamp='1356619167' post='595417882']
Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.
[/quote]
This guy obviously doesn't have a clue how smart cards (bank cards) work then, they're pretty similar to SIM cards in that you have 3 attempts to input the correct pin, the bank machine transmits the PIN to the card, if it is wrong, it is not the bank machine that logs it but the smart card, after 3 wrong attempts, the smart card refuses to accept any more pin numbers and locks itself out (there is no PUK code for bank cards as there are SIM cards) and so the machine keeps it. Older cards would just refuse to accept any more PIN attempts but keep all the data in the smart card, newer cards destroy all data on the card when 3 attempts have been failed, because you can in theory reset the count or read off the data using a very powerful microscope though you'd have to know exactly where to look.
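
An added example, not part of the original post or thread: a minimal model of the card-side PIN try counter described above, used to estimate what share of cards is still matched within the attempt limit. The shares are the rounded figures quoted in the first post; the `Card` class, the `exposure` and `lockout_demo` functions and the PIN 4071 are hypothetical names and constructed values.

```python
# Added example: card-side PIN try counter and the exposure a try limit leaves.
# Shares are the rounded figures quoted in the thread (1234 ~11%, 1111 ~6%,
# 0000 ~2%); every other PIN is assumed to be outside the candidate list.
QUOTED_SHARES = {"1234": 0.11, "1111": 0.06, "0000": 0.02}


class Card:
    """Card that counts failed PIN attempts itself and blocks at zero."""

    def __init__(self, pin, max_tries=3):
        self._pin = pin
        self._max_tries = max_tries
        self.tries_left = max_tries

    @property
    def blocked(self):
        return self.tries_left == 0

    def verify(self, candidate):
        if self.blocked:
            return False                       # a blocked card rejects every PIN
        if candidate == self._pin:
            self.tries_left = self._max_tries  # success resets the counter
            return True
        self.tries_left -= 1                   # failure is recorded on the card
        return False


def exposure(shares, max_tries):
    """Fraction of all cards whose PIN is matched before the card blocks,
    when candidates are tried in descending order of popularity."""
    candidates = sorted(shares, key=shares.get, reverse=True)
    exposed = 0.0
    for pin, share in shares.items():
        card = Card(pin, max_tries)
        if any(card.verify(c) for c in candidates):
            exposed += share
    return exposed


def lockout_demo():
    """After three wrong entries even the correct PIN is refused."""
    card = Card("4071")                        # constructed PIN
    for wrong in ("1234", "1111", "0000"):
        card.verify(wrong)
    return card.blocked, card.verify("4071")


if __name__ == "__main__":
    for limit in (1, 2, 3):
        print(f"limit={limit}: {exposure(QUOTED_SHARES, limit):.0%} of cards matched")
    print("blocked, correct PIN accepted:", lockout_demo())
```

The result depends only on the try limit and on how concentrated PIN choices are, which is why issuers pair the counter with rejecting the most common PINs at selection time.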


Posted

[quote]
Besides the 3 times limit, [u][b]what about the security camera taking your picture[/b][/u] ?
[/quote]

Unfortunately: myth! I had my card cloned. Long story with people saying it can't be done, it's never done - oh look it's been done. Basically my bank trying to find any reason to pin the 4 *


Posted

[quote name='neufuse' timestamp='1356620155' post='595417942']
all the new ATM's around me you still have to put your card into it and it takes it until you are done... and these are brand new systems
[/quote]
Yay! I guess that's one for Honduras, Central America :p

So we have poverty, bad public health care, education, insecurity, no value of life ( eg. getting shot for cellphone)... But we have swiping only ATMS :p

[img]http://www.gratiszona.com/timos/cajero2.jpg[/img]

[img]http://pix.elnuevodiario.com.ni/2010/06/250x250_1276145737_BAC%20empresas.jpg[/img]


Posted

I'd not put my card anywhere near that machine. The plastic bezel on the front looks so fake and "stuck-on", like one of the "skimmers" that people use over here.

Not saying it is, but it looks it.
2 people like this


Posted

[quote name='nik louch' timestamp='1356620955' post='595417970']
Unfortunately: myth! I had my card cloned. Long story with people saying it can't be done, it's never done - oh look it's been done. Basically my bank trying to find any reason to pin the 4 *


Posted

on the topic of safety at the ATM am I the only one who looks for a bank that has them inside before using an ATM?


Posted

The first image is a "sorta" of close up of the second, if you can see, they're not the same, the one we have is the second one, I just needed something that pointed out the "swiping" part :p

Not all our banks have these though, a couple still have the "insert and eat" type.

[quote name='Azusa' timestamp='1356621739' post='595418000'] on the topic of safety at the ATM am I the only one who looks for a bank that has them inside before using an ATM? [/quote]

In third world hell, I just avoid them, unless I really, really have to :s


Posted

[quote]
In my opinion, the fact that it's been proven many times that the PIN can be bypassed easily is more worrying than people using common PIN codes.
[/quote]

It's part of the spec, the ability to bypass - it's a "fallback option" but thus negates all security. However, the onus of responsibility for the chargeback is placed on the terminal/merchant.


Posted

Not sure what Banks you all use, mine USAA locks you out of the online side after 3 errors same as with an ATM, then it takes a phone call to unlock either, stopped trying to enter passwords while not fully awake


Posted

[quote name='neufuse' timestamp='1356620155' post='595417942']
all the new ATM's around me you still have to put your card into it and it takes it until you are done... and these are brand new systems
[/quote]

All of the Bank of America ATMs here were recently changed to where you put the card in and it spits it back out right away, then you enter your pin. I think it is to stop people from 1: forgetting to press "Done" and 2: leaving their cards behind.

And if the person drives away now before pressing done, and they request any other transaction they have to re-put their pin number back in.

