Cracking Your PIN Code: Easy as 1-2-3-4

data genetics splashdata security birth year

54 replies to this topic

#1 Hum

Hum

Posted 27 December 2012 - 14:39

If you lost your ATM card on the street, how easy would it be for someone to correctly guess your PIN and proceed to clean out your savings account? Quite easy, according to data scientist Nick Berry, founder of Data Genetics, a Seattle technology consultancy.

Berry analyzed passwords from previously released and exposed tables and security breaches, filtering the results to just those that were exactly four digits long [0-9]. There are 10,000 possible combinations that the digits 0-9 can be arranged into to form a four-digit code. Berry analyzed those to find which are the least and most predictable. He speculates that, if users select a four-digit password for an online account or other web site, it's not a stretch to use the same number for their four-digit bank PIN codes.

What he found, he says, was a "staggering lack of imagination" when it comes to selecting passwords. Nearly 11% of the 3.4 million four-digit passwords he analyzed were 1234. The second most popular PIN is 1111 (6% of passwords), followed by 0000 (2%). (Last year SplashData compiled a list of the most common numerical and word-based passwords and found that "password" and "123456" topped the list.)

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

We don't like hard-to-remember numbers and "no one thinks their wallet will get stolen," Berry says.

Many of the commonly used passwords are, of course, dates: birthdays, anniversaries, year of birth, etc. Indeed, using a year, starting with 19__, helps people remember their code, but it also increases its predictability, Berry says. His analysis shows that every single 19__ combination can be found in the top 20% of the dataset.

more


#2 +Nik L

Nik L

Posted 27 December 2012 - 14:41

Seriously, how hard is it to randomly press 4 numbers and remember it?

#3 Astra.Xtreme

Astra.Xtreme

Posted 27 December 2012 - 14:46

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

#4 Pupik

Pupik

Posted 27 December 2012 - 14:48

Is this USA based only, or are there crazy banks in other countries that don't have a security feature on the ATMs that just "eats" the card if you input the wrong pin three times and the only way to get the card back is to go to the bank?

#5 +Nik L

Nik L

Posted 27 December 2012 - 14:49

In the UK and most of mainland Europe I know it gives you 3 attempts before it noms your card!

#6 Draconian Guppy

Draconian Guppy

Posted 27 December 2012 - 14:52

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

Only old ATMs eat the cards, the new ones are swipe only. However, most block the card after 3 attempts.

#7 Wakers

Wakers

Posted 27 December 2012 - 14:52

True funny / sad story.

My secondary bank, Barclays, sent me a new debit card a couple of months after the last big article came online about the poor choice of pin codes that people were using.

Do you know the random code they sent me with the new card? 1986. Not only did it commit the mistake of starting with 19, but it also happened to be my year of birth. They got a very sarcastic email from me praising their competence and linking back to the online report.

They apologised, at least.

#8 Nick H.

Nick H.

Posted 27 December 2012 - 14:54

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers

That's terrible, but most cards only allow you three attempts before blocking, don't they? Which means that out of those 20 combinations you only have 3 attempts, which is...a 15% (I was never good at maths) chance of cracking a card that uses one of those 20 combinations?
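The analysis described in the quoted article and the three-attempt limit raised in the replies, as an added example that is not part of the thread and not Berry's own code: it filters a corpus to entries of exactly four digits, ranks them, and computes what share of accounts the N most common values cover, plus an issuer-side check that rejects predictable PINs. The corpus is constructed sample data, and the function names are assumptions.

```python
import re
from collections import Counter

FOUR_DIGITS = re.compile(r"[0-9]{4}")  # ASCII digits only, exactly four

def pin_frequencies(passwords):
    """Keep only entries that are exactly four digits and count them."""
    return Counter(p for p in passwords if FOUR_DIGITS.fullmatch(p))

def coverage(freq, attempts):
    """Share of accounts whose PIN is among the `attempts` most common
    values, i.e. the exposure that remains under a lockout limit."""
    total = sum(freq.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in freq.most_common(attempts)) / total

def weak_pin_reason(pin, freq, blocklist_size=20):
    """Hypothetical issuer-side check: why `pin` should be rejected, or None."""
    if not FOUR_DIGITS.fullmatch(pin):
        return "not four digits"
    if pin in {p for p, _ in freq.most_common(blocklist_size)}:
        return "among the most common PINs"
    if pin.startswith("19"):
        return "looks like a birth year (19__)"
    if len(set(pin)) == 1:
        return "single repeated digit"
    return None

# Constructed sample corpus (not real breach data): 20 four-digit
# entries plus noise that the filter must drop.
SAMPLE = (["1234"] * 6 + ["1111"] * 3 + ["0000"] * 2
          + ["1986", "7777", "2580", "4071", "9305",
             "5826", "3718", "8462", "6153"]
          + ["password", "123456", "12345", "123", "12a4"])

if __name__ == "__main__":
    freq = pin_frequencies(SAMPLE)
    for limit in (1, 3, 20):
        print(f"lockout after {limit:2d} tries -> {coverage(freq, limit):.0%} exposed")
    # The sample is tiny, so a blocklist of 3 stands in for a top-20 list.
    for pin in ("1234", "1986", "7777", "4071"):
        print(pin, "->", weak_pin_reason(pin, freq, blocklist_size=3) or "accepted")
```

The exposure under a lockout is the sum of the frequencies of the most common values, so it depends on how skewed the distribution is rather than on the ratio of attempts to candidates.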

#9 Soldiers33

Soldiers33

Posted 27 December 2012 - 14:54

Exactly what I was going to say. It doesn't take a genius to realize it's easy to guess when you have unlimited tries, but as we have here in UK 2 incorrect attempts and card is gone.

#10 Azusa

Azusa

Posted 27 December 2012 - 14:55

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.

#11 Soldiers33

Soldiers33

Posted 27 December 2012 - 14:55

I meant 3, sorry.

#12 vetneufuse

neufuse

Posted 27 December 2012 - 14:55

Only old ATMs eat the cards, the new ones are swipe only. However, most block the card after 3 attempts.


All the new ATMs around me you still have to put your card into it and it takes it until you are done... and these are brand new systems.

#13 Pupik

Pupik

Posted 27 December 2012 - 14:57

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.

My pin code for my card is 6834. Now come and try to get the card from me (it's valid until 07/13, so take your time).

#14 OP Hum

Hum

Posted 27 December 2012 - 14:57

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.


^ I have no idea what that means. Biometrics ... ?

Besides the 3 times limit, what about the security camera taking your picture?

Unless it's winter and you are bundled up, someone is going to know your face.

#15 Geoffrey B.

Geoffrey B.

Posted 27 December 2012 - 15:01

unless you are like my bank and if you mess up your pin 4 times they lock you out for 24 hours, mess it up 2 days in a row and you are locked out for a month, lock it out after that and they kill your card and ship you a new one.