Cracking Your PIN Code: Easy as 1-2-3-4


Hum

If you lost your ATM card on the street, how easy would it be for someone to correctly guess your PIN and proceed to clean out your savings account? Quite easy, according to data scientist Nick Berry, founder of Data Genetics, a Seattle technology consultancy.

Berry analyzed passwords from previously released and exposed tables and security breaches, filtering the results to just those that were exactly four digits long [0-9]. There are 10,000 possible combinations that the digits 0-9 can be arranged into to form a four-digit code. Berry analyzed those to find which are the least and most predictable. He speculates that, if users select a four-digit password for an online account or other web site, it's not a stretch to use the same number for their four-digit bank PIN codes.

What he found, he says, was a "staggering lack of imagination" when it comes to selecting passwords. Nearly 11% of the 3.4 million four-digit passwords he analyzed were 1234. The second most popular PIN is 1111 (6% of passwords), followed by 0000 (2%). (Last year SplashData compiled a list of the most common numerical and word-based passwords and found that "password" and "123456" topped the list.)

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

We don't like hard-to-remember numbers and "no one thinks their wallet will get stolen," Berry says.

Many of the commonly used passwords are, of course, dates: birthdays, anniversaries, year of birth, etc. Indeed, using a year, starting with 19__, helps people remember their code, but it also increases its predictability, Berry says. His analysis shows that every single 19__ combination can be found in the top 20% of the dataset.

+Dick Montage

Seriously, how hard is it to randomly press 4 numbers and remember it?

  • Like 1
Astra.Xtreme

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

  • Like 7
Pupik

Is this USA based only, or are there crazy banks in other countries that don't have a security feature on the ATMs that just "eats" the card if you input the wrong pin three times and the only way to get the card back is to go to the bank?

+Dick Montage

In the UK and most of mainland Europe I know it gives you 3 attempts before it noms your card!

Draconian Guppy

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

Only old ATMs eat the cards, the new ones are swipe only. However most block the card after 3 attempts.

  • Like 1
Wakers

True funny / sad story.

My secondary bank, Barclays, sent me a new debit card a couple of months after the last big article came online about the poor choice of pin codes that people were using.

Do you know the random code they sent me with the new card? 1986. Not only did it commit the mistake of starting with 19, but it also happened to be my year of birth. They got a very sarcastic email from me praising their competence and linking back to the online report.

They apologised, at least.

  • Like 2
Nick H.

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers

That's terrible, but most cards only allow you three attempts before blocking, don't they? Which means that out of those 20 combinations you only have 3 attempts, which is...a 15% (I was never good at maths) chance of cracking a card that uses one of those 20 combinations?

Soldiers33

Exactly what I was going to say. It doesn't take a genius to realize it's easy to guess when you have unlimited tries, but as we have here in the UK, 2 incorrect attempts and the card is gone.

Azusa

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.

Soldiers33

I meant 3, sorry.

neufuse

Only old ATMs eat the cards, the new ones are swipe only. However most block the card after 3 attempts.

All the new ATMs around me, you still have to put your card into it and it takes it until you are done... and these are brand new systems.

Pupik

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.

My pin code for my card is 6834. Now come and try to get the card from me (it's valid until 07/13, so take your time).

Hum

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.

^ I have no idea what that means. Biometrics ... ?

Besides the 3 times limit, what about the security camera taking your picture?

Unless it's winter and you are bundled up, someone is going to know your face.

Geoffrey B.

Unless you are like my bank: if you mess up your PIN 4 times they lock you out for 24 hours, mess it up 2 days in a row and you are locked out for a month, lock it out after that and they kill your card and ship you a new one.

n_K

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

This guy obviously doesn't have a clue how smart cards (bank cards) work, then. They're pretty similar to SIM cards in that you have 3 attempts to input the correct PIN. The bank machine transmits the PIN to the card; if it is wrong, it is not the bank machine that logs it but the smart card. After 3 wrong attempts, the smart card refuses to accept any more PIN numbers and locks itself out (there is no PUK code for bank cards as there is for SIM cards), and so the machine keeps it. Older cards would just refuse to accept any more PIN attempts but keep all the data in the smart card; newer cards destroy all data on the card when 3 attempts have failed, because you can in theory reset the count or read off the data using a very powerful microscope, though you'd have to know exactly where to look.

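
Putting numbers to the two points above (Nick H.'s "3 attempts out of 20" question and n_K's description of the card-side retry counter), here is an added example that is not from the article or any poster. It uses only the percentages quoted in the thread (1234 about 11%, 1111 6%, 0000 2%, the top 20 codes 26.83% together); how ranks 4 to 20 split the remainder, and the counter resetting on a correct PIN, are assumptions, as is the issuance check that would have caught the 1986 Barclays sent Wakers.

```python
import hmac

# Figures quoted in the thread (share of the 3.4 million four-digit passwords
# Berry analysed); the top-20 total is his 26.83%. Everything else is assumed.
COMMON_PINS = {"1234": 0.11, "1111": 0.06, "0000": 0.02}
TOP20_SHARE = 0.2683
PIN_SPACE = 10_000  # 0000..9999


def guess_success(attempts: int) -> float:
    """Probability that someone trying the most common codes first has the PIN
    within `attempts` tries. Only the first three frequencies are quoted
    individually, so ranks 4..20 are assumed to share the rest of the top-20
    figure evenly; the thread gives no data beyond 20, so we cap there."""
    ranked = sorted(COMMON_PINS.values(), reverse=True)
    if attempts <= len(ranked):
        return sum(ranked[:attempts])
    if attempts >= 20:
        return TOP20_SHARE
    per_rank = (TOP20_SHARE - sum(ranked)) / (20 - len(ranked))
    return sum(ranked) + per_rank * (attempts - len(ranked))


def uniform_success(attempts: int) -> float:
    """Same question if every PIN were chosen uniformly at random."""
    return attempts / PIN_SPACE


class PinTryCounter:
    """Card-side retry counter as n_K describes it: the card, not the terminal,
    counts wrong PINs and refuses further attempts once LIMIT is reached.
    Assumption (standard EMV behaviour, not stated in the thread): a correct
    PIN resets the counter."""
    LIMIT = 3

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self.remaining = self.LIMIT

    def verify(self, candidate: str) -> str:
        if self.remaining == 0:
            return "locked"
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.remaining = self.LIMIT
            return "ok"
        self.remaining -= 1
        return "locked" if self.remaining == 0 else "wrong"


def pin_is_weak(pin: str) -> bool:
    """Issuance/selection check for the codes the thread singles out: the three
    most common PINs and any 19xx year (Berry: every 19__ code sits in the top
    20%). Barclays' 1986 from Wakers' post would be rejected here."""
    if len(pin) != 4 or not pin.isdigit():
        return True
    return pin in COMMON_PINS or pin.startswith("19")


if __name__ == "__main__":
    for n in (1, 3, 20):
        print(f"{n:2d} tries: common-first {guess_success(n):.2%}, "
              f"uniform {uniform_success(n):.2%}")
    card = PinTryCounter("6834")  # Pupik's (long expired) PIN from the thread
    print([card.verify(p) for p in ("1234", "1111", "0000", "6834")])
    print({p: pin_is_weak(p) for p in ("1986", "1234", "6834")})
```

With a 3-try lock the common-first guesser still lands on about 19% of cards, roughly 600 times the 0.03% a uniform PIN choice would give, which is why issuers block the obvious codes rather than rely on the counter alone.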
+Dick Montage

Besides the 3 times limit, what about the security camera taking your picture?

Unfortunately: myth! I had my card cloned. Long story with people saying it can't be done, it's never done - oh look, it's been done. Basically my bank was trying to find any reason to pin the 4 * £50 withdrawals on me (4 spots around London, on a day I could prove I was in Leicester). I got the police involved (even though my bank tried to convince me otherwise and to take the £200 hit myself). I knew nobody would be caught/arrested, but the point of police involvement was to call the bank's bluff. Anyway, the police told me that there are no cameras in the majority of ATMs.

Draconian Guppy

All the new ATMs around me, you still have to put your card into it and it takes it until you are done... and these are brand new systems.

Yay! I guess that's one for Honduras, Central America :p

So we have poverty, bad public health care, education, insecurity, no value of life (e.g. getting shot for a cellphone)... But we have swipe-only ATMs :p

[image: cajero2.jpg]

[image: 250x250_1276145737_BAC%20empresas.jpg]

+Dick Montage

I'd not put my card anywhere near that machine. The plastic bezel on the front looks so fake and "stuck-on", like one of the "skimmers" that people use over here.

Not saying it is, but it looks it.

  • Like 2
Brian M.

Unfortunately: myth! I had my card cloned. Long story with people saying it can't be done, it's never done - oh look, it's been done. Basically my bank was trying to find any reason to pin the 4 * £50 withdrawals on me (4 spots around London, on a day I could prove I was in Leicester). I got the police involved (even though my bank tried to convince me otherwise and to take the £200 hit myself). I knew nobody would be caught/arrested, but the point of police involvement was to call the bank's bluff. Anyway, the police told me that there are no cameras in the majority of ATMs.

I had a similar issue with Lloyds TSB - had my card "cloned" and spent in France. The bank told me outright that they were not responsible and that I must have given my PIN to someone. I complained to the FSA, who found that Lloyds had authorised the transactions on my cloned card without chip and PIN (when they got the signature from the retailer, it was actually an exact copy of mine from the card, but I could prove I wasn't in France at that time), and made Lloyds pay out the £150, plus £140 odd in compensation for my time.

In my opinion, the fact that it's been proven many times that the PIN can be bypassed easily is more worrying than people using common PIN codes.

Azusa

On the topic of safety at the ATM, am I the only one who looks for a bank that has them inside before using an ATM?

Draconian Guppy

The first image is "sort of" a close-up of the second; if you can see, they're not the same. The one we have is the second one, I just needed something that pointed out the "swiping" part :p

Not all our banks have these though, a couple still have the "insert and eat" type.

On the topic of safety at the ATM, am I the only one who looks for a bank that has them inside before using an ATM?

In third world hell, I just avoid them, unless I really, really have to :s

+Dick Montage

In my opinion, the fact that it's been proven many times that the PIN can be bypassed easily is more worrying than people using common PIN codes.

It's part of the spec, the ability to bypass - it's a "fallback option" but thus negates all security. However, the onus of responsibility for the chargeback is placed on the terminal/merchant.

Anibal P

Not sure what banks you all use; mine, USAA, locks you out of the online side after 3 errors, same as with an ATM, then it takes a phone call to unlock either. Stopped trying to enter passwords while not fully awake.

xendrome

All the new ATMs around me, you still have to put your card into it and it takes it until you are done... and these are brand new systems.

All of the Bank of America ATMs here were recently changed to where you put the card in and it spits it back out right away, then you enter your PIN. I think it is to stop people from forgetting to 1: press "Done" and 2: leaving their cards behind.

And if the person drives away now before pressing Done, and they request any other transaction, they have to put their PIN back in.
