Cracking Your PIN Code: Easy as 1-2-3-4

By Hum
in Back Page News

 Share

Recommended Posts

Grand Master

Hum

Posted
Posted

If you lost your ATM card on the street, how easy would it be for someone to correctly guess your PIN and proceed to clean out your savings account? Quite easy, according to data scientist Nick Berry, founder of Data Genetics, a Seattle technology consultancy.

Berry analyzed passwords from previously released and exposed tables and security breaches, filtering the results to just those that were exactly four digits long [0-9]. There are 10,000 possible combinations that the digits 0-9 can be arranged into to form a four-digit code. Berry analyzed those to find which are the least and most predictable. He speculates that, if users select a four-digit password for an online account or other web site, it's not a stretch to use the same number for their four-digit bank PIN codes.

What he found, he says, was a "staggering lack of imagination" when it comes to selecting passwords. Nearly 11% of the 3.4 million four-digit passwords he analyzed were 1234. The second most popular PIN in is 1111 (6% of passwords), followed by 0000 (2%). (Last year SplashData compiled a list of the most common numerical and word-based passwords and found that "password" and "123456" topped the list.)

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

We don't like hard-to-remember numbers and "no one thinks their wallet will get stolen," Berry says.

Many of the commonly used passwords are, of course, dates: birthdays, anniversaries, year of birth, etc. Indeed, using a year, starting with 19__, helps people remember their code, but it also increases its predictability, Berry says. His analysis shows that every single 19__ combination be found in the top 20% of the dataset.

more

Grand Master

Astra.Xtreme

Posted
Posted

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

Grand Master

Draconian Guppy

Posted
Posted

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

Only old ATMS eat the cards, the new ones are swipe only. However most block the card after 3 attempts.

Veteran

Wakers

Posted
Posted

True funny / sad story.

My secondary bank, Barclays, sent me a new debit card a couple of months after the last big article came online about the poor choice of pin codes that people were using.

Do you know the random code they sent me with the new card? 1986. Not only did it commit the mistake of starting with 19, but it also happened to be my year of birth. They got a very sarcastic email from me praising their competence and linking back to the online report.

They apoligised, at least.

  • oliver182 and gawicks
  • Like 2
Grand Master

Nick H. Supervisor

Posted
  • Supervisor
Posted
Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers

That's terrible, but most cards only allow you three attempts before blocking, don't they? Which means that out of those 20 combinations you only have 3 attempts, which is...a 15% (I was never good at maths) chance of cracking a card that uses one of those 20 combinations?

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted

Only old ATMS eat the cards, the new ones are swipe only. However most block the card after 3 attempts.

all the new ATM's around me you still have to put your card into it and it takes it until you are done... and these are brand new systems

Grand Master

Hum

Posted
  • Author
Posted

you'd need some form of cutting tool and a battery cause only my right hand knows my pin.

^ I have no idea what that means. Biometrics ... ?

Besides the 3 times limit, what about the security camera taking your picture ?

Unless it's winter and you are bundled up, someone is going to know your face.

Grand Master

LittleNeutrino Veteran

Posted
  • Veteran
Posted

unless you are like my bank and if you mess up your pin 4 times they lock you out for 24 hours, mess it up 2 days in a row and you are locked out for a month, lock it out after that and they kill your card and ship you a new one.

Grand Master

n_K

Posted
Posted

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

This guy obviously doesn't have a clue how smart cards (bank cards) work then, they're pretty similiar to SIM cards in that you have 3 attempts to input the correct pin, the bank machine transmits the PIN to the card, if it is wrong, it is not the bank machine that logs it but the smart card, after 3 wrong attempts, the smart card refuses to accept any more pin numbers and locks itself out (there is no PUK code for bank cards as there are SIM cards) and so the machine keeps it. Older cards would just refuse to accept any more PIN attempts but keep all the data in the smart card, newer cards destroy all data on the card when 3 attempts have been failed, because you can in theory reset the count or read off the data using a very powerful microscope though you'd have to know exactly where to look.

Grand Master

+Nik Louch Subscriber²

Posted
  • Subscriber²
Posted

Besides the 3 times limit, what about the security camera taking your picture ?

Unfortunately: myth! I had my card cloned. Long story with people saying it can't be done, it's never done - oh look it's been done. Basically my bank trying to find any reason to pin the 4 * ?50 withdrawals on me (4 spots around London, on a day I could prove I was in Leicester). I got the police involved (even though my bank tried to convince me otherwise and take the ?200 hit myself). I knew nobody would be caught/arrested but point of calling police involvement was to call the banks bluff. Anyway, police told me that there are no cameras in the majority of ATMs.

Grand Master

Draconian Guppy

Posted
Posted

all the new ATM's around me you still have to put your card into it and it takes it until you are done... and these are brand new systems

Yay! I guess that's one for Honduras, Central America :p

So we have poverty, bad public health care, education, insecurity, no value of life ( eg. getting shot for cellphone)... But we have swiping only ATMS :p

cajero2.jpg

250x250_1276145737_BAC%20empresas.jpg

Grand Master

+Nik Louch Subscriber²

Posted
  • Subscriber²
Posted

I'd not put my card anywhere near that machine. The plastic bezel on the front looks so fake and "stuck-on", like one of the "skimmers" that people use over here.

Not saying it is, but it looks it.

  • +Majesticmerc and +hedleigh
  • Like 2
Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

Unfortunately: myth! I had my card cloned. Long story with people saying it can't be done, it's never done - oh look it's been done. Basically my bank trying to find any reason to pin the 4 * ?50 withdrawals on me (4 spots around London, on a day I could prove I was in Leicester). I got the police involved (even though my bank tried to convince me otherwise and take the ?200 hit myself). I knew nobody would be caught/arrested but point of calling police involvement was to call the banks bluff. Anyway, police told me that there are no cameras in the majority of ATMs.

I had a similar issue with Lloyds TSB - had my card "cloned" and spent in France. Bank told me outright that they were not responsible, and I must have given my PIN to someone. I complained to the FSA, who found that Lloyds had authorised the transactions on my cloned card without chip and pin (when they got the signature from the retailer, it was actually an exact copy of mine from the card, but I could prove I wasn't in France at that time), and made Lloyds pay out the ?150, plus ?140 odd in compensation for my time.

In my opinion, the fact that it's been proven many times that the PIN can be bypassed easily is more worrying than people using common PIN codes.

Grand Master

Draconian Guppy

Posted
Posted

The first image is a "sorta" of close up of the second, if you can see, they're not the same, the one we have is the second one, I just needed something that pointed out the "swiping" part :p

Not all our banks have these though, a couple still have the "insert and eat" type.

on the topic of safety at the ATM am I the only one who looks for a bank that has them inside before using an ATM?

In third world hell, I just avoid them, unless I really, really have too :s

Grand Master

+Nik Louch Subscriber²

Posted
  • Subscriber²
Posted

In my opinion, the fact that it's been proven many times that the PIN can be bypassed easily is more worrying than people using common PIN codes.

It's part of the spec, the ability to bypass - it's a "fallback option" but thus negates all security. However, the onus of responsibility for the chargeback is placed on the terminal/merchant.

Grand Master

Anibal P

Posted
Posted

Not sure what Banks you all use, mine USAA locks you out of the online side after 3 errors same as with an ATM, then it takes a phone call to unlock either, stopped trying to enter passwords while not fully awake

Grand Master

xendrome

Posted
Posted

all the new ATM's around me you still have to put your card into it and it takes it until you are done... and these are brand new systems

All of the Bank of America ATM's here were recently changed to where you put the card in and it spits it back out right away, then you enter your pin. I think it is to stop people from forgetting to 1: Press "Done' and 2: Leaving their cards behind.

And if the person drives away now before pressing done, and they request any other transaction they have to re-put their pin number back in.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Microsoft is making Windows 11's context menus faster, simpler, and configurable

      By +Nik Louch · Posted

      I don't hate the new menus, I am not a fan of the lack of features and how they went live when they clearly are not complete. The menu itself presents much better than the previous - but what's lacking (IMO) is: 1) Any kind of automated manipulation such as: "this goes on the new menu because you use this feature more often on this filetype" "this is rarely used and will fall back to the old menu" 2) Any kind of user manipulation such as: "a UI to add/remove/order items to the new menu"
    • AV2, successor to popular YouTube, Netflix, Amazon codec AV1, has a hard battle ahead

      By rdr2y2k · Posted

      as they say the best time to do it is now .
    • Microsoft is making Windows 11's context menus faster, simpler, and configurable

      By Yogurth · Posted

      The biggest issue in this version of Win 11 context menu, from usability standpoint, is the movable row with basic commands. Think of a car analogy...if You turn the week left the infotainment screen will move right and vice versa. With how it works now Microsoft made something forbidden in designing in any UI, software or hardware. I can't grasp who were the morons within Microsoft suggesting it was a good idea and gave it a green light.
    • LibreOffice 26.2.4

      By Copernic · Posted

      LibreOffice 26.2.4 by Razvan Serea LibreOffice is the free power-packed Open Source personal productivity suite for Windows, Macintosh and Linux, that gives you six feature-rich applications for all your document production and data processing needs: Writer, Calc, Impress, Draw, Math and Base. Support and documentation is free from our large, dedicated community of users, contributors and developers. You, too, can also get involved! Choosing Between LibreOffice Still and LibreOffice Fresh: LibreOffice Still is a good choice if you value stability, a longer support cycle, and a more conservative approach to software updates. It's suitable for businesses and organizations where reliability and compatibility are crucial. LibreOffice Fresh is ideal if you're an enthusiast or an early adopter who wants to stay on the cutting edge of LibreOffice development and is willing to accept more frequent updates and occasional minor issues. Features: Writer is the word processor inside LibreOffice. Use it for everything, from dashing off a quick letter to producing an entire book with tables of contents, embedded illustrations, bibliographies and diagrams. The while-you-type auto-completion, auto-formatting and automatic spelling checking make difficult tasks easy (but are easy to disable if you prefer). Writer is powerful enough to tackle desktop publishing tasks such as creating multi-column newsletters and brochures. The only limit is your imagination. Calc tames your numbers and helps with difficult decisions when you're weighing the alternatives. Analyze your data with Calc and then use it to present your final output. Charts and analysis tools help bring transparency to your conclusions. A fully-integrated help system makes easier work of entering complex formulas. Add data from external databases such as SQL or Oracle, then sort and filter them to produce statistical analyses. Use the graphing functions to display large number of 2D and 3D graphics from 13 categories, including line, area, bar, pie, X-Y, and net - with the dozens of variations available, you're sure to find one that suits your project. Impress is the fastest and easiest way to create effective multimedia presentations. Stunning animation and sensational special effects help you convince your audience. Create presentations that look even more professional than the standard presentations you commonly see at work. Get your collegues' and bosses' attention by creating something a little bit different. Draw lets you build diagrams and sketches from scratch. A picture is worth a thousand words, so why not try something simple with box and line diagrams? Or else go further and easily build dynamic 3D illustrations and special effects. It's as simple or as powerful as you want it to be. Base is the database front-end of the LibreOffice suite. With Base, you can seamlessly integrate into your existing database structures. Based on imported and linked tables and queries from MySQL, PostgreSQL or Microsoft Access and many other data sources, you can build powerful databases containing forms, reports, views and queries. Full integration is possible with the in-built HSQL database. Math is a simple equation editor that lets you lay-out and display your mathematical, chemical, electrical or scientific equations quickly in standard written notation. Even the most-complex calculations can be understandable when displayed correctly. E=mc2. LibreOffice also comes configured with a PDF file creator, meaning you can distribute documents that you're sure can be opened and read by users of almost any computing device or operating system. LibreOffice also comes configured with a PDF file creator, meaning you can distribute documents that you're sure can be opened and read by users of almost any computing device or operating system. Download: LibreOffice 64-bit | LibreOffice 32-bit ~300.0 MB (Open Source) View: LibreOffice Website | Screenshot | Release Notes Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Amazon eero Pro 6E mesh Wi-Fi system 2-pack is 27% off

      By Ivan Jenic · Posted

      Amazon eero Pro 6E mesh Wi-Fi system 2-pack is 27% off by Ivan Jenic The Amazon eero Pro 6E mesh Wi-Fi system is currently $239.99 on Amazon for the 2-pack, down from $329.99. That's 27% off and $90 saved for a solid Wi-Fi solution that covers your entire home (purchase link down below). The 2-pack covers up to 4,000 square feet (372 square meters) and supports 100+ connected devices, which handles the vast majority of home setups without breaking a sweat. Wi-Fi 6E brings access to the 6 GHz band for lower latency across the network, and the 2.5 Gb Ethernet port supports gigabit+ internet plans if your ISP offers them. eero's TrueMesh technology handles traffic routing automatically, so you're not manually managing which devices connect to which node. You set up the entire thing through the eero app, and the entire process takes a few minutes. The system also receives automatic security updates in the background, so once you set it up, you don't have to worry about compatibility issues. If you're covering a larger home or want more nodes, the 3-pack is $329.99 and the 4-pack is $479.98, both at similar discount levels. It's worth mentioning that a newer model exists, which is likely the reason for the discount, but the Pro 6E is still perfectly capable hardware for most homes. Amazon eero Pro 6E mesh Wi-Fi system 2-pack - $239.99 | 27% off on Amazon This Amazon deal is US-specific and not available in other regions unless specified. This is a first-party seller link (at the time of article publishing); ensure that you also purchase from a first-party seller link only. If you don't like it or want to look at more options, check out the previous deals that we have covered, OR you can also visit Amazon US deals page. Get Prime (SNAP), Prime Video, Audible Plus or Kindle / Music Unlimited. Free for 30 days. As an Amazon Associate, we earn from qualifying purchases.

  • Recent Achievements

    • Week One Done
      I2D earned a badge
      Week One Done
    • Week One Done
      Dr Jared Dental Studio earned a badge
      Week One Done
    • Week One Done
      RG INVESTMENT GROUP earned a badge
      Week One Done
    • Very Popular
      The Norwegian Drone Pilot earned a badge
      Very Popular
    • Very Popular
      s0nic69 earned a badge
      Very Popular

  • Popular Contributors

    1. 1
      +primortal
      484
    2. 2
      PsYcHoKiLLa
      258
    3. 3
      Skyfrog
      84
    4. 4
      FloatingFatMan
      64
    5. 5
      Michael Scrip
      63
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!