September 13, 2012 at 03:31Is it difficult to guess the PIN code?
- Transfer
Despite the important role of PIN codes in the global infrastructure, no academic studies have yet been conducted on how, in fact, people choose PIN codes. Researchers at the University of Cambridge Sören Preibusch and Ross Anderson corrected the situation by publishing the world's first quantitative analysis of the difficulty of guessing a 4-digit banking PIN.
Using data on password leaks from non-banking sources and online questioning, scientists found that users are more serious about choosing PIN codes than choosing passwords for websites: most codes contain an almost random set of numbers. Nevertheless, among the source data there are both simple combinations and birthdays - that is, with some luck, an attacker can just guess the cherished code.
The starting point of the study was a set of 4-digit sequences in passwords from the RockYou database (1.7 million), and a database of 200 thousand PIN codes from the iPhone screen lock program (the database was provided by application developer Daniel Amitay). In the charts built on this data, interesting patterns appear - dates, years, repeating digits, and even PIN codes ending in 69. Based on these observations, scientists built a linear regression model that estimates the popularity of each PIN code depending on 25 factors, such as whether the code is a DDMM date, whether it is an increasing sequence, and so on. 79% and 93% of the PIN codes in each set correspond to these general conditions.
So, users choose 4-digit codes based on just a few simple factors. If bank PINs were chosen this way, 8–9% of them could be guessed in just three attempts! But, of course, people are more attentive to bank codes. Due to the lack of any large set of real banking data, the researchers interviewed more than 1300 people to assess how real the PIN-codes differ from those already considered. Given the specifics of the study, the respondents were asked not about the codes themselves, but only about their compliance with any of the above factors (increase, DDMM format, etc.).
It turned out that people really much more carefully choose bank PIN codes. About a quarter of respondents use a random PIN generated by the bank. More than a third choose their PIN using an old phone number, student card number, or other set of numbers that looks random. According to the results, 64% of cardholders use a pseudo-random PIN code, which is much more than 23-27% in previous experiments with non-bank codes. Another 5% use a digital pattern (for example, 4545), and 9% prefer a pattern on the keyboard (for example, 2684). In general, an attacker with six attempts (three with an ATM and three with a payment terminal) has less than 2% chance of guessing the PIN code of someone else's card.
| Factor | Example | Rockyou | iPhone | Poll |
|---|---|---|---|---|
| Dates | ||||
| DDMM | 2311 | 5.26 | 1.38 | 3.07 |
| DMGG | 3876 | 9.26 | 6.46 | 5.54 |
| MMDD | 1123 | 10.00 | 9.35 | 3.66 |
| MMGG | 0683 | 0.67 | 0.20 | 0.94 |
| Yyyy | 1984 | 33.39 | 7.12 | 4.95 |
| Total | 58.57 | 24.51 | 22.76 | |
| Keyboard pattern | ||||
| adjacent | 6351 | 1.52 | 4.99 | - |
| square | 1425 | 0.01 | 0.58 | - |
| angles | 9713 | 0.19 | 1.06 | - |
| cross | 8246 | 0.17 | 0.88 | - |
| diagonal line | 1590 | 0.10 | 1.36 | - |
| horizontal line | 5987 | 0.34 | 1.42 | - |
| word | 5683 | 0.70 | 8.39 | - |
| vertical line | 8520 | 0.06 | 4.28 | - |
| Total | 3.09 | 22.97 | 8.96 | |
| Digital pattern | ||||
| ends at 69 | 6869 | 0.35 | 0.57 | - |
| digits only 0-3 | 2000 | 3.49 | 2.72 | - |
| digits only 0-6 | 5155 | 4.66 | 5.96 | - |
| repeating pairs | 2525 | 2.31 | 4.11 | - |
| same numbers | 6666 | 0.40 | 6.67 | - |
| descending sequence | 3210 | 0.13 | 0.29 | - |
| increasing sequence | 4567 | 3.83 | 4.52 | - |
| Total | 15.16 | 24.85 | 4.60 | |
| Random set of numbers | 23.17 | 27.67 | 63.68 | |
Everything would be fine, but, unfortunately, a significant part of the respondents (23%) choose a PIN code in the form of a date, and almost a third of them use their birth date. This significantly changes the matter, because almost all (99%) of the respondents answered that they keep various identification cards on which this date is printed in a wallet with bank cards. If an attacker knows the birthday of the cardholder, then with a competent approach, the probability of guessing the PIN code takes off up to 9%.
As a solution, the authors suggest that banks ban 100 of the most popular PIN codes - in the general case, this will reduce the probability of guessing to 0.2%.
100 most popular PIN codes
0000, 0101–0103, 0110, 0111, 0123, 0202, 0303, 0404, 0505, 0606, 0707, 0808, 0909, 1010, 1101–1103, 1110–1112, 1123, 1201–1203, 1210–1212, 1234, 1956–2015, 2222, 2229, 2580, 3333, 4444, 5252, 5683, 6666, 7465, 7667.
PS In practice, of course, it is much easier for an attacker to spy your PIN code than to guess it. But you can protect yourself from peeping - even, it would seem, in a hopeless situation: