Consumers, Banks Make It Easy for Criminals to Steal PINs

Simon Zhen

By , Staff Writer
Posted on Thu Feb 23, 2012, Last Updated on Thu Feb 23, 2012

More Columns »

Consumers, Banks Make It Easy for Criminals to Steal PINs

William Grootonk / Flickr source

Using easy-to-guess codes such as “0000” or your birth date as your PIN make it easy for thieves to steal your money. Yet thousands of people employ such easy-to-remember numbers. It’s a remarkably bad idea. And a group of researchers says that banks are as much to blame as are hapless consumers.

In a study conducted by computer security researchers at the University of Cambridge, the majority of respondents used important dates when they were allowed to choose their PINs for their ATM or debit cards.

Furthermore, some banks don’t blacklist certain PINs, allowing customers to pick weak PINs.

“The widespread security role assigned to 4-digit PINs is a historical accident which has received surprisingly little scrutiny,” they wrote in their report.

The primary risk is that a crook steals your wallet — which is full of information that can be used to guess your PIN.

How customers pick their PINs

Nearly 64 percent of respondents had randomly selected their PINs. Of these respondents, 63 percent said they used the PIN that was assigned by the bank or a previous bank. Another 21 percent used random digits from other numbers assigned to them, such as phone numbers or government-issued documentation.

Approximately 23 percent of respondents used a date format. Users’ date of birth, dates of birth of a family member and dates of significant life events were among the top PIN selection methods for these respondents.

About 9 percent used a pattern on the keypad and another 5 percent used a numeric pattern.

More than a third of users employed the same PIN across multiple cards.

Is your PIN easy to guess?

The researchers found that 99 percent of bank customers carried an item in their wallet or purse that contained their date of birth. You most likely do as well.

“A competent thief will gain use of a payment card once every 11-18 stolen wallets, depending on the proportion of banks using a denied PIN list,” the report concluded.

Banks play a role in the scheme of things — they can set limits to which PINs customers can use.

The researchers found that Bank of America, HSBC and Wells Fargo allowed them to pick the PIN “1234.” Citi forbade that request.

“We advise users not to use PINs based on a date of birth, and those banks which do not currently employ blacklists to immediately do so,” the researchers said.

Eventually, the entire banking industry should stop letting customers pick their PINs, the researchers suggested.

Although there are many factors that point to the lack of PIN security, the researchers said that bank customers’ choice of PINs was not as bad their selection of passwords.

But, if your PIN is somehow related to your birth date, it should be changed to cut off this security loophole.

 

Post a Comment