[Owasp-mobile] A birthday present every eleven wallets? The security of customer-chosen banking PINs

Jeffrey Walton noloader at gmail.com
Sat Feb 25 17:12:15 UTC 2012

[From JR on a corproate list. I wonder how applicable this is to
mobile devices guarded by PINs]


Abstract. We provide the first published estimates of the difficulty
of guessing a human-chosen 4-digit PIN. We begin with two large sets
of 4-digit sequences chosen outside banking for online passwords and
smartphone unlock-codes. We use a regression model to identify a small
number of dominant factors in uencing user choice. Using this model
and a survey of over 1,100 banking customers, we estimate the
distribution of banking PINs as well as the frequency of
security-relevant behaviour such as sharing and reusing PINs. We found
that guessing PINs based on the victims' birthday, which nearly all
users carry documentation of, will enable a competent thief to gain
use of an ATM card once for every 11-18 stolen wallets, depending on
whether banks prohibit weak PINs such as 1234. The lesson for
cardholders is to never use one's date of birth as a PIN. The lesson
for card-issuing banks is to implement a denied PIN list, which
several large banks still fail to do. However, blacklists cannot
effectively mitigate guessing given a known birth date, suggesting
banks should move away from customer-chosen banking PINs in the long

More information about the Owasp-mobile mailing list