by Bill Snyder

ATM PIN Numbers: Easier to Steal than You Think

Feb 23, 2012
Data and Information Security, Data Breach, Security

Researchers find that a smart bad guy has a one-in-10 chance of guessing the PIN that guards your bank account.

I’ve always thought that losing one’s ATM card was an inconvenience, but not a likely source of pain, since even a bad guy who finds it wouldn’t have much luck guessing the PIN. Oops. Not true, it turns out, according to researchers at the Computer Laboratory of University of Cambridge.

They found that the odds of cracking a lost card’s four-digit PIN are just under 10 percent if you’ve been foolish enough to select “a really dumb PIN,” they said. If you’ve been smarter, the odds decrease to about 1 in 18.

Because my checking account was compromised recently, I’m very aware of scams and hacks that might lead to another painful incident, so this one got my attention.

The very worst PIN you can pick is one of the most common: your birthday. If you do, and your lost wallet contains your driver’s license — and whose doesn’t — you’re in trouble. “The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do,” said the researchers. Another very common dumb PIN is a simple number sequence, like 1234, which also should be banned, they said, but often isn’t.

The researchers noted that different banks have different standards covering PINs they’ll accept. They found, for example, that Bank of America and Wells Fargo let customers choose “1234” as a PIN, while Citibank does not. Similarly, in England, the venerable Lloyds bank and The Co-Op Bank allowed the dumb PIN, while others would not.
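The researchers’ recommendation above is a denied PIN list on the issuing bank’s side: reject “1234”-style sequences and anything a thief could read off the driver’s license in the same lost wallet. The following is an added example of that check, written for this article and not code from the Cambridge paper or from any bank; it generalizes a little beyond the text by also refusing repeated digits and several date-of-birth layouts (DDMM, MMDD, the year, and two-digit-year combinations). The function names, the rule set and the sample date of birth are all constructed for illustration.

```python
from __future__ import annotations

import re
from datetime import date
from typing import Optional, Set, Tuple


def is_repeated(pin: str) -> bool:
    """True for PINs made of a single digit, e.g. 0000 or 7777."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """True for runs of consecutive digits, ascending (1234) or descending (4321)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def date_derived_pins(dob: date) -> Set[str]:
    """Four-digit PINs that can be assembled from a date of birth.

    Constructed set of layouts: DDMM, MMDD, YYYY, YYMM, MMYY, DDYY, YYDD.
    These are the values the denylist rejects, not a guessing strategy.
    """
    d = f"{dob.day:02d}"
    m = f"{dob.month:02d}"
    y = f"{dob.year:04d}"
    yy = y[2:]
    return {d + m, m + d, y, yy + m, m + yy, d + yy, yy + d}


def check_pin(pin: str, dob: Optional[date] = None) -> Tuple[bool, str]:
    """Bank-side PIN acceptance check: (accepted, reason).

    dob is the cardholder's date of birth as known to the bank from account
    opening; when supplied, any PIN derivable from it is refused.
    """
    if not re.fullmatch(r"\d{4}", pin):
        return False, "PIN must be exactly four digits"
    if is_repeated(pin):
        return False, "repeated digit"
    if is_sequential(pin):
        return False, "sequential digits"
    if dob is not None and pin in date_derived_pins(dob):
        return False, "derived from date of birth"
    return True, "ok"


def denied_count(dob: Optional[date] = None) -> int:
    """How many of the 10,000 possible PINs the denylist removes.

    Without a date of birth only the structural rules apply: 10 repeated-digit
    PINs plus 7 ascending and 7 descending runs, i.e. 24 out of 10,000.
    """
    return sum(1 for n in range(10_000) if not check_pin(f"{n:04d}", dob)[0])


if __name__ == "__main__":
    # Constructed cardholder date of birth, as it would appear on a license.
    sample_dob = date(1970, 3, 14)
    for candidate in ("1234", "7777", "1970", "1403", "8362"):
        print(candidate, check_pin(candidate, sample_dob))
    print("structural rules alone deny", denied_count(), "of 10000 PINs")
```

The structural rules remove only a tiny slice of the keyspace (24 PINs), which is the point: a denylist costs the honest cardholder almost nothing in choice while eliminating exactly the PINs the researchers found are picked most often. The date-of-birth rule is the one that needs the bank’s own customer record, which is why the paper puts the responsibility on the issuer rather than the cardholder.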

ATMs aren’t the only place that PINs play a security role. Four-digit codes are also used on keypads used to unlock doors, smartphones and voice mail accounts.

In 2009, some 32 million passwords were stolen from an online gaming site called RockYou and then made public. Those passwords, plus a smaller database of iPhone log-ins and an online survey of some 1,100 Web users form the basis of the University of Cambridge research paper.

The survey found about one-third of the people interviewed who have more than one ATM-accessible account use the same PIN. And 53 percent share their PIN with someone else, usually a family member.

It also revealed that people aren’t very imaginative when it comes to choosing their PIN: 29% used their own birth date, 26% the birth date of a partner or family member, and 25% an important life event like an anniversary or graduation. If someone, say a teenager who wants to supplement his or her allowance with a quick trip to your bank account, manages to get your ATM card, it wouldn’t take a huge amount of brain power to guess that you’ve used one of those important dates as a PIN.

Ultimately, the best defense is really up to the banks, the researchers conclude. We’d all be safer if users were simply given a complex code and not allowed to select their own PINs. Of course, a lot of us would have trouble remembering those random numbers and would do really dumb stuff like writing them on the back of the ATM card or on a slip of paper in our wallet.