Despite the important role of PIN codes in the global payment infrastructure, no academic research had been carried out on how people choose them.
Researchers from the University of Cambridge, Sören Preibusch and Ross Anderson, rectified the situation by publishing the world's first quantitative analysis of how hard it is to guess a 4-digit bank PIN.
Using data from password leaks at non-banking sources and an online survey, the researchers found that users are more serious about choosing PIN codes than about choosing passwords for websites: most codes consist of an almost random set of digits. However, the source data also contains simple combinations and birthdays, so with some luck an attacker can simply guess the cherished code.
The starting point of the study was a set of 4-digit sequences found in passwords from the RockYou database (1.7 million), plus a database of 200 thousand PIN codes from an iPhone screen-lock application (provided by its developer, Daniel Amitay). Plotting this data reveals interesting patterns: dates, years, repeated digits, and even PIN codes ending in 69. Based on these observations, the researchers built a linear regression model that estimates the popularity of each PIN code from 25 factors, for example whether the code is a date in DDMM format, whether it is an increasing sequence, and so on. These general conditions account for 79% and 93% of the PIN codes in the two data sets respectively.
So users choose 4-digit codes based on just a few simple factors. If banking PIN codes were chosen this way, 8–9% of them could be guessed in just three attempts! But, of course, people treat bank codes much more carefully. In the absence of any large set of real banking data, the researchers surveyed more than 1,300 people to assess how real PIN codes differ from those already examined. Given the sensitivity of the subject, respondents were not asked for the codes themselves, only whether the code matched any of the factors above (increasing sequence, DDMM format, etc.).
It turned out that people really do choose bank PIN codes much more carefully. About a quarter of respondents use a random PIN generated by the bank. More than a third derive their PIN from an old phone number, student ID number, or another set of digits that looks random. Overall, 64% of cardholders use a pseudo-random PIN code, far more than the 23–27% seen in the non-banking data sets. Another 5% use a digit pattern (for example, 4545), and 9% prefer a pattern on the keypad (for example, 2684). All in all, an attacker with six attempts (three at an ATM and three at a payment terminal) has less than a 2% chance of guessing the PIN of someone else's card.
Share of PINs (%) matching each factor in the RockYou, iPhone and survey (poll) data sets:

Factor                 Example   RockYou   iPhone    Poll
Dates
  DDMM                 2311        5.26     1.38     3.07
  DMYY                 3876        9.26     6.46     5.54
  MMDD                 1123       10.00     9.35     3.66
  MMYY                 0683        0.67     0.20     0.94
  YYYY                 1984       33.39     7.12     4.95
  Total                           58.57    24.51    22.76
Keyboard pattern
  adjacent             6351        1.52     4.99        -
  square               1425        0.01     0.58        -
  corners              9713        0.19     1.06        -
  cross                8246        0.17     0.88        -
  diagonal line        1590        0.10     1.36        -
  horizontal line      5987        0.34     1.42        -
  word                 5683        0.70     8.39        -
  vertical line        8520        0.06     4.28        -
  Total                            3.09    22.97     8.96
Digit pattern
  ends in 69           6869        0.35     0.57        -
  only digits 0-3      2000        3.49     2.72        -
  only digits 0-6      5155        4.66     5.96        -
  repeated pair        2525        2.31     4.11        -
  same digits          6666        0.40     6.67        -
  decreasing sequence  3210        0.13     0.29        -
  increasing sequence  4567        3.83     4.52        -
  Total                           15.16    24.85     4.60
Random set of digits               23.17    27.67    63.68
All would be well, but unfortunately a significant share of respondents (23%) choose a date as their PIN code, and almost a third of those use their date of birth. This changes the situation considerably, because almost all respondents (99%) said they carry identity documents with that date printed on them in the same wallet as their bank cards. If the attacker knows the cardholder's birthday, then with the right approach the probability of guessing the PIN code rises to 9%.
As a solution, the authors suggest that banks block the 100 most popular PIN codes; overall, this would reduce the probability of guessing to 0.2%.
P.S. In practice, of course, it is much easier for an attacker to shoulder-surf your PIN code than to guess it. But it is possible to protect yourself from peeping, even in a seemingly impossible situation: