==PIN security==
Financial PINs are often four-digit numbers in the range 0000–9999, resulting in 10,000 possible combinations. Switzerland issues six-digit PINs by default.<ref>{{Cite book|last1=Wang|first1=Ding|last2=Gu|first2=Qianchen|last3=Huang|first3=Xinyi|last4=Wang|first4=Ping|title=Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security |chapter=Understanding Human-Chosen PINs |date=2017-04-02|chapter-url=https://dl.acm.org/doi/10.1145/3052973.3053031|series=Asia CCS '17|language=en|location=Abu Dhabi United Arab Emirates|publisher=ACM|pages=372–385|doi=10.1145/3052973.3053031|isbn=978-1-4503-4944-4|s2cid=14259782}}</ref> Some systems set up default PINs, most allow the customer to set up a PIN or to change the default one, and on some a change of PIN on first access is mandatory. Customers are usually advised not to set up a PIN based on their own or their spouse's birthday, on driver's license numbers, on consecutive or repetitive numbers, or on other such schemes. Some financial institutions do not give out or permit PINs where all digits are identical (such as 1111, 2222, ...), consecutive (1234, 2345, ...), numbers that start with one or more zeroes, or the last four digits of the cardholder's [[social security number]] or birth date.{{citation needed|date=August 2014}} Many PIN verification systems allow three attempts, thereby giving a card thief a putative 0.03% [[probability]] of guessing the correct PIN before the card is blocked.

This holds only if all PINs are equally likely and the attacker has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that financial institutions and ATM manufacturers have used in the past.<ref name="kuhn">{{cite journal | author=Kuhn, Markus | date=July 1997 | title=Probability theory for pickpockets — ec-PIN guessing | url=http://www.cl.cam.ac.uk/~mgk25/ec-pin-prob.pdf | access-date = 2006-11-24}} </ref> Research has been done on commonly used PINs.<ref> {{cite web | url=https://www.theguardian.com/money/blog/2012/sep/28/debit-cards-currentaccounts | title=The most common PINs: is your bank account vulnerable? | author = Nick Berry | date = 28 September 2012 <!-- 12.28 BST --> | publisher = Guardian newspaper website | access-date = 2013-02-25}}</ref> The result is that without forethought, a sizable portion of users may find their PIN vulnerable. "Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders."<ref name="SS1">{{cite web |last=Lundin|first=Leigh| title=PINs and Passwords, Part 1| url=http://www.sleuthsayers.org/2013/08/pins-and-passwords-part-1.html |work=Passwords| publisher=SleuthSayers| location=[[Orlando, Florida|Orlando]]| date=2013-08-04| quote=Armed with only four possibilities, hackers can crack 20% of all PINs.}}</ref> Breakable PINs can worsen with length, to wit:

{{Blockquote| The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789.

As for the remaining 64%, there's a good chance they're using their [[Social Security Number]], which makes them vulnerable. (Social Security Numbers contain their own well-known patterns.)<ref name="SS1" />}}

===Implementation flaws===
In 2002, two PhD students at [[University of Cambridge|Cambridge University]], Piotr Zieliński and Mike Bond, discovered a security flaw in the PIN generation system of the [[IBM 3624]], which was duplicated in most later hardware. Known as the [[decimalization table attack]], the flaw would allow someone who has access to a bank's computer system to determine the PIN for an ATM card in an average of 15 guesses.<ref name="decimalization"> {{cite journal |author1=Zieliński, P |author2=Bond, M |name-list-style=amp | title = Decimalisation table attacks for PIN cracking | version =02453 | publisher = University of Cambridge Computer Laboratory | date = February 2003 | url = http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf | access-date = 2006-11-24}}</ref><ref name="decimalization-media">{{cite web | url=http://www.cl.cam.ac.uk/~mkb23/media-coverage.html | title=Media coverage | publisher=University of Cambridge Computer Laboratory | access-date=2006-11-24 | archive-date=2018-10-20 | archive-url=https://web.archive.org/web/20181020060141/https://www.cl.cam.ac.uk/~mkb23/media-coverage.html | url-status=dead }}</ref>
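As an added illustration, not part of the article, the following Python models the three-attempt lockout arithmetic from the section above: the 0.03% figure under the "all PINs equally likely" assumption, the much higher success of a guesser who knows a skewed PIN distribution, and the effect of the weak-pattern policy (identical, ascending consecutive, or leading-zero PINs rejected). The PIN frequencies in CONSTRUCTED_FREQ are made up for the example and are not survey data.

```python
from fractions import Fraction

# Added example, not from the article: guessing-success model for a four-digit
# PIN when the card locks after a fixed number of attempts.
KEYSPACE = [f"{n:04d}" for n in range(10_000)]

# Constructed masses for a few "popular" PINs (illustrative only, not real data).
CONSTRUCTED_FREQ = {
    "1234": Fraction(107, 1000),
    "1111": Fraction(6, 100),
    "0000": Fraction(2, 100),
    "1212": Fraction(12, 1000),
}


def is_weak(pin: str) -> bool:
    """Patterns the article says some institutions reject: all digits identical,
    ascending consecutive digits, or one or more leading zeroes."""
    if len(set(pin)) == 1:
        return True
    if all(int(b) - int(a) == 1 for a, b in zip(pin, pin[1:])):
        return True
    return pin[0] == "0"


def allowed_pins() -> list:
    return [p for p in KEYSPACE if not is_weak(p)]


def constructed_distribution() -> dict:
    """Named PINs keep their constructed mass; the remainder is spread evenly."""
    freq = dict(CONSTRUCTED_FREQ)
    others = [p for p in KEYSPACE if p not in freq]
    share = (1 - sum(freq.values())) / len(others)
    freq.update({p: share for p in others})
    return freq


def uniform_success(attempts: int, space: int) -> Fraction:
    """Uniform PINs, no side information: k distinct guesses hit with k / |space|."""
    return Fraction(attempts, space)


def informed_success(attempts: int, freq: dict, candidates=None) -> Fraction:
    """A guesser who knows the distribution tries the most likely PINs first.
    If candidates is given, the PIN is known to lie in that set (a policy the
    bank enforces), so the masses are renormalised over it."""
    pool = freq if candidates is None else {p: freq[p] for p in candidates}
    top = sorted(pool.values(), reverse=True)[:attempts]
    return sum(top, Fraction(0)) / sum(pool.values(), Fraction(0))
```

Under the uniform assumption three guesses give exactly 3/10000 (0.03%); with the constructed skew the same three guesses succeed 18.7% of the time, and rejecting the weak patterns brings that back down to about 1.7%, which is why the article's "equally likely" caveat matters.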