For as long as people have been choosing ATM PINs, banks have been advising them not to use an easily guessed four-digit number — no birthdates, anniversaries, Social Security numbers, house numbers, phone numbers, no repeating integers, no simple sequences. And for just as long, people have been using birthdates, anniversaries, Social Security numbers, house numbers, phone numbers, repeating integers and simple sequences as PINs.
Not all people with plastic violate The First Commandment of PINs. But enough do that a blog this week listing the 20 most-used PINs caused a stir online. The blog was posted by DataGenetics, a technology consultancy that mines trends from large databases.
For this particular mining project, the blogger used available databases that had been exposed by hackers to determine that the PIN used by nearly 11 percent of all cardholders is 1234. This sequence is followed in popularity by 1111 (6 percent), 0000 (1.8 percent) and 1212 (1.2 percent). Every combination of numbers that started with 19 appeared in the top fifth of the dataset, suggesting that a significant number of people use a year date for their PIN, which increases the probability that it could be discovered.
But together, the top four represent nearly 20 percent of cardholders. Which ultimately raises the question: "Why don't banks disallow the most predictable PINs?" Actually, there are several reasons why most don't. The biggest:
The customer comes first
An FI (financial institution) doesn't want to start out a relationship with a new customer by telling him what he can't do before he's even slid his minimum deposit across the desk.
The American Bankers Association doesn't take a position on the question of banning PIN options. "Every institution makes their own determination as to how to communicate with their customers regarding ATM safety, generally, and PIN safety, specifically," said Doug Johnson, vice president of risk management policy at the ABA. Instead, he said, banks usually choose to provide educational materials and let the customer make an informed decision.
This is the route that Pittsburgh-based PNC bank takes with customers. Fred Solomon, VP of corporate communications at PNC, cited tips for PIN safety from the bank's website. Number one on the list: "Pick personal identification numbers (PINs) you can easily remember that are not birthday dates, house or phone numbers, or repetitions of a single number. Never write your PIN down on a slip of paper that you keep in your purse or wallet."
If a customer uses a PIN that includes personal information, that can be almost as good as a slip of paper with a PIN written on it, since most people carry their drivers license and bankcard in the same wallet. "If you've [used] some derivation of your birth date and a thief has your wallet, they've essentially got access to your PIN," Johnson said.
Safeguards in the system
But the crook is still going to have to do some lucky guessing at the ATM: the PIN might be one of the top four, or it might be one of the other 9,996 possible four-digit combinations. And in most cases, a thief gets only three attempts before the ATM confiscates the card, which substantially reduces the risk of an account breach.
The myriad (literally — a myriad is 10,000) of potential PINs and the minute odds that a thief will guess anybody's in just a few tries partly explains why the world continues to stick with a four-digit PIN, said Robert Siciliano, CEO of IDTheftSecurity.com and a McAfee consultant.
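The three-attempts argument above can be put into numbers. This is an added example, not code from the article or from DataGenetics: it uses the rounded shares quoted earlier (an approximation of the original dataset) to compare a "most common first" guesser against uniform odds, and encodes the PNC-style advice as a policy check a bank could apply when a PIN is chosen.

```python
"""Added example: quantify the three-attempts argument and check PIN policy.

Frequencies are the rounded figures quoted in the article (a constructed
approximation of the DataGenetics data, not the original dataset).
"""

# Share of cardholders using each of the four most common PINs, as quoted above.
TOP_PINS = {"1234": 0.11, "1111": 0.06, "0000": 0.018, "1212": 0.012}
PIN_SPACE = 10_000  # every four-digit combination (a myriad)
ATTEMPTS = 3        # attempts before the ATM confiscates the card


def guess_success_uniform(attempts=ATTEMPTS, space=PIN_SPACE):
    """Chance of hitting a uniformly random PIN within the allowed attempts."""
    return attempts / space


def guess_success_observed(freqs, attempts=ATTEMPTS):
    """Chance that guessing the most common PINs first hits within the attempts."""
    ranked = sorted(freqs.values(), reverse=True)
    return sum(ranked[:attempts])


def is_predictable(pin, blocklist=TOP_PINS):
    """Policy check mirroring the bank advice cited above: reject PINs that are
    on the top list, a repeated digit, an alternating pair, a simple run, or
    year-like (19xx). Anything that is not four digits is rejected too."""
    if len(pin) != 4 or not pin.isdigit():
        return True
    if pin in blocklist:
        return True
    if len(set(pin)) == 1:                        # 1111, 7777
        return True
    if pin[0] == pin[2] and pin[1] == pin[3]:     # 1212, 2323
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                      # 1234, 4321, 6789
        return True
    if pin.startswith("19"):                      # year-like PINs
        return True
    return False


if __name__ == "__main__":
    uniform = guess_success_uniform()
    observed = guess_success_observed(TOP_PINS)
    print(f"uniform PIN, {ATTEMPTS} tries: {uniform:.4%}")
    print(f"top-list guesser, {ATTEMPTS} tries: {observed:.1%} ({observed / uniform:.0f}x)")
    for pin in ("1234", "1997", "8068"):
        print(pin, "predictable" if is_predictable(pin) else "acceptable")
```

With the quoted shares, the three-try guesser succeeds against roughly 19 percent of cardholders versus 0.03 percent if PINs were chosen uniformly, which is the gap a blocklist like the one in the example is meant to close.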
"[T]here's really no reason to expand beyond 4 digits. Beyond that, the more digits … allowed or required means inevitable customer service calls."
Which gets back to that "easily remembered" advice from PNC Bank. Who doesn't remember their own birthdate — or the first four integers of the numbering system?
Ultimately, banks have bigger things to worry about than making sure customers don't use their birthdate for their PIN. "Frankly, it's ATM skimming that is the larger threat than theft of PIN — or guessing of PIN," said Johnson. "It's really the combined effort of our institutions to ensure that customers are aware of the ways that they can keep themselves safe at the ATM overall — not just the PIN."
For the record, 8068 came in dead last on the list of commonly chosen PINs. But now that the word is out, it won't stay in that spot for long. Because, as the DataGenetics blogger pointed out, "People are notoriously bad at generating random passwords."