If a pickpocket stole your wallet and tried to use your bank card at an ATM, you'd like to think he wouldn't be able to guess your PIN and that your cash would be safe until you canceled your card.
But that's a foolish assumption, according to a team of British researchers, who say that if you chose your own personal identification number, there's almost a 10 percent chance it will be guessed.
"The widespread security role assigned to four-digit PINs is a historical accident which has received surprisingly little scrutiny," researchers Joseph Bonneau, Sören Preibusch and Ross Anderson from the University of Cambridge wrote in their paper, titled: "A birthday present every 11 wallets? The security of customer-chosen banking PINs."
The Cambridge computer researchers analyzed 32 million passwords stolen from the RockYou gaming website in 2009, as well as from a data set of 204,508 iPhone passcodes and interviews with 1,108 Internet users. What they found should alarm everyone who uses their birthday or any other easily guessable number — 1234, 1111 — as their PIN.
"We find that guessing PINs based on the victim's birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234," the researchers wrote. "The lesson for cardholders is to never use one's date of birth as a PIN."
The researchers said nearly 7 percent of people used their birthdate as their PIN.
The 1-in-18 statistic concerns PINs assigned by the bank; when customers choose their own four-digit PIN, "then the thief cashes out once every 11 wallets," Anderson told the New York Times.
In both the RockYou and the iPhone data sets, "1234" was the most commonly used single PIN. Aside from the inherent vulnerability of such a weak PIN, 53 percent of those surveyed told the researchers they shared their PIN with another person, and of the 40 percent of online banking users with more than one payment card, 34 percent said they used the same PIN for all cards. More than a third of respondents admitted they use their banking PIN in other authentication systems, such as for voice mail or Internet passwords.
To address the problem, the researchers called for banks to institute blacklists of common passwords and to prohibit customers from selecting their own passwords.
In the meantime, however, there are several ways you can avoid the security pitfalls associated with weak PINs and email passwords. If you worry that your ATM PIN leaves you vulnerable — is it your birth date? — call your bank and change it to a more random four-digit sequence. Make sure you don't reuse passwords or repurpose your ATM PIN for any other accounts. For a list of the best password-management software, click here.
Related on SecurityNewsDaily:
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.