A while back I wrote an article on the 25 worst passwords and a lot of readers were surprised to see how simple some of the passwords that people chose were: 123456, password, qwerty… Now a group of British computer security researchers have collected data to show just how vulnerable banking PINs actually are.
A Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own keys. The risk is that a thief who steals a wallet can then try to siphon money from a bank account by guessing the password, often with the aid of personal identification information like the birth date found in the wallet.
It seems that when the bank enforced a policy on how to create a strong PIN, thieves can expect to cash in on every 18th wallet stolen. If the bank allowed its customers to choose weak PINs, the thieves can expect to get lucky every 11 wallets. The researchers describing the criminal practice of guessing PIN numbers from stolen bank cards as “jackpotting.”
Fortunately, the conclusions of the report are not entirely bleak. They discovered that most people’s choice of banking PINs were not as weak as with other choices such as security passwords. Shorter sequences and user-chosen passwords are more vulnerable.
The researchers found that in the United States and in Europe different banks had different practices on what kinds of PINs were permitted. In the U.S.A., Bank of America and Wells Fargo let customers choose dumb PINs, while Citibank doesn’t. In the UK, Lloyds and the Co-op let you choose anything while Barclays, RBS and HSBC don’t.
If this has you worried maybe a quick re-read of my post on how to choose a strong password might be in order.
