Schneier on Security
A blog covering security and security technology.
« Airport Security: Israel vs. the United States |
| Security Cartoon »
July 4, 2007
Why an ATM PIN Has Four Digits
In case you were wondering:
Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.
"Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard," he laughs.
Posted on July 4, 2007 at 8:52 AM
• 62 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
My bank uses a 6 digit PIN.
It is much harder to remember...
Are there any statistics on whether 4 digit PINs are good enough? Even if a couple of digits are disclosed or observed, an ATM which swallows the card after three incorrect attempts is going to prevent brute-force attacks. The only way to reliably steal a PIN is to observe the entire entry (e.g. with a micro-camera at the ATM) and increasing PIN length doesn't prevent this attack.
I'd be interested to hear any arguments in favour of longer PINs.
I wonder why this was. I wished my PIN was +8 decimals. :-(
This is probably a dumb way to look at it, but can't we say that 4 digit PINs are good enough because they seem to be sufficient in the real world?
I'm not plugged into the world of ATM fraud, but I don't hear much about it, and the weakness of the PINs doesn't seem to be that much of a factor.
Obviously 4 digits wouldn't be anything for a computer doing a brute force attack -- but you can't stand at an ATM and cycle through them. Even if you had the time, I imagine the machine would eat the card at some point.
I'm not a security guy, and I don't claim any expertise, but one thing I've taken from this blog is that security is an economic problem -- you have scarce resources, and you have to plug the holes that are most serious first.
So if we have this long experience with 4 digit PINs and ATMs, and they work ok, then changing it probably isn't a good use of resources. There's probably some other part of the whole banking system that could use the help.
"[...] an ATM which swallows the card after three incorrect attempts is going to prevent brute-force attacks."
I have wondered if the banks do anything other than swallowing the card. Do they disable any farther attempts? If I made a stack of cloned cards, could I try over and over again (3 tries per card)?
If I know two of the digits (especially if I know their position) the number of cloned cards I need to make just went way down.
If you made a stack of cloned cards and sat there brute forcing the PIN, then even if you eventually figured it out I don't think the time spent would be worth the maximum amount withdrawable on an ATM that day. I'm not sure of the figure, but I don't think it is worth the payoff! Even if you were able to string it out for a few days before anyone noticed, its still not worth the time.
@stacy: "I have wondered if the banks do anything other than swallowing the card."
In Germany, they don't actually "swallow" the card, they lock the account (or, at least, the card number).
Had that case when I remembered the wrong PIN for the card. I got to keep the card, had to sign a form at the counter and they unlocked it.
btw, it is worth noting that they track the attempts between ATMs. I had 2 wrong attempts at one ATM and my third one a few days later at another ATM.
I'm just glad Bruce didn't say "PIN number".
@stacy: "I have wondered if the banks do anything other than swallowing the card."
In Canada, based on my experience, the account is locked and you have to attend at the branch where the card / account is registered to retrieve the card (or be issued a new one) and create a new PIN.
I once wondered if too easy pins were excluded from the pool - like 1234 - but I got my answer when my bank once issued me the pin 0000 (no longer valid for anything). Is this good or bad?
Truly random will also produce some of those easy to remember codes.
But brute force attacks may just start with such a code - if the attacker knows that the owner can choose the code, and if the attacker knows the owner cannot choose the code, he might try some "less likely" code such as 6216.
Again, if I was threatened to say the code, the attacker would just not believe 0000 - too improbable he'd say.
So, are easy codes a security problem if codes are issued at random?
My bank allows its customers to choose a 6-digit or a 4-digit PIN.
Interestingly, my 6-digit PIN works even at ATMs in countries where the banks only seem to give out 4-digit PINs.
My conclusion is that the system is designed and implemented for 6-digit PINs, but that most banks choose to limit their customers to 4-digit PINs.
I use my bankcard combined with one of those token-reader-thingies for online banking. Just as with any ATM it takes three wrong PIN entries to "block" the card. A secondary card (for instance the one my wife has) will still work. Every account has a number of cards associated to it. The card has a serial-number which can be blocked. Works pretty much exactly like CRL's and digital certificates.
(I live in the Netherlands. We are big on debit cards like most European countries)
In Italy, ATM circuit (here the circuit is called Bancomat) is based on 5-digit PIN, and, differently from germany, the only result for 3-errors-in-a-row is the lost of the card.
Greetings from the country of the sun.
Quote Nostromo: "Interestingly, my 6-digit PIN works even at ATMs in countries where the banks only seem to give out 4-digit PINs."
Or, only 4 digits of your PIN are used by your bank. Try entering the first 4 digits the next time at a foreign bank. :)
A paper has been referenced on this blog before, which shows that the 4 digit PIN has an entropy of less than 1000, if someone has access to the card. There are actually two PINs on the card, so if one master key is compromised, they can switch to the second PIN for everyone. What you enter is an offset from the encrypted PIN. By reading both encrypted PINs on the card, one can eliminate most possible PINs.
Which I could find the reference- I'm sure someone will.
@Erik N: "but I got my answer when my bank once issued me the pin 0000 (no longer valid for anything). Is this good or bad?"
It could be argued that the bad part is issuing you a PIN at all. Some banks -- very few, from what I have heard -- never issue a PIN at all. You must choose your PIN, and there is no PIN until you choose one.
This eliminates two weaknesses - one, that the PIN must somehow be securely sent to you, and, two, that when you receive a new card and PIN, you are now more likely to forget your new PIN, since it isn't "yours". (When you have chosen the PIN, it can be retained across card changes.)
As far as I know, most banks now let you *change* your PIN, so the infrastructure to allow you to set the PIN initially is already in place.
All PIN authorisation algorithms that I know of use a portion of the magnetic track and a secret key to calculate a PIN. Some algorithms use a pin offset value, which is stored on the card, to allow for PIN selection. The PIN is usually formatted into a PIN block and sent to a central host for authorisation. The PIN block format decides the length of the PIN that can be transmitted, but this is usually 4-12.
I just gave a presentation on passwords so your posting seems especially timely Bruce.
Readers of this blog might recall the (snopes verified) story about cameras watching ATM keypads:
My first ATM card used an 8-digit PIN, but the first digit could not be 0 or 1 and digits could not be repeated in neighboring positions. I was quite surprised to find that some banks still use 4-digit PINs.
Since banks already have all sorts of data about you, they could easily keep you from using easily-guessed numbers or sequences from your telephone number, address, zip/postal code, date of birth or social security number. This takes away most of the easily-guessed PIN problem.
Er ... sorry, wrong URL a minute ago.
Only slightly off topic but I would be interested in feedback on my password attack tree:
http://ucis.dal.ca/depts/security/events/... (PDF - page 9)
Can anyone reference 'the' definitive password attack tree? I've looked but in the end was unhappy with anything I could find and so came up with my own. Of course the answer probably is that each tree will reflect an individual organization/situation.
I always thought it was because of the "Seven plus or minus two" paper as well.
Bank Boston used to require PINs to be 6-12 digits. I learned that using more than 6 was a bad idea when I first traveled to Europe with a 7 digit PIN, and found that French ATMs only accepted 6 digits.
Mr Shepherd-Barron, now 82, is living off his monthly social security cheque and will die a pauper (unless his whale music invention pans out.)
Someone, somewhere, probably Dubya or Osama, has the PIN 0666 ;-)
Caroline must not have had a very good memory for numbers. It's obvious that most people have no problem memorizing a seven-digit (and in some cases ten-digit) number. Who doesn't know their own phone number by heart?
My PIN is 6 digits, but my bank uses the card at teller stations inside, and those readers will accept only 4-digit PINs! 6-digits work fine at ATMs, but gasoline pump card-readers accept only 4 digits in this part of California.
@Stu Savory "Someone, somewhere, probably Dubya or Osama, has the PIN 0666 ;-)"
A bit off topic to your comments and the thread, but... ...someone at BC Tel (now TELUS) in Vancouver, BC had a similar sense of humour... the exchange number for most of the federal government offices in Vancouver is 666
I'm just glad the banks don't use a one-time-pad.
Once I was at the bank and the people next to me were complaining to the cashier that they had accidentally entered the wrong PIN number and the ATM still delivered the cash. The cashier went out with them to try and indeed, any PIN number was accepted for this card. No-one knew how long this had been the case. When I left, they were on the phone with some back-end support person who didn't seem to believe the story. I checked my card on the way out and the ATM rejected incorrect codes. So it wasn't a system-wide error. As a software engineer (but not one who has experience with banking systems), it would be easier for me to understand how an error on the back-end would suspend PIN validation for everyone than how this could happen for just one card (or just some cards). Anyone has an idea of what could have happened?
My bank (Fleet at the time, now part of Bank of America) had a minimum of 6 digits, so I picked a 7-digit number that had any easy mnemonic for me to remember.
When I went to Europe a year later many of the ATMs had a hard limit of 6 digits when entering a PIN. At the Charles de Gaulle airport outside Paris an ATM ate my card since it had failed too many times. Luckily it was just after I'd arrived in Paris from London, and not right before I had left.
One of the more frustrating times in my life.
Actually, anyone can easily remember any length of PIN as long as you can set it up your self.
One way to do this is take a number from 1 to 9.
From it devise a formula to create the first 2 digits
From the first two digits and the original number, create another formula to get to the second pair of digits.
From the first answer and the second answer compute through a function the 3rd pair of digits.
And go on as long as you wish.
Write down the formula somewhere, or if it is simple you can remember it.
Works for me !
Actually, you could keep a sticker on the card with the starting digit .... Nobody has a 1 digit pin number !!!!! Except you :-) And hidden in plain sight, not bad hein !
With regard to brute forcing the PIN, even if the account isn't locked, Australian banks at least charge a fee to the account every time an incorrect PIN is entered, as high as $2. You'd drain the account you were trying to steal from. (This is, of course, not a lot of consolation for the person who owns the account, so here's hoping they lock it eventually.)
Ritchie - one former high-security workplace of mine had safe-style combination locks for different projects, the digits of whose code were a multiple of a logarithm to a particular base of the project code. So all you needed to remember were the base and the multiplier, and you could make use of the scientific calculator on the desk (complete with auto-power-off to avoid leaving the code visible) to generate the combination if you forgot it.
The international "PIN management and security" standards ISO 9564-1, -2, -3 allow for encryption of PINs of 4-12 digits.
It allows for all of:
- the customer to select his/her own PIN,
- the bank to assign a random PIN.
- the customer to change a PIN to a customer-selected value (either from a bank assigned or previous customer-selected value)
- "assigned derived PINs" where the PIN is derived from the account number (using a cryptographic method)
For initial bank-assigned PINs, the standard says (words to the effect of) the PIN must be printed and delivered in such a way that the bank staff can't see it, and must be mailed separately from the card.
ATMs, and othe machines, swallow the card, and disable the CARD number (not the account, which may have multiple card numbers associated with it!).
Car number plates (reg plates, whatever) are 7 digits in the UK because the average human brain can only remember a sequence of 7 'items' (digitis/numbers, fruits, colours, items of clothes, whatever).
It's like the game memory "I went shopping and bought...." - it gets very hard at 7+ items.
canada trust (before the td merge) used to allow up to 12 digits for a pin. and yes i used all 12 :)
PINs can be anywhere from 4 to 12 digits long, regardless of where you are. What number of digits your bank uses is actually the *default* number of digits your bank uses, not its official length that must always be used (at least at no banks that I've ever encountered).
hmm.. I use a non-easy 4-digit PIN for my ATM card since ages. I find it easier to limit the number of people who might get hold of my card than to make the number harder for them and myself.
Last time when I was in Sweden every ATM and pump station accepted only 4 digits. I wasn't able to enter more digits. But the card of my Swiss number account has 6 digits! The next time I will change the pin to 4 digits before I travel to Sweden.
As long as ATM cards are only usable in ATMs then 4-digits is plenty. However when places start using it where a physical presence in front of the machine is not required then automated attacks are feasible and it will be inadequate.
When I developed ATM software (many years ago) the industry standard was to allow 3 login attempts, then block the card electronically (requiring physical presence in the bank to unlock) and either keep or return the card itself (return card became common to save vandalism to the machine; people tend to get REALLY pissed when "their" card is not returned; even though it is the property of the bank and it is for their protection).
Personally I write 4 pseudorandom 4-digit numbers on the back of my ATM card figuring a hypothetical thief will try 3 of them under the assumpion that 1 of them is my PIN; the bank will then lock out my account and I should be good.
re: Card Capture
Most newer ATMs are moving toward removing the capturing of cards. They are moving toward Swipe, or DIP readers.
Reason: too many false positives.
Trivia for the day: Did you know that many of the US ATMs are made in Scotland?
It's a trade off. The vulnerability and cost of disclosure versus the risk and cost of forgetting. Both are burdensome and costly to customers and banks.
It may be more secure if longer, but it will be more cumbersome. It may be easier if shorter, but it will be less secure.
I wouldn't want to be a fraud handler at a bank that had 2 digit PINs. Nor would I want to be the help desk at a place with 16 digit PINs.
Just got back from Rotterdam (Netherlands), the ATMs there had 6 boxes but when I entered my UK 4 digit pin it was fine.
I think people can remember more if they get broken up. Phone numbers: xxx-xxxx and social security numbers xxx-xx-xxxx are good examples.
@ Erik N
"I once wondered if too easy pins were excluded from the pool - like 1234 - but I got my answer when my bank once issued me the pin 0000 (no longer valid for anything). Is this good or bad?"
Go look up the joke about "CORPORATE DIRECTIVE NUMBER 88-570471".
In Brazil is where bank phishing flourish. My Bank's ATM card comes with a chip and the 4 digit PIN that you can't change but, in the first use, you have to create online another 3 digits and, since then, you have to use the 2 groups to do anything.
Heard yesterday from a work colleague that somebody withdraw R$2,000 out of his account using his card, possibly cloned. The Bank reimbursed him.
That doesn't make any sense. People are quite capable of remembering number strings beyond 4 digits.
Before the advent of the cell phone with its mobile directory, people were capable of remembering phone numbers to be dialed at a whim. These numbers ranged from 7 digits for a local number on up to 11 digits (if you include the 1 and area code) for long distance.
People are asked for their social security number so often that many have their 9 digits memorized and often the 9 digits needed for a spouse's SSN.
"Who doesn't know their own phone number by heart?"
A phone number is actually 2 sets of 3 digit numbers plus 1 4 digit number.
If your phone number was 11 digits long, that is a single long string, you would have a much harder time remembering it.
I once read (in telephone by David Brooks?) that in the 20's the phone company discovered that remembering the 4 digits first then the exchange was much easier than the 3 then 4 grouping that we have.
Although it was easier, since people were already in the habit of the pattern, they decided not to change it.
I used to bank at Great Western in California. I had a 6 digit PIN. Great Western was acquired by Washington Mutual. My 6 digit PIN still worked, but they refused to allow me to sign up with online banking because their systems didn't support anything other than 4 digit PINs. Eventually, they changed my account number, forcing me to activate a new card. The PIN entry system they have forbade me from entering anything longer than 4 digits. When I complained, they said it was "for my security."
I agree that bank customer service personnel, along with most customer service personnel, have absolutely no understanding of security.
Along with the example above when a bank tols a customer the PIN could only be 4 digits for security reasons, I have an example.
I was told by a leading tax prepartion software vendor that the software had to run with full (and unneeded) administrator rights because it is "currently our software safe passage. Only you know the Administrator password. Otherwise, anyone who had access to your compluter could steal your important information."
What if I don't know the admin password. And if somebody does know my password or the admin password, it's not my machine anymore anyways.
What they really meant to say was: "We write ini file information to C:\Program Files. We know we're not supposed to do that, as it makes security difficult, but we are really lazy, and we figure most of our users run as admin anyways."
I wish PINs could be an arbitrary length. Oddly, enough my wireless phone carrier lets me have any length (or at least as long as I need) for a voicemail password. I guess it's their software safe passage.
I'm dyslexic, so I tend to remember PINs by following the pattern the PIN forms on the keypad, which I find easier than rembering the number. This worked fine until I traved in Asia, where the PIN pads have the numbers 'upsidedown' (think of the layout on a phone vs the layout on the numeric keypad on your keyboard).
Bank of America debit card, eleven-digit PIN. Sometimes the entry pads at retail stores and the like will only accept ten digits; the eleventh digit beeps but isn't actually accepted into the buffer. Transaction declined. Then I have to figure out what's going on, mutter in frustration, and tell them to charge it using the credit card protocol instead.
I have a regular wells fargo checking account, and my PIN is 7 digits...
if I entered the wrong PIN three consecutive times, the card gets captured right? however, if I entered the wrong pin four days ago and then i entered the wrong pin again today two times, will my card still get captured?
My niece is in college at Berkeley. She is a Citibank patron but used her debit card at a Bank of America ATM. She put in her 4 digit pin, got out $40 (plus paid the $3 fee) and walked away without officially ending her session and she forgot to retrieve her card. Apparently the next person in line walked up and proceeded to withdraw another $200 from my niece's account. I'm shocked the ATM didn't ask for the PIN to be re-entered for each subsequent transaction made. I thought that was the standard for ATMs but apparently not. Does anyone know of any recourse for this sort of theft?
Amy, This king of fraud is called Sesion DIP. It's happen when the ATM's doesn't ask for close the transaction. Recomendation: In these King of ATM you must be sure to finish your sesion.
My friend rang her local bank and they asked her for two digits of her pin number
(not her password) Is this correct? I thought we were not supposed to reveal any part of our pin number not even to the bank staff???
We live in the UK
Please can you kindly send your reply to my email address. thank you.
Is there any no on back side of atm card to find out forgotten pin no.? If its so then whats the procedure? Please help me out.
i entered wrong pin thrice so my card was blocked..i refreshed my pin number but now the bank staffs know my pin no. so is there any risk from them,,,i would like to receive a fast reply please..
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.