Photo: Flickr / Tony Webster
Here’s further proof your birth date shouldn’t double as your debit card PIN: a new study finds that when a scammer lifts your wallet, the personal identification info inside makes it easy for him to crack your bank card’s PIN and drain your account.
It’s called “jackpotting”—the criminal practice of trying to guess a PIN from stolen bank cards—and it’s putting thousands of American and European bank customers at risk for fraud.
While it’s partly due to customers’ stupidity, banks’ lax standards for user-chosen PINs aren’t helping matters.
“A thief can expect to get lucky every 18th wallet—except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234,” Ross Anderson, the Cambridge computer scientist behind the study, told the New York Times’ Bits blogger John Markoff. “There, the thief cashes out once every 11 wallets.”
In the study, researchers analysed 32 million passwords that were stolen and then publicized on the social gaming site RockYou in 2009, in addition to a small database of iPhone log-ins and an online survey of 1,100 web users.
Despite seeing low rates of password reuse and sharing, the researchers determined shorter PINs and user-chosen passwords can make bank accounts more vulnerable to crime.
“In the U.S.A., we found that Bank of America and Wells Fargo let customers choose dumb PINs, while Citibank doesn’t,” said Dr. Anderson.
Most respondents used four-digit PINs and memorable dates as passwords, leading the researchers to conclude that banks should begin publicizing denied PINs and implement restrictions locally, on ATMs as well as on the cards themselves.
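As an added illustration (not code from the article or from the Cambridge study it reports), here is a bank-side PIN policy check of the kind the researchers recommend, which rejects PINs on a published denylist, repeated or sequential digits, and anything derivable from the birth date printed on an ID in the same wallet. It is paired with a small model of how much a denylist lowers the success rate of an attacker who gets three guesses before the card locks. The denylist, the PIN popularity shares, the three-guess lockout and the uniform redistribution of denied PINs are all constructed assumptions for this example.

```python
"""Added example, not code from the article or the study: a PIN policy check
and a toy model of the attacker's per-wallet success rate.
Every constant below is constructed for illustration."""
from __future__ import annotations

import datetime as dt
import re

# Constructed denylist; the article itself names only 1111 and 1234.
COMMON_PINS = {"1111", "1234", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969"}

# Constructed popularity shares (fraction of customers choosing each PIN).
POPULAR = {"1234": 0.10, "1111": 0.06, "0000": 0.02, "1212": 0.01, "7777": 0.008}


def is_repeated(pin: str) -> bool:
    """All digits identical, e.g. 1111."""
    return len(set(pin)) == 1


def is_sequence(pin: str) -> bool:
    """Ascending or descending run of consecutive digits, e.g. 1234 or 4321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def date_candidates(birth: dt.date) -> set[str]:
    """Four-digit strings a thief could derive from the birth date on an ID card."""
    f = birth.strftime
    return {f("%m%d"), f("%d%m"), f("%Y"), f("%y%m"), f("%m%y"), f("%d%y"), f("%y%d")}


def check_pin(pin: str, birth: dt.date | None = None,
              denylist: set[str] = COMMON_PINS) -> list[str]:
    """Return the policy violations for `pin`; an empty list means it is acceptable."""
    if not re.fullmatch(r"\d{4,6}", pin):
        return ["PIN must be 4 to 6 digits"]
    reasons: list[str] = []
    if pin in denylist:
        reasons.append("on the published denylist")
    if is_repeated(pin):
        reasons.append("repeated digit")
    if is_sequence(pin):
        reasons.append("sequential digits")
    if birth is not None and pin in date_candidates(birth):
        reasons.append("derivable from birth date")
    return reasons


def wallet_attack_rate(popular: dict[str, float], denylist: set[str],
                       guesses: int = 3) -> float:
    """Probability that an attacker guessing the most popular allowed PINs first
    succeeds within `guesses` tries (the card locks afterwards).

    Modelling assumption: customers whose favourite PIN is denied pick uniformly
    among the remaining four-digit PINs, so the denied mass is spread evenly.
    """
    allowed = {p: s for p, s in popular.items() if p not in denylist}
    n_allowed = 10_000 - len(denylist)
    rest_mass = 1.0 - sum(allowed.values())      # mass not held by popular PINs
    n_rest = n_allowed - len(allowed)            # unpopular but allowed PINs
    base = rest_mass / n_rest                    # share of one unpopular PIN
    candidates = sorted(allowed.values(), reverse=True) + [base] * guesses
    return sum(sorted(candidates, reverse=True)[:guesses])


if __name__ == "__main__":
    birth = dt.date(1984, 3, 7)  # constructed birth date read off a stolen ID
    for pin in ("1234", "1111", "0703", "1984", "8351"):
        print(pin, check_pin(pin, birth) or "ok")
    print("no denylist:  1 in %.1f wallets" % (1 / wallet_attack_rate(POPULAR, set())))
    print("with denylist: 1 in %.1f wallets" % (1 / wallet_attack_rate(POPULAR, COMMON_PINS)))
```

The policy function is what an issuing bank would run at PIN selection time; the rate model only exists to show why publishing a denylist matters: with the constructed shares above, removing the three most popular PINs cuts a three-guess attacker's success from roughly one wallet in six to roughly one in fifty-five, and the real study's figures of one in 18 versus one in 11 reflect the same effect measured on real data.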
Ultimately, the researchers hope banks will move away from user-chosen PINs altogether.