More often than you might imagine, financial institutions deploy inadequate security protection, the type of inadequacy where the word ‘woefully’ often finds itself used. I don’t know how much Discover has beefed up its on-line security since I last owned a card, but its password protection was weaker than some porn sites (so I’m told, ahem). It took Capital One and Washington Mutual a while to come up to speed, but my present bank still allows only a ten character password.
If a bank left the keys in their door at night or even left it unlocked, you could hardly blame the curious– or the wicked– for coming inside and wandering around. But that’s happened in the on-line financial world. Institutions lobby for harsh penalties, but their rantings and ravings are meant to detract attention from their own failings.
But a third party is involved, you, the customer. What do you have in your wallet?
From the aspect of a consumer, we can use the following to protect ourselves. From the standpoint of crime writers, we can use the information below to plot clues within a story.
… and PINs
Think about your PIN number, ‘PIN’ singular because most people use one for everything, even their security alarm code. And past behavior suggests people will continue using an easily exposed code even after reading an article like this.
But wait. Doesn't a 4-digit PIN imply guessing one is only a 1-in-10,000 chance?
Not at all. Knowing a little about you (Social Security Number, birth date, etc.) might help hackers, but the PINs and alarm codes of one in four customers can be reduced to sixteen or so numbers.
Does yours begin with 1? Or 19?
The vast majority of PIN numbers begin with 1 or 0. If yours starts with 1, you’ve reduced the possibilities from 10,000 to 1000. If 19, your herd's shrunk to 100.
Do you use the internationally ubiquitous top N° 1 PIN? 1234? Or another of the popular sequential variants, 4321, 5678, 6789?
Does your number begin with 19xx, perhaps a date? The possible numbers are now one hundred, probably a lot less, maybe twenty possibilities if you’re young and eighty possibilities if you aren’t, but a few more if the number represents month-and-day (MMDD) or day-and-month (DDMM). Popular dates that go beyond birthdays include George Orwell's literary 1984 and historical years 1492 and 1776.
Take 2486, which has two strikes against it: It not only comprises semi-sequential even numbers, but it's also a visual pattern, a diamond on a keypad. Other popular visuals are a square (1397), a cross (2046), an X (1937), and the most popular of all, a straight line down the middle (2580). Visual patterns produce deceptively random-looking numbers, but statistics demonstrate they offer little security. And let's face it: Security and convenience find themselves at odds with each other.
'heat' map |
statistical moiré |
Using graphing tools and such visuals as 'heat maps', researchers can determine less than obvious patterns. Some stand out like stars in the sky while others exhibit a warp and woof of woven fabric revealing unconscious human subtleties we're unaware of.
People love couplets, paired digits such as 1010, 1212, the ever-popular 6969, Intel’s 8080, or that Zager and Evans song, 2525. Even when not using 9898 or 2323, people exhibit a preference for pairs one numeric step apart such as 2389 (2-3,8-9) or 5478 (5-4,7-8)) instead of 2479 or 5668. Perhaps we still hear childhood chants in our head from when we learned to count.
A few users exhibit a distinct lack of imagination, to wit: 0001. Others look to pop culture for inspiration, especially fans of James Bond (0007 or 0070), Star Trek (1701), or George Lucas (1138). The 1980s hit 867-5309 peaked at #4 on both the Billboard Hot 100 chart and the hottest 7-digit PIN list.
Some people can’t be bothered at all: 0000, 1111, 2222, 9999, etc. These same overall patterns persist with PINs longer than four digits although people tend to pick phone numbers when forced to select 7-digits, thus adding artificial randomization to the mix.
The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (And as we know, Social Security Numbers contain their own well-known patterns.)
To reemphasize, the greater the number of digits required, the more predictable selections become. Why? Why does the problem worsen with additional digits? As people are forced to use more digits, I hypothesize they react by falling back on easy-to-recall patterns such as sequences. Someone might remember 3791, but they won't easily recall 379114928, and they may reason 123456789 is as difficult as any other number.
PIN-pricks
The bad guys know these things. They don’t need high-speed analysis engines or intensive code-cracking software. They know the numbers and work the odds. As often as not, they can hack into an account– or your house or your medical files or your life– within moments.
Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders.
PIN-ups |
---|
If you
absolutely cannot remember little used numbers and carry a reminder, at
least code the number in some way. • Some take a cue from old-fashioned costing codes that used alphabet substitution for digits: I=1, J=2, K=3, … • Roman numerals might be another idea, e.g, 2009=MMIX. • One handy method is to subtract your PIN from 9999 and write that down. When you need your PIN, you simply subtract the code from 9999 again. (For those who know hexadecimal (base 16: 0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F), this geeky technique is even more effective: Where F is 15, subtract your PIN from FFFF, e.g, 9531=6ACE. I used this method to label keys in an apartment complex: 1422B=EBDD4.) |
Your job– you should choose to accept it– is to make breaking into your account as difficult as possible, not that institutions tell you what you really need to know: Their usual advice is to cover ATM and store keypads with your hand. Don’t tell anyone your PIN. Don’t write it on a stick-em and carry it in your billfold.
But you can do a lot more than that: Make your number as difficult to guess as possible.
PIN-wheel
So what numbers are rarely used? Generally, the higher the first digit, the less common the password. Of the ten least used PINs, four start with 8, two with 9, and two with 6. Just don’t blow your efforts with 8888 or 8000, or 9999 or 9000.
Tip: Sure, you want a number you can remember. Toward that end, I suggest picking an easy four letter word (or a word with the same number of letters as the number of PIN digits) you can remember, say ‘easy’ itself. Look at E-A-S-Y on a telephone keypad and you’ll see the letters correspond to 3279, which breaks the most obvious patterns. Reverse the digits if you like to make the combination harder. If your ATM doesn't show letters, then open your cell phone. See more tips in the box at right.
PIN-points
In the following table* of the twenty most used numbers, it becomes painfully obvious any baddie who’s learned only the first four or five most popular numbers can suck the money out of one in five ATM accounts. With a crib sheet of these twenty numbers, he can boost his takings to 27%.
|
|
PIN-out
Now go forth and protect thy accounts. And drop me a line if you use these clues in your own stories.