
Cracking PIN Numbers


PIN numbers are vulnerable to the same weakness as other passwords: people get to choose them. Many applications and phones rely on PIN numbers to lock access to devices. If a PIN is good enough to protect your bank card, then it's probably safe enough to protect your phone, right?

But phones tend to be much more lenient than banks when it comes to getting your PIN wrong. Fruit-based devices and Android devices all let you try 10 PIN codes before wiping the device. How much extra leverage does that give an attacker? What if they have access to multiple devices and bank cards?

Most common three PIN numbers

Data from a recent (2014) breach gives us some answers. The most common PIN number in this set is 0000 (5.25%), closely followed by 1234 (4.15%) and 1111 (2.89%). These three PIN numbers make up over 12% of the data. If you only had three tries (read: a bank card at an ATM), these are the numbers to try.

A recent report by McAfee values your credit card and PIN at $200. If an attacker can work out your PIN at an ATM, they don't even need to take any money from your account to profit; they can simply sell the card on to someone else.

Top 10 most common personal identification numbers

These popular PIN numbers make up 17.2% of all PINs, way more than the 0.1% we would expect if people were choosing random numbers. The top 10 PIN numbers include all of the expected unimaginative sequences of numbers. The single-digit runs such as 9999, 8888 and 4444 are in there. Sneaking in at number 7 is 2580, which is an obvious 4-digit pattern on a phone keypad. This gives a good indication that many people are sharing PIN numbers between their phone and their bank card, because 2580 isn't quite so obvious on an ATM.

At number 9 we have 4321 which shows that a tiny bit of thought has gone into not choosing the most obvious PIN, but lots of people had the same idea.

An attacker trying to access a phone protected by a PIN which allows 10 attempts would be able to unlock 17% of devices without any technical know-how, just by trying these numbers. If you are sharing PIN codes, then unlocking your phone would also give someone quick access to your ATM card. Sharing PINs between devices is not a good idea.
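To make the lockout arithmetic above concrete, here is an added example (not code from the original post) that ranks PINs by observed frequency, reports what fraction of users the top few guesses defeat for a given attempt limit, compares that with the uniform 1-in-10,000 baseline, and answers the "multiple devices" question with a simple independence model. The sample data set is constructed for the example; the 2014 breach figures are not reproduced here.

```python
from collections import Counter
from typing import Iterable

# Constructed sample of "observed" PINs standing in for a breached data set.
# The counts are made up so the script runs offline; only the shape of the
# distribution (a few very popular PINs, a long tail) mirrors the post.
SAMPLE_PINS = (
    ["0000"] * 21 + ["1234"] * 17 + ["1111"] * 12 + ["1972"] * 5
    + ["2580"] * 4 + ["4321"] * 3 + ["1212"] * 2 + ["7391"] + ["8305"]
    + [f"{i:04d}" for i in range(3000, 3034)]  # 34 distinct tail PINs
)  # 100 PINs in total

PIN_SPACE = 10_000  # four decimal digits

def guess_order(pins: Iterable[str]) -> list[tuple[str, float]]:
    """Rank PINs by frequency, most common first, as (pin, fraction).
    Trying PINs in this order is the attacker's best strategy."""
    counts = Counter(pins)
    total = sum(counts.values())
    return [(pin, n / total) for pin, n in counts.most_common()]

def coverage(ranked: list[tuple[str, float]], attempts: int) -> float:
    """Fraction of users defeated by trying the top `attempts` PINs in order
    (roughly 3 attempts at an ATM, 10 on a phone before it wipes)."""
    return sum(frac for _, frac in ranked[:attempts])

def uniform_coverage(attempts: int) -> float:
    """Coverage if every one of the 10,000 PINs were equally likely."""
    return attempts / PIN_SPACE

def p_any_device(per_device: float, devices: int) -> float:
    """Chance that at least one of `devices` independently chosen PINs is
    within the attacker's list: 1 - (1 - p)^n."""
    return 1 - (1 - per_device) ** devices

if __name__ == "__main__":
    ranked = guess_order(SAMPLE_PINS)
    for attempts in (3, 10):
        print(f"{attempts:>2} attempts: top-list coverage {coverage(ranked, attempts):.1%}, "
              f"uniform baseline {uniform_coverage(attempts):.2%}")
    print(f"5 devices, 10 attempts each: "
          f"{p_any_device(coverage(ranked, 10), 5):.1%} chance of opening at least one")
```

The defensive reading is that the attempt limit alone is not what protects a device; the limit multiplied by how skewed the PIN distribution is decides the outcome, which is why a lockout of 10 is fine against random PINs and poor against human-chosen ones.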

Most common 20 PIN numbers

With just these 20 PINs we have covered over 20% of the population's personal identification numbers. Here we start to see some personalization of the numbers. PINs starting 19XX are clearly birth dates. The most common is 1972, which perhaps gives an indication of the demographic of people using their birthday as a PIN number. Dates drop off towards the 90s but pick up again in the 2000s. It looks like Gen Y know not to use their birthday as a PIN, but Gen X are still using their birthdays, anniversaries or children's birthdays.

A staggering 9.87% of PINs start with 19XX. Make sure that if someone steals your wallet and phone, your PIN number isn't written clearly on your driver's license.

Two other numbers that jump out here are 2468 and 9876, neither of which required much imagination.

Further patterns in PIN codes

Other patterns that emerge are pairs of digits, such as 1122 and 1212. In fact most PIN numbers start with 1XXX (33%) or 2XXX (15%).

Recommendations

What does this mean for protecting yourself?

Don't use a simple pattern for your PIN number.
Don't use birthdays or anniversaries.
Don't share PIN numbers between devices and ATM machines.
Use a proper random number generator to generate PIN numbers.
