Cracking PIN numbers

PINs suffer from the same weakness as any other password: people get to choose them. Many applications and phones rely on a PIN to lock access to a device. If a four-digit PIN is good enough to protect your bank card, it is probably good enough to protect your phone, right?
But phones tend to be far more lenient than banks about wrong guesses. A bank card is typically blocked after three wrong attempts at an ATM; an iPhone allows ten wrong attempts before its optional erase-data setting wipes the device, and Android devices by default just impose growing delays between attempts rather than wiping. How much extra leverage do those ten attempts give an attacker? And what if the attacker has access to several of a victim's devices and bank cards, each with its own attempt budget?
The three most common PINs

Data from a 2014 breach gives us some answers. The most common PIN in the set is 0000 (5.25%), followed by 1234 (4.15%) and 1111 (2.89%). Between them these three account for over 12% of all PINs in the data. If you only get three tries, as with a bank card at an ATM, these are the numbers to try.
A recent McAfee report values a credit card together with its PIN at around $200. An attacker who works out a PIN at an ATM doesn't even need to withdraw money to profit; they can simply sell the card and PIN on to someone else.
Top 10 most common personal identification numbers

The ten most popular PINs cover 17.2% of all PINs in the set, far more than the 0.1% (10 out of 10,000) we would expect if people chose at random. The top ten contains all the unimaginative sequences you would expect, including the single-digit runs 9999, 8888 and 4444. Sneaking in at number 7 is 2580, the middle column of a phone keypad read top to bottom. ATM keypads use the same 1-2-3-on-top layout, so it is just as quick to type there, but it is a pattern people pick up on a phone, and its popularity as a bank PIN suggests that many people reuse their phone PIN for their bank card.
At number 9 is 4321, which shows that a tiny bit of thought went into not choosing the most obvious PIN, but lots of people had the same idea.
An attacker facing a phone that allows ten PIN attempts could unlock about 17% of devices without any technical know-how, simply by trying these ten numbers in order. If you share PINs between devices, unlocking your phone then gives the attacker quick access to your bank card as well. Sharing a PIN between devices is not a good idea.
The 20 most common PINs

With just these 20 PINs we have covered over 20% of the population's PINs, and at this point some personalisation starts to show. PINs beginning 19XX are clearly years of birth. The most common is 1972, which perhaps hints at the demographic of people using a birth year as a PIN. The years tail off towards the 1990s but pick up again in the 2000s. It looks as if Gen Y know not to use their own birth year, while Gen X are still using their birth years, anniversaries or their children's birth years.
A staggering 9.87% of PINs start with 19XX. If someone steals your wallet and phone, make sure your PIN isn't printed on your driver's licence as your date of birth.
Two other numbers that jump out here are 2468 and 9876, neither of which required much imagination.
Further patterns in PIN codes

Other patterns that emerge are repeated pairs of digits such as 1122 and 1212. Overall, nearly half of all PINs start with 1XXX (33%) or 2XXX (15%).
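As an added example (not part of the original post), here is the calculation behind the figures above, run on a constructed sample of 1,000 PINs that is skewed towards the numbers the post names. The counts are invented so that the code runs offline; they are not the breach data. Given any list of PINs the code ranks them, reports how much of the population an attacker covers with a fixed guess budget (3 for an ATM, 10 for a phone, 20 for the longer list), how that compares with brute force against uniformly random PINs, and what share begins with a given prefix such as 19.

```python
from collections import Counter

# Constructed sample of 1,000 four-digit PINs, skewed towards the PINs the
# article names. The counts are invented for illustration; they are NOT the
# 2014 breach data.
_COMMON = {
    "0000": 52, "1234": 41, "1111": 29, "9999": 10, "8888": 9, "4444": 8,
    "2580": 7, "1212": 6, "4321": 6, "1972": 5, "2468": 4, "9876": 4,
    "1122": 4, "1985": 3, "2001": 3, "1990": 2,
}
_FILLER = [f"{n:04d}" for n in range(5000, 5807)]  # 807 distinct PINs, once each
SAMPLE_PINS = [pin for pin, n in _COMMON.items() for _ in range(n)] + _FILLER

PIN_SPACE = 10_000  # four decimal digits


def rank_pins(pins):
    """Return (pin, count) pairs, most common first; ties broken by PIN value."""
    counts = Counter(pins)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def best_guesses(pins, budget):
    """The `budget` PINs an attacker should try, in order, for this population."""
    return [pin for pin, _ in rank_pins(pins)[:budget]]


def coverage(pins, budget):
    """Fraction of the population whose PIN is among the top-`budget` guesses."""
    hits = sum(count for _, count in rank_pins(pins)[:budget])
    return hits / len(pins)


def leverage(pins, budget):
    """How much better guessing by frequency does than brute force against
    uniformly random PINs, where `budget` guesses would cover budget/10000."""
    return coverage(pins, budget) / (budget / PIN_SPACE)


def prefix_share(pins, prefix):
    """Fraction of PINs starting with `prefix`, e.g. '19' for birth-year PINs."""
    return sum(1 for p in pins if p.startswith(prefix)) / len(pins)


if __name__ == "__main__":
    for budget, where in ((3, "ATM"), (10, "phone"), (20, "top 20")):
        print(f"{where:>7}: {budget:2d} guesses cover "
              f"{coverage(SAMPLE_PINS, budget):.1%} of accounts "
              f"({leverage(SAMPLE_PINS, budget):.0f}x brute force): "
              f"{' '.join(best_guesses(SAMPLE_PINS, budget))}")
    print(f"PINs starting 19XX: {prefix_share(SAMPLE_PINS, '19'):.1%}")
    print(f"PINs starting 1XXX: {prefix_share(SAMPLE_PINS, '1'):.1%}")
```

Point `SAMPLE_PINS` at a real leaked list and the same functions give the real figures; the ranking step is the entire "attack", which is why an attempt budget of ten instead of three matters so much.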
Recommendations

What does this mean for protecting yourself?
Don't use a simple pattern (repeated digits, sequences, keypad columns) for your PIN.
Don't use birthdays, birth years or anniversaries.
Don't share PINs between devices and bank cards.
Use a proper random number generator to choose your PIN.
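To make the last recommendation concrete, here is an added example (not from the original post) that draws a PIN from the operating system's CSPRNG and rejects the pattern classes discussed above: repeated digits, constant-step sequences such as 1234, 4321 and 2468, repeated pairs such as 1122 and 1212, anything that reads as a year, and the middle keypad column. The year range 1900-2029 and the keypad-column list are my assumptions, not figures from the data.

```python
import secrets

# Assumed cut-offs, not taken from the breach data: treat anything that could
# be a 20th- or early 21st-century year as weak.
YEAR_MIN, YEAR_MAX = 1900, 2029
# Assumed: the middle column of a telephone-style keypad (2-5-8-0), read
# either way. ATM keypads use the same layout.
KEYPAD_COLUMNS = {"2580", "0852"}


def weak_pin_reason(pin):
    """Return the name of the weak pattern `pin` matches, or None if it is fine.

    Patterns mirror the ones the leaked data shows people favour. A name rather
    than a bare bool is returned so a UI can tell the user what to avoid.
    """
    if not (len(pin) == 4 and pin.isdigit()):
        raise ValueError("PIN must be exactly four decimal digits")
    digits = [int(c) for c in pin]
    steps = {digits[i + 1] - digits[i] for i in range(3)}
    if len(set(digits)) == 1:                      # 0000, 1111, ..., 9999
        return "repeated digit"
    if len(steps) == 1:                            # constant non-zero step:
        return "arithmetic sequence"               # 1234, 4321, 9876, 2468, 0369
    if pin[:2] == pin[2:] or (pin[0] == pin[1] and pin[2] == pin[3]):
        return "repeated pair"                     # 1212, 1122
    if YEAR_MIN <= int(pin) <= YEAR_MAX:
        return "looks like a year"                 # 1972, 2001
    if pin in KEYPAD_COLUMNS:
        return "keypad column"                     # 2580
    return None


def is_weak_pin(pin):
    return weak_pin_reason(pin) is not None


def count_weak_pins():
    """How many of the 10,000 possible PINs the filter rejects."""
    return sum(1 for n in range(10_000) if is_weak_pin(f"{n:04d}"))


def random_pin():
    """Pick a PIN uniformly from 0000-9999 with the OS CSPRNG, retrying if it
    lands on a weak pattern. Rejection sampling keeps the survivors uniform
    over the remaining space, and only a few hundred PINs are rejected, so the
    loop terminates almost immediately."""
    while True:
        pin = f"{secrets.randbelow(10_000):04d}"
        if not is_weak_pin(pin):
            return pin


if __name__ == "__main__":
    for candidate in ("0000", "1234", "1212", "1972", "2580", "7395"):
        print(f"{candidate}: {weak_pin_reason(candidate) or 'ok'}")
    print(f"{count_weak_pins()} of 10000 PINs rejected")
    print(f"suggested PIN: {random_pin()}")
```

The filter removes 344 of the 10,000 possible PINs, so the remaining space is barely smaller while the part of it that an attacker with three or ten guesses would try first is gone. Note the trade-off: an attacker who knows this exact filter gains a tiny edge (about 3.5%) on the remaining PINs, which is far less than the 17% a pattern-following user hands over by picking from the top ten. Use `secrets`, never `random`, for anything that is meant to be unpredictable.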