
Cracking PIN Numbers


PIN numbers are vulnerable to the same weakness as other passwords: people get to choose them. Many applications and phones rely on a PIN to lock access to the device. If a PIN is good enough to protect your bank card, then it's probably safe enough to protect your phone, right?

But phones tend to be much more lenient than banks when it comes to getting your PIN wrong. A bank card is typically blocked after three wrong guesses. Fruit based devices can be set to wipe after 10 wrong PINs (but only if that option is switched on), and Android by default only imposes increasing time-outs between attempts unless a device policy says otherwise, so an attacker usually gets at least 10 tries. How much extra leverage does that give an attacker? What if they have access to multiple devices and bank cards?

Most common three PIN numbers

Data from a recent (2014) breach gives us some answers. The most common PIN number in this set is 0000 (5.25%), closely followed by 1234 (4.15%) and 1111 (2.89%). These three PIN numbers alone make up over 12% of the data. If you only had three tries (read: a bank card at an ATM) these are the numbers to try.

A recent report by McAfee values your credit card and PIN at $200. If an attacker can work out your PIN at an ATM, they don't even need to take any money from your account to profit; they can simply sell the card and PIN on to someone else.

Top 10 most common personal identification numbers

These ten popular PIN numbers make up 17.2% of all PINs, way more than the 0.1% (10 out of 10,000) we would expect if people were choosing random numbers. The top 10 includes all of the expected unimaginative sequences: the single-digit runs such as 9999, 8888 and 4444 are in there. Sneaking in at number 7 is 2580, which is an obvious choice on a phone keypad (straight down the middle column). This gives a good indication that many people are sharing PIN numbers between their phone and their bank card, because 2580 isn't quite so obvious on an ATM.

At number 9 we have 4321, which shows that a tiny bit of thought has gone into not choosing the most obvious PIN, but lots of people had the same idea.

An attacker trying to access a phone protected by a PIN which allows 10 attempts would be able to unlock 17% of devices, without any technical know-how, just by trying these ten numbers. If you are sharing PIN codes then unlocking your phone would give someone quick access to your ATM card as well. Sharing PINs between devices is not a good idea.
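The attacker model above (three tries at an ATM, about ten on a phone) is easy to put into numbers. The following is an added example, not code from the original post: given a frequency table of observed PINs it computes how much of the population an attacker covers with a fixed guess budget, trying the most common PINs first, and compares that with the k/10,000 baseline for uniformly random PINs. The three leading counts reproduce the percentages quoted on the page; the remaining counts are constructed placeholders, not figures from the breach.

```python
"""Guess-budget coverage for PIN guessing attacks (added example)."""
from fractions import Fraction

PIN_SPACE = 10_000  # number of distinct four-digit PINs

# Constructed sample of a notional 10,000 PINs. The first three counts match
# the page's figures (0000 5.25%, 1234 4.15%, 1111 2.89%); everything after
# them is an illustrative placeholder and NOT data from the breach.
SAMPLE_SIZE = 10_000
SAMPLE_COUNTS = {
    "0000": 525, "1234": 415, "1111": 289,
    "1212": 120, "7777": 110, "1004": 100, "2000": 95,
    "4444": 90, "2222": 85, "6969": 80,
}


def ranked(counts):
    """PINs ordered most common first; ties broken lexically for determinism."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def guess_list(counts, budget):
    """The PINs an attacker should try, in order, given `budget` attempts."""
    return [pin for pin, _ in ranked(counts)[:budget]]


def coverage(counts, budget, sample_size=SAMPLE_SIZE):
    """Fraction of the population unlocked with `budget` guesses (exact Fraction)."""
    top = ranked(counts)[:budget]
    return Fraction(sum(c for _, c in top), sample_size)


def uniform_baseline(budget):
    """Coverage an attacker would get if PINs were chosen uniformly at random."""
    return Fraction(budget, PIN_SPACE)


def advantage(counts, budget):
    """How many times better than random guessing the frequency-ordered attack is."""
    return coverage(counts, budget) / uniform_baseline(budget)


def expected_unlocked(counts, budget, devices):
    """Expected number of cards/devices opened when each one allows `budget` tries.

    This is the 'multiple devices and bank cards' case: each one is an
    independent chance to hit a popular PIN.
    """
    return float(coverage(counts, budget) * devices)


if __name__ == "__main__":
    for label, budget in (("ATM (3 tries)", 3), ("phone (10 tries)", 10)):
        cov = coverage(SAMPLE_COUNTS, budget)
        print(f"{label}: try {guess_list(SAMPLE_COUNTS, budget)}")
        print(f"  covers {float(cov):.2%} of the sample, "
              f"{float(advantage(SAMPLE_COUNTS, budget)):.0f}x the random baseline, "
              f"~{expected_unlocked(SAMPLE_COUNTS, budget, 100):.1f} of 100 devices")
```

Swap in a real frequency table (one row per PIN, counts summing to the sample size) to get the page's headline numbers; the functions do not depend on the constructed placeholders.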

Most common 20 PIN numbers

With just these 20 PINs we have covered over 20% of the population's personal identification numbers. Here we start to see some personalization of the numbers. PINs starting 19XX are clearly birth years. The most common is 1972, which perhaps gives an indication of the demographic of people using their birthday as a PIN number. Dates drop off towards the 90's but pick up again in the 2000's. It looks like Gen Y know not to use their own birthday as a PIN, but Gen X is still using their birthdays, anniversaries or children's birthdays.
A staggering 9.87% of PINs start with 19XX. Make sure that if someone steals your wallet and phone, your PIN number isn't written clearly on your driver's license as your date of birth.

Two other numbers that jump out here are 2468 and 9876, neither of which required much imagination.

Further patterns in PIN codes

Other patterns that emerge are pairs of digits such as 1122 and 1212. In fact, nearly half of all PIN numbers start with 1XXX (33%) or 2XXX (15%), so an attacker who has exhausted the obvious sequences should keep guessing in that part of the keyspace.


What does this mean for protecting yourself?

Don't use a simple pattern for your PIN number (runs, repeated digits, pairs or keypad lines).
Don't use birthdays, anniversaries or other dates someone could find in your wallet.
Don't share PIN numbers between devices and ATM cards.
Use a proper random number generator to choose your PIN numbers.
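The advice above is easy to automate. The following is an added example, not code from the original post: a small checker that rejects the weak classes the post identifies (identical digits, constant-step runs such as 1234, 4321 and 2468, the 2580 keypad column, repeated pairs such as 1122 and 1212, and anything that looks like a 19XX or 20XX year), plus a generator that draws PINs from Python's `secrets` module (a CSPRNG, not `random`) and re-draws until one passes. The `KEYPAD_LINES` set and the optional `personal_dates` parameter (for rejecting dates you know are in your wallet) are my additions, not something from the page.

```python
"""Weak-PIN checker and random PIN generator (added example)."""
import secrets

# Straight lines on a standard 3x4 phone/ATM keypad, read top-down and bottom-up.
# Only the middle column (2580) appears in the page's data; the rest are an
# assumption about what else counts as a keypad pattern.
KEYPAD_LINES = {"2580", "0852", "1470", "0741", "3690", "0963",
                "1236", "6321", "4569", "9654", "7890", "0987"}


def is_run(pin):
    """True for constant-step sequences: 1234, 4321, 2468, 9876, 1357 ..."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps != {0}


def looks_like_year(pin):
    """Matches the 19XX/20XX birth-year block the page calls out."""
    return pin.startswith("19") or pin.startswith("20")


def weak_pin_reasons(pin, personal_dates=()):
    """Return a list of reasons `pin` is weak; an empty list means it passed.

    `personal_dates` is an optional collection of four-digit strings (years,
    MMDD/DDMM dates) that should also be refused.
    """
    if not (len(pin) == 4 and pin.isdigit()):
        raise ValueError("PIN must be exactly four decimal digits")
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("all digits identical (e.g. 0000, 1111)")
    if is_run(pin):
        reasons.append("constant-step run (e.g. 1234, 4321, 2468)")
    if pin in KEYPAD_LINES:
        reasons.append("straight line on the keypad (e.g. 2580)")
    if (pin[0] == pin[1] and pin[2] == pin[3]) or pin[:2] == pin[2:]:
        reasons.append("repeated pair (e.g. 1122, 1212)")
    if looks_like_year(pin):
        reasons.append("looks like a birth year (19XX/20XX)")
    if pin in set(personal_dates):
        reasons.append("matches one of your personal dates")
    return reasons


def random_pin(personal_dates=(), max_tries=1000):
    """Draw a uniformly random four-digit PIN from a CSPRNG and reject weak ones.

    Rejection sampling keeps the remaining PINs uniformly distributed over the
    non-weak set; only a few hundred of the 10,000 candidates are ever refused.
    """
    for _ in range(max_tries):
        pin = f"{secrets.randbelow(10_000):04d}"
        if not weak_pin_reasons(pin, personal_dates):
            return pin
    raise RuntimeError("could not find an acceptable PIN")  # practically unreachable


if __name__ == "__main__":
    for candidate in ("0000", "1234", "2580", "1122", "1972", "8306"):
        verdict = weak_pin_reasons(candidate, personal_dates=("0314",))
        print(candidate, "WEAK:" if verdict else "ok", "; ".join(verdict))
    print("suggested PIN:", random_pin(personal_dates=("0314", "1972")))
```

Note that the generator only fixes the "people get to choose them" problem; it does nothing about reuse, so generate a separate PIN for each card and device.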

