Infographic: How Criminals Guess Your PIN

aNewDomain.net – Forget the security issues surrounding the nascent e-payment ecosystem for a minute. There’s a bigger problem – and it’s as obvious as your Personal Identification Number, or PIN.

Odds are you’ve used a four-digit PIN a lot. And that means a field day for criminals. Plain and simple, as the infographic below demonstrates, most folks don’t care or don’t bother to set up a four-digit PIN that would survive about 20 guesses.

Try this on for size. According to a study of 3.4 million PINs by Data Genetics, nearly 27 percent of PINs could be guessed correctly within just 20 tries. That isn’t only because popular PINs like 1234 and 8888 reign – the single most popular PIN, 1234, accounted for 10 percent of all the exposed PINs in the study. It’s also because, with four digits, there are only 10,000 possible combinations. Couple the two and you’ve got a situation that stands to expose an awful lot of people to a whole lot of felony theft – all over a PIN.

What to do? Check out the infographic below and make sure your PIN isn’t among the most popular. Never write yours down. Change it frequently. And don’t be lazy about it. PIN theft is booming, for sure. But it takes two – you and the PIN thief working in concert – to tango.

How Safe Is Your PIN?
Infographic credit: BackgroundCheck.org

Gina Smith

Editorial Director at ANewDomain.net
Gina Smith is the NYT best-selling author of Apple co-founder Steve Wozniak’s memoir, "iWOZ: How I Invented the Personal Computer and Had Fun Doing It." She is editorial director at aNewDomain.net. Reach her at [email protected], Google + or @ginasmith888.
Tags: Downtime, IT Security, Tech Culture, Technology
  • Diana

    Thank you very much…this was very enlightening

    • MojoH

      Good article and Infographic. Nobody can guess my pin # because it is k8y89Zz4jh987a. ;-) LOL. M.H.

  • Bill X

    My wife couldn’t remember the ATM code so I had her set up the code in her address book. One of the names was a fake name and the last four digits of the phone number were her PIN.

    My passwords usually consist of 5 letter words + 3 randomly generated digits that Excel creates. So I might have a password like homer796 or raven815.

    • http://www.facebook.com/tessgoodman Tess Goodman

      Your password should never include a word that can be found in a dictionary. A cracking program would crack the passwords you indicated above in a few minutes. A better password is: mwcrtATMc815 (my wife couldn’t remember the ATM codexxx)

      • Willy

        There is a variation of using words that works. If you use 3 4-5+ letter words together that are somewhat random, a dictionary hack won’t work. It would have to guess all the possible combinations of all such words, and that’s beyond max computing power. You can use all sorts of variations of this to make it more complicated like using leet; putting numbers in between words; misspellings; etc. And if you don’t know what leet is, go to Wikipedia and find out.

      • http://www.facebook.com/profile.php?id=100003155916804 David White

        Actually, a password like “GunGnu!2” would take about two thousand centuries to guess, at one thousand guesses per second. Go to “www.grc.com/haystack.htm” to see how secure your passwords are.

  • Jeepinls

    I like using street address numbers from previous residences, employment. Old license plate tags are good, esp if there is an option for having letters interspersed. Former phone numbers, either yours or someone you have called a million times.

  • Herbert Lom

    The best password trick is creating a sentence and then using the first letter of each word switching a 1 for I and a 0 for O interspersing uppercase letters randomly. Doesn’t really work for a PIN but it’s a start.

  • expdelay

    Guessing goes away with a simple exponential delay for every failed entry. Besides, I have a 7 digit pin and it’s not a phone number.


  • ca5rlb

    well since obama has been in office and it costs me every fill up over 40 dollars they can have my pin i am just about broke on a monthly basis. by the way i hope he enjoys his vacation that me the tax payer is forced to pay for. hope he drops a ball in the pond and goes in to retrieve and is greeted by a popular reptile of florida. but this article was enlightening and no one could figure mine in just 20 tries or 500 tries. you would get carpal tunnel syndrome punching the key pad!

    • http://aol shirl

      correction: “your comment is awaiting moderation” are not my words. my comments started with, “just wondering”.

  • CIDPUSA dot Org

    I have learned to stay clear from the common numbers .8068


  • Al

    I just use a random number generator for my pins, then write it down for a week until I memorize it.. then burn it.

  • RC

    Only a PINHEAD would use something like 1, 2, 3, 4 or 0, 0, 0, 0 or 4, 3, 2, 1 or 1, 1, 1, 1, 1 etc.

    • jimmy

      No, just laziest people in the world who think that they will never get hacked in any way.

    • http://www.facebook.com/tmelvin2 Terry Melvin

      A PIN head

  • Jeff

    FYI since we’re talking about PIN… PIN DEBIT is coming to the Smartphone for same as cash payment transactions.
    The company is iPIN DEBIT. Kinda cool.. their device the iPIN plugs into a smartphone and users set up a 4 digit PIN and the info is triple encrypted. ipindebit.co.uk

    • marshall

      Regarding the Smartphone’s new PIN DEBIT, and the fact that it is “triple encrypted”.

      Doesn’t matter that it’s triple encrypted. Thieves and hackers are relentless in their pursuit of easy money. The fact that the information to access your accounts is transmitted electronically over the airwaves gives thieves an advantage. By experimenting with their own Smartphone and PIN DEBIT access, and using equipment that records transmissions from their phone, then entering this recorded info into computer programs designed to crack encryption codes, it is simply a matter of minutes before the corresponding transmissions are logged in relation to the PIN entries.
      I know that they are telling you: “it is very safe”. You wouldn’t sign up for the service if they told you: “unauthorized fraudulent access to protected money accounts is inevitable, in time”.

      • L

        Marshall, your line about “unauthorized fraudulent access to protected money account is inevitable, in time” is great and, often, so true. It sounds like a line right out of an SNL skit. I was reluctant to open an account with B. of A. which was conveniently located to my office. How many times have we read about B. of A. being hacked? Maybe B. of A. finally wised up & hired a hacker to head up security.

  • randydutton

    Why not set up trip wires that deactivate an account for ten minutes or so when obvious codes are attempted? Then also send an alert to the account holder, and, if it’s an ATM, have the photo sent to a fraud department?

    • Barbara Farmer

      Did you know that in a situation where you are being forced (like a mugging) to empty your account, you can enter your pin backwards? The ATM will dispense the money, but a silent alarm is sent to police and the ATM recording will be used to prosecute the criminals?
      That said, I also think it’s ridiculous for an ATM to give endless strings of guesses at a pin number.

      • DR

        Cool idea about the reverse PIN entry, but it’s an idea that’s just a proposal. It’s not implemented on any ATMs. And as the article points out, what about 1212 and 5555?

        http://en.wikipedia.org/wiki/ATM_SafetyPIN_software

        • Anthony

          No barbara, a backwards PIN does absolutely nothing but tell you your PIN is incorrect. Google it. This has been a hoax passed around for a decade now.

          If you’re going to continue to spread false rumors at least pick one that is newer than 10 years old, girlie.

          The idea was brought up in 1997 when I worked with Wells Fargo. The banking industry rejected the idea because it would be too expensive to implement, and it would create legal liability. Suppose you’re being robbed and you enter your PIN backwards, and the ATM is down and the police aren’t contacted. Next you’ve hired an attorney and are suing the bank because their system failed to save your life.

          • http://www.facebook.com/thesamarmstrong Sam Armstrong

            Really? “Girlie?”

          • craig

            the system “failed to save your life?” so you’re suing them from the afterlife?? interesting!
            ;)
            proof reading is a grand idea.

          • Lynae71

            “you’ve hired an attorney and are suing the bank because their system failed to save your life”

            - from beyond the grave??

          • tribbles

            If the system ‘failed to save your life’ I don’t think you’d be around to hire any attorney, much less sue.

      • billj357

        that is an urban legend.

      • http://www.facebook.com/Heepster Joe Cogan

        Urban legend. This would rule out symmetrical PINs like 1001, 2112, etc.

      • CJLinden

        FALSE — http://www.snopes.com/business/bank/pinalert.asp
        You chose between losing less than ~$1,000 (probably refundable), or your LIFE —

      • Tim

        That’s NOT true Barbara. That’s an urban legend. Check Snopes.com, you’ll see…

    • http://none John

      Excellent idea. I’m not a computer tech, but it seems to me that entering an incorrect PIN multiple times in the span of 10 seconds should set off an alarm

  • Charles Anderson

    Change frequently? Sooo . . . if i have a PIN that has served me well for years, I should change it and possibly hit one of the common ones?

  • Allan J Krueger

    It amazes me that these accounts are not locked out after THREE INCORRECT GUESSES? What kind of security is this if a BANK SYSTEM accepts an endless string of guesses at a password? Ridiculous!

    • Donald Lee

      Allan,
      Excellent idea. A simple method to enhance security of PINs.

    • CS

      WellsFargo does this…if you punch in your account# and then your PIN incorrectly three times, your account access from the number you’re calling from gets blocked, even if you hang up and punch in your PIN correctly the 4th time…and then you’re forced to answer security questions to a live individual before it can be unlocked.

  • Russ

    Watch out for “shoulder surfers” at an ATM or POS terminal in a store too. More than once, I’ve asked people behind me to move back as they were close enough to look over my shoulder and get my PIN. Then it would be a simple matter for them later to hit me over the head and clean out my account.

  • jimmy

    I’m surprised that keypad patterns didn’t come up more. As the author noted, 2580 is common. I would have expected to see 1470 and 3690, too.

  • SunSpots

    Thanks for posting this. 4 numbers really doesn’t seem to be enough considering the possibilities. It’d be a better idea to start making the pins 7 digits. Even better, have stronger penalties for hacking.

    • CJLinden

      It seems to elude everyone that a Criminal still needs a copy of YOUR ATM CARD, to even try and access your account…. While I realize card skimming occurs, what is the actual number of folks that ultimately get taken (the Bank never reimburses them) in a year — which is TOTALLY different from CC number theft…

      As to worrying about getting conked over the head — if I were a criminal, doing so at an ATM would be my last resort — “Smile”. Especially when you’ve got a 1 in 100 chance of dying in a car crash.
      http://well.blogs.nytimes.com/2007/10/31/how-scared-should-we-be/
      “Heart disease (1 in 5), Cancer (1 in 7), Stroke (1 in 24), Hospital infections (1 in 38), Flu (1 in 63), **Car accidents (1 in 84)**, Suicide (1 in 119), Accidental poisoning (1 in 193), MRSA (1 in 197), Falls (1 in 218), Drowning (1 in 1,134)… Other risks are in the 1 in 5,000+ range, @ less than 5,000/year, just how unlucky do you feel?”
      Assault, of ANY type, ain’t even in the noise level.
      Come’on folks, GET A GRIP!

  • deb

    thanks for the graphic. I’m going to share with our staff. we support people with developmental disabilities so they’re vulnerable to scams already. Also you should remind people that in other parts of the world your pin must be 4 digits to work on their ATMs.

  • Justin

    I see that my PIN is listed in PINS least used list so I’m safe.


  • Donald Lee

    Also avoid 5683. This spells “Love” and is a very popular PIN, particularly for cell phone thieves. The November 2012 issue of the AARP Bulletin has this tip and more on safer PINs.

  • Tatiana Kreinine

    I just choose something connected to a personal event- in other words- date of first date- first time you felt your child moving…first day you drove ALONE.. you get the picture- something that you alone would know…whats so hard about that?

  • Marie Karlsson

    We need to move beyond the usage of PIN numbers. Banks are so lazy in providing ways to prevent theft.

  • Dav Inchi

    A computer could be hooked up to try all 10,000 numbers in about 15 seconds. It seems strange that ATMs don’t exclude the most common codes, you know, just don’t accept them. Or at least they should shut off after six incorrect tries. Maybe they don’t care if you get ripped off. Like anything else, PINs are meant to keep amateurs out. Professional crooks will find a way.

  • Rod Pieper

    Encourage your bank to move to OTP/SMS — ‘One time passcode through Text messages’ walk up to your ATM, cash register, when you insert your card the system generates a passcode (normally 6 digits) and sends it to you. You use that as your one time PIN and it expires after use or short time period (perhaps a minute). Next step is the bank verifying through GPS that the phone is near the point the card is being used.

    • no phone

      What if you don’t have a phone?

      • sabrina

        So Rod, you’re assuming people who need money at the atm always have charged cellphones. Cool world you live in….

    • Reading this article

      Brainstorming is the way to find good solutions. Some ideas work, some have issues that need to be overcome. The problem I see with this one is all a thug has to do is stand by the ATM, hit you over the head, grab your phone, and get the new pin.

  • Audrey

    I’m glad to see some stores have installed key pads with little security “hoods”. I was in the checkout line one day and the keypad didn’t have a “hood”, so I cupped my left hand over the pad as I punched in my number. Apparently, people DO watch you because I heard the B***h behind me say, “She must think somebody gone try and steal her money. Look how she hidin’ it. She ain’t got none no how”. I ignored her (because she was twice my size and had her BFF with her) but I wanted to reply so badly I had to bite my tongue.
    And another trick to watch out for……You know those security cameras in stores, positioned over the cash register? A savvy criminal employee can go into the security room and watch you press in your PIN. Let the buyer beware!!!!

    • Peter Griffin

      Let me guess, she black?

  • Jonathen Rose

    HMMMPH that is good advice

  • Dave Seavy

    Audrey brings up a valid point about store security cameras. We’re in that business and we’ve had clients ask us specifically to get a good shot of the terminal when we do a final aim during installation. We always refuse. There’s a good case to be made for invasion of privacy when the terminal’s activity can be clearly seen and monitored visually/recorded. While you should assume you have no privacy expectations in a store (except changing areas and restrooms) the store has an obligation to keep certain information private, including when you enter your pin. Privacy hoods on terminals are a start, but if you watch people, it doesn’t take long to figure out their code just by finger position and movement. There’s really no 100% safe method when it comes to PIN entry, but the more you shield the keypad, the better the chances others won’t get your code.

    • craig

      this is why i have always positioned my hand over a keypad and moved my thumb and first finger over the numbers as i’m hitting them, while in reality i’m hitting my actual numerical keycode into the terminal with my ring finger, which is hard to tell it’s moving since it naturally curves at the joint anyway. fool proof method! it looks like two of my fingers are entering numbers but it’s actually my ring finger doing the work! of course i suppose you must be as good at multi-tasking as i am, to make sure you can both enter your real code with your ring finger while touching the false keys with your thumb and first finger at the exact same time. it came naturally to me, so perhaps it will for you, too! practice at home on the number keys on the right side of your keyboard to learn how it feels. trick everyone! you can use a different finger, such as your middle finger, to enter the “real” code while touching the “fake” code with your first finger if that’s easier for you. i just found the ring finger to curve so naturally against the keys it worked best. experiment!

      • pogivic19

        middle finger. that should do it.

  • Asolo

    You can get double teamed at the check out with a guy on one side and his girl friend on the other. Also had to deal with this on a keypad door lock. A couple that lived in my building would just happen to be visiting next door when I got to my door. One stood off to one side while the other was watching from the other side.

  • Asolo

    I have had people tell me it doesn’t matter with a bank card because the crook would still need the card. Obviously these people aren’t taking their thinking to the next obvious step which would be for the crook to try to get the card somehow.

    • Reading this article

      Twice my bank has called me to ask about fraudulent use of my debit/credit card. Both transactions were out of state and I had the card in my possession. Whether the card numbers were stolen from online use or from some sort of sensor inserted in the card machine is unknown. Per the bank’s instructions I do not use my PIN at machines that can be accessed by the public, I always pay as “credit.” However, both fraudulent uses were as credit card purchases. The first time they got about $450 worth of goods at three stores (fortunately my bank reimbursed me.) The second time the purchase was denied. The bank (or its computer) saw a purchase on the east coast when an hour before the same card had been used to purchase gas in the SW. Doing the math they didn’t see any way for the card to physically move that far in that amount of time. Oh, and when I say bank I mean credit union.

  • Ana Cantu

    I really like Allan and Rod’s suggestions to increase security. Two-step identification in particular would be great.

    Ana Cantu
    Managing Editor
    Tech Page One

  • Jennifer

    So do you usually include hacked links in a story about tech security?

    • Ana Cantu

      Thanks for letting us know, Jennifer! We removed it.

      Ana Cantu
      Managing Editor
      Tech Page One

  • lauren

    …that info graphic has information in it from 1990…. think we could find some CURRENT information?….

  • Rhea Lopez

    They don’t need the actual card….if they get the numbers they take blanks and make one, those can be used in any store by pressing credit instead of debit….I agree use a personal date of something specific to you only…Also if you have memory issues putting it somewhere as a fake address or phone number is a good idea especially if you keep a real address book…..

  • Joe Collins

    The morons at Citibank went from a 6 digit pin to a 4 digit pin. When I asked why since the odds for fraud increased dramatically, the idiot from the bank replied that “This is what they do in Europe and we want to be like them”!!!! The fall of Rome is being repeated right in front of us.

  • Alan

    Mine’s 2394! Whoops….


  • BobMc

    When I have to enter a pin, I use my body and a hand as a shield, then start punching at the keyboard with two fingers, only making contact every few pokes, until I have entered the numbers. I keep poking before I hit the Enter. I believe that will make it far harder to capture the numbers from keyboard position.

    To make long, hard to guess passwords (not a PIN), have easy to remember digits, but hold the shift-key down when typing them. Passphrase: “I Was 24 In 1997” becomes password IWas24In!((& OR it could be IWas@$In1997. A lot of systems require a numeric digit, so I use a form similar to those shown.

  • margaretbartley

    Develop a personal code, maybe add 1 to each digit, using the first four digits of your account number.

    So if your account number is 390 538 2930495, then the first four digits are 3905. Add 1 to be 4016. That’s your PIN.

    Or subtract 1 and use the third to sixth digits, making a seed of 0538, giving a password of 2750. It’s easy to remember, no need to write it down.

    If you are given a password, then use the same logic, but put a 3 between the 2nd and 3rd digits.

    If you are given a PIN of 3806, write 43917 (if you are adding 1 to each digit, and putting a 3 in the second position.) then you can write that down on your card. No one would connect 43917 to 3806.

    Make up your own rule. You might want to do the trick of writing it in an address book or fake phone number at first, to back up your memory. But after time, it will become second nature, and is very fast and convenient.

  • pinhead

    1-2-3-4-5? That’s amazing! I’ve got the same combination on my luggage!

  • Rhows

    Change it to the date of the day you change your PIN. That’s random and you’ll remember it.

  • paul gerko

    It is only 3 tries for any pin. A card will be swallowed after 3 attempts.
    Stop spreading panic.

  • janice

    I agree totally

  • Jim Donaught

    I have a 4-digit number written on the back of my card. It’s nowhere near the actual PIN, but I bet it would get a thief to use up all the guesses my bank allows.

  • Jim Donaught

    Thieves have gone high tech – they’ve been known to set up tiny digital cameras at ATMs, so even if nobody’s in sight you’re still not 100% safe. In the course of entering your PIN, it’s wise to lightly tap extra keys at random. (It takes very little practice to make this second nature.) Anyone trying to poach your number won’t be able to tell which keys were actually pressed.

  • JamesG

    Four-digit PINs are too short, something IIRC the Europeans advocated. Stealing a six digit number is more than 50% difficult than a 4 digit.

  • Eddie

    Be safe all the time… 1) Plan your needs for the day; 2) Go in to the bank to get what you need for that day only, and no more; 3) write checks instead; carry no more than $4 or $5 or $10 on your person, in wallet or purse… if you find you must use a public ATM, look around anxiously, and wave as though signaling to someone nearby in different locations, and even speak loudly to that/those imaginary person, by saying something like, “I’ll only be a minute…”, then say into your cell phone, “Okay, go ahead and take the picture now,” thus making it look/seem to any possible thug that you are being watched; look anyone behind you right in the eyes and tell them they can go ahead of you if they wish to, as you step away to let them in…

  • http://www.johnclarkprose.com Johnny

    I have ten million dollars in my bank account, and I use the first letters of God Save The Queen. Nobody will ever guess it, and I know my money will always be safe!

  • Betty

    Not to mention, if your purse has been stolen, the crook now has your ATM card and your phone… much easier than guessing.

  • paul

    Morons! ATMs don’t have letters

    • marqui

      Sure they do. Take a closer look.

  • http://twitter.com/bohemiotx Joffre (J.D.) Meyer (@bohemiotx)

    I use a year from history that’s very important to a country that’s not the U.S. Aren’t I vague?

  • Paul Tooley Sr

    I must congratulate all who’ve given so much info to the crooks. They’ll have a feast with all this info.

  • me

    For those people discussing regular passwords as opposed to PINs:

    I’m surprised nobody has mentioned xkcd.com yet.
    http://xkcd.com/936/

  • techie

    My PIN started out as 8 digits 30 years ago.. but then some of the POS/ATM networks started limiting it to 4 digits.. My card worked fine at my bank, and at most ATMs, but some POS terminals would reject it. My current bank issues 4 digit PINs, and it is a royal PITA to change them.
    They also won’t let me delete one of my phone numbers online, even though that number has been dead for several years, simply because my address is a PO box (which isn’t changing, nor is the other phone number.)

  • http://www.facebook.com/profile.php?id=100004338040543 John Bond

    Too bad they make you change your pin often

  • Fry

    My pin is easy to remember, it’s the price of a cheese pizza and a large soda, 1077.

    @me My Google Chrome home page is Password Strength 936 :)

  • OlderButWiser

    Once the immigration bill is passed that will require every person in this nation to give the federal government their fingerprints in order to work or leave the country on a trip, PIN numbers will quickly become obsolete.

    Your fingerprint will become your PIN number.

    They are requiring students in a Florida school district to submit to retinal scans to get on and off the school bus. To enter the school.

    • Daniel Berman

      Honestly now, what kind of school district can afford a retinal scanner on their school bus? Link please