Walking on PINs and Needles
Brian Tokuyoshi - Product Marketing Manager
I had a recent conversation with a friend who just opened a new checking account at a major national bank. My friend was complaining about the difficulty remembering her PIN (personal identification number) for her ATM card because of the policies for the number.
It’s usually passwords that people complain about when it comes to difficult policies. Typical policies require that passwords be no shorter than 6 characters and contain a mix of upper/lower case letters, numbers, or symbols. Such policies often make the password computationally safe from a dictionary attack, but users find the resulting password so hard to memorize that they need a written reminder in order to recall it later.
So I found it interesting that this is a scenario where the PIN was difficult to use. PIN numbers for ATMs are typically numeric only, so there isn’t the same complexity of alphanumeric characters. I asked my friend about the policy. Apparently, this bank requires that all PINs are four digits long (no longer, no shorter) and it may not start with zero. My friend was used to using the same seven digit PIN on her other bank cards, and thus it wouldn’t work at this particular bank.
I thought the policy was strange too. Why not allow zero as the most significant digit? A zero is a perfectly valid digit, as valid as any other. My guess is that the bank’s computer systems store the entire PIN as a single integer, which makes a leading zero insignificant, so the zero would be lost. This probably also explains why the bank doesn’t accept PINs shorter than 4 digits: it would have trouble differentiating the PIN 0222 from the integer 222.
Now think about the number of combinations possible under this bank’s PIN policy. If the bank accepted zero as the most significant digit, there would be 10x10x10x10=10,000 different combinations for a four digit PIN. But zero is not allowed as the first digit, which instantly eliminates every combination where zero comes first. Thus 10x10x10=1,000 combinations are not possible.
So the effective security of this PIN shrank from 10,000 possible combinations to 10,000-1,000=9,000 combinations. That’s 10% less security from what seems like an oversight in fairly basic coding practices.
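To make the integer-storage guess concrete, here is an added example (not code from the post or from any bank) that models both back ends side by side: a lossy one that stores the PIN as an integer, and one that keeps it as a fixed-width digit string. The helper names are hypothetical, and the PIN is kept in the clear only for illustration; real systems hold PINs in HSM-protected form.

```python
"""Model of the leading-zero PIN defect: integer storage vs digit-string storage.

Added example; enroll_*/verify_* are hypothetical helpers that imitate a
bank back end. PINs are stored in the clear here purely for illustration.
"""
import hmac

PIN_LENGTH = 4


def enroll_as_int(pin: str) -> int:
    """Lossy storage: int('0222') == 222, so the leading zero is gone."""
    return int(pin)


def verify_as_int(stored: int, candidate: str) -> bool:
    """'0222' and '222' both verify against the same stored integer."""
    return int(candidate) == stored


def enroll_as_string(pin: str) -> str:
    """Keep the PIN as a fixed-width digit string; reject anything else."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError(f"PIN must be exactly {PIN_LENGTH} digits")
    return pin


def verify_as_string(stored: str, candidate: str) -> bool:
    """Exact comparison of the digit strings, in constant time."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


def keyspace(length: int, allow_leading_zero: bool) -> int:
    """Distinct PINs a policy admits: 10^length, minus the leading-zero block."""
    total = 10 ** length
    return total if allow_leading_zero else total - 10 ** (length - 1)


if __name__ == "__main__":
    stored_int = enroll_as_int("0222")
    print(verify_as_int(stored_int, "222"))        # True: 0222 and 222 collide
    stored_str = enroll_as_string("0222")
    print(verify_as_string(stored_str, "222"))     # False: leading zero preserved
    print(keyspace(4, True), keyspace(4, False))   # 10000 9000
```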
ATM security depends on two factors (possession of the card and knowledge of the PIN), so brute forcing the PIN number is not the most likely avenue of attack, and this PIN policy isn’t really a security hole. It’s just an example of not taking advantage of all of the security that is available.
The real lesson here is to define requirements early so that there is a clear expectation of the requirements beforehand. A little extra planning and documentation goes a long way towards avoiding compromises in the quality of your security services.