Think about how often you use a personal identification number (PIN) in everyday life. If you are like most everyone, you use a PIN primarily for critically important transactions: your ATM card, credit card, frequent flier account and if you are the least bit security conscious, your mobile phone. Sadly, Symantec’s recent 2012 Norton Cybercrime Report states that only one-third of mobile device users surveyed have activated some form of mobile security on their device. But that third might be surprised to know there is a fairly good chance if they are using a PIN (sometimes called a Passcode) to lock their mobile device it may not be as secure as they would believe.
This isn’t one of those classic tales of hackers sniffing numbers out of thin air with covert listening devices. No, instead it’s about the choices we make for those numbers used for our PIN codes. A data researcher has shown that our choices are not very good. In fact, they are quite bad. In September of 2012, Nick Berry of DataGenetics legitimately analyzed over three million four-digit PIN codes available through his research on compromised data from multiple sources. What he discovered was we are creatures of habit and convenience, and that can lead to greater risk.
Berry found the most common four-digit PIN out of 10,000 possibilities was – “1234”. How common? It was used by 11% of the three million-plus record database. The numbers “1111” and “0000” came in at 6% and 2% respectively. Rounding out the rest of the top ten were the straight combinations of like-numbers (i.e. “2222”, “3333”, etc.).
Now let’s put that knowledge into context. This doesn’t mean these ten numbers are the top PINs used universally, but you have to admit by using a sample of over three million numbers, the odds are pretty high they are indeed likely to be the most popular. That being said, it’s probable a hacker who tries these ten PINs alone would be successful on nearly 27% of all mobile devices.
“But wait!” you say, “I don’t use numbers like that – I use the location of the keys as my guide!” Well, if you use “2580” – which are the four numbers straight down the keypad of most phones - you’ll be disappointed to know that was the 22nd most popular PIN.
No popularity contest would be complete without a loser, or in this case a winner by being the least common PIN, “8068” (of course now that this number is out, it’s no longer a good choice). Neither are birth years, that is to say numbers starting with a “19”. All of the “19xx” PIN combinations (1900-1999) in Berry’s research were found in the top fifth of the data.
This information may be discouraging, as you likely have seen your PIN show up already in this post. Perhaps you would prefer a longer numbered PIN such as six or seven. Sadly, Berry’s research shows that we tend to only lengthen the identical problem; “123456” and “1234567” were the top PINs in those categories.
So where do we go from here? What is the best PIN for my mobile device? The answer is the same as it would be for anything we like to label as secure: use layers. The fact you are using a passcode of any kind to lock your device is the first layer. Not writing down or using the same PIN for everything (ATM, voicemail, etc.) is also helpful in stopping one compromised PIN from ruining your day (or life). Using a strong PIN is next (and since we know which ones NOT to use, this might be easier than it was before). The next layer up is take advantage of letters as well as numbers, as this makes it far more difficult for a hacker to guess your PIN (the iPhone offers this feature). Finally, continually changing your PIN is a great way to help reduce the possibility of compromise.
How many layers you choose to use will be a decision you have to make while weighing convenience over security. This should be easier now that we can easily see our old habits are not as unique or secure as we once thought.
About the Author:
John Ceraolo is the chief security officer at 3Cinteractive where he directs the organization’s enterprise risk management, business continuity, and information security. Ceraolo has been leading security initiatives within global organizations for over 20 years.