We are at an interesting tipping point in terms of Internet access. We have just passed the point where there are more mobile devices on the planet than humans, and we will shortly pass the point where the Internet is routinely accessed via mobile devices more often than by laptops and desktops. Current projections show that by 2016 there will be 8 billion mobile devices and 25% of users will have more than one.

Our smartphones and tablets now contain information that is every bit as sensitive as that stored on our personal computers. And, if the device itself doesn’t hold the information, it almost certainly acts as an access point to your sensitive data online.

Amongst those of us who study cyber security, therefore, mobile devices attract a lot of attention with respect to how easily they can be cracked. There is a remarkable amount of information on how to circumvent the various controls on mobile devices. Just take a look at sites like for extensive details on the Android platform, or for forensics toolkits that enable mobile device access (although such tools are increasingly being restricted to law enforcement agencies).

Being a computer scientist I find this fascinating, but in addition to being a computer scientist who studies cyber security, I am also a statistician, and I have long suspected that a PIN is not the random number that many assume it is. With so many devices still reliant upon PINs for their security I find myself asking if this more detailed, technical research is perhaps tackling a molehill when there is a mountain of a problem inherent in the use of PINs.

The majority of PINs are four digits only. Some bank ATMs had six digits when originally introduced, but even those appear to have now adopted the standard four digit format. This four digit PIN has been carried over onto the mobile devices, on which we all now store our treasured secrets. The simplistic view is that if I pick up a device and attempt to guess the PIN, then it is just as likely to be 0000 as it is 9999, i.e. a chance of 1 in 10000. Most systems lock access after three incorrect guesses, so the probability of an attacker guessing your PIN is actually 0.03%, or so the designers hope.

In February 2003 researchers at Cambridge University published a paper which analysed how so-called Decimalisation Table Attacks can increase the chances of guessing a PIN. They showed that, using standard computing facilities in a 30 minute “lunchtime” attack, they could correctly guess 7000 PINs rather than the expected 24. This might cause alarm, but the attack was relatively sophisticated, and it is likely to be restricted to dedicated, technically literate thieves. It is, though, an indication that PINs are a weak link in the chain.

My real concern has always stemmed from the fact that there is a very non-random element to the whole process of producing PINs: people. If we are allowed to choose the PIN, then we typically do not decide upon a random number; we select something that is memorable to us personally. When a bank issues a PIN they generate a random number, but many allow you to reset the number to something that you find more usable. In a flash, all the randomness in the original number is gone, and the PIN becomes a lot easier to guess.

Some banks do have prohibited lists of PINs. For example, some will not allow you to reset it to 1111 or 1234. Theoretically, such a number is just as random as any other four digit PIN but, being human, we choose some numbers more regularly than others, and these are the ones on the proscribed lists. However, not all banks provide such safeguards, and it is a rare mobile device that will not allow you to choose a particular PIN.

My long-held concern that human-chosen PINs were weak was confirmed when my colleagues at Cambridge did a survey which they published only a few weeks ago. I was truly shocked. With access to minimal personal information they were able to guess a PIN correctly more often than once in every 20 guesses. The most often used PIN was, yes you guessed it, the user’s birthday.

Just imagine the scenario where you have your smart phone or tablet stolen. Maybe you’re on a trip and it’s stolen, or you’re burgled and the thieves walk off with the most valuable of your portable assets. Whatever the circumstances, it is highly likely that you will have your phone, wallet, and passport or briefcase stolen. Now take a look in your wallet, and you’ll quickly realise that you have quite a bit of personal information in there. We nearly all have our birthday on something like a driver’s licence. So it is easy to guess a PIN if it is set to something as obvious as your birthday.

Secret knowledge stored in the human memory remains the most widely used means of human-computer authentication. Think of it as something you know, in contrast to biometrics (something you are) or hardware tokens (something you have). If that secret is to be something as simple as a four digit PIN, then it really is vital that it is as random as possible. So, choose a PIN that cannot be easily related to you, and certainly not something that you might easily pick up from information in your wallet.
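The two points above, that a bank's prohibited list and a PIN unrelated to your wallet contents are the practical defences, and that a non-random choice collapses the 0.03% figure, can be made concrete in a few lines. The code below is an added example, not part of the original post and not any bank's or vendor's implementation. It assumes four-digit PINs and a three-guess lockout as described above; the blocklist rules (repeated digits, digit sequences, date-like PINs, PINs derivable from a birthday) and the skewed distribution used for comparison are my own constructions for illustration, not measured data.

```python
"""Added example: a defensive PIN policy check plus a small calculator that
shows how a non-uniform PIN distribution changes a three-guess attacker's odds.

Assumptions (mine, not the post's): four-digit PINs, three guesses before
lockout, and a constructed, illustrative skew rather than survey data."""
from __future__ import annotations

from datetime import date
from typing import Optional

PIN_SPACE = 10_000  # all four-digit PINs, 0000..9999


def is_repeated(pin: str) -> bool:
    """1111, 2222, ...: a single digit repeated four times."""
    return len(set(pin)) == 1


def is_sequence(pin: str) -> bool:
    """1234, 4321, 0123, ...: consecutive ascending or descending digits."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def looks_like_date(pin: str, today: Optional[date] = None) -> bool:
    """DDMM, MMDD, or a plausible four-digit year (1900..this year)."""
    today = today or date.today()
    a, b = int(pin[:2]), int(pin[2:])
    day_month = 1 <= a <= 31 and 1 <= b <= 12
    month_day = 1 <= a <= 12 and 1 <= b <= 31
    year = 1900 <= int(pin) <= today.year
    return day_month or month_day or year


def derived_from_birthday(pin: str, birthday: date) -> bool:
    """PINs trivially derivable from a birthday printed on an ID card."""
    d, m, y = f"{birthday.day:02d}", f"{birthday.month:02d}", f"{birthday.year:04d}"
    candidates = {d + m, m + d, y, m + y[2:], y[2:] + m, d + y[2:], y[2:] + d}
    return pin in candidates


def check_pin(pin: str, birthday: Optional[date] = None,
              today: Optional[date] = None) -> list[str]:
    """Return the reasons a PIN should be rejected; an empty list means accept."""
    if len(pin) != 4 or not pin.isdigit():
        return ["must be exactly four digits"]
    reasons = []
    if is_repeated(pin):
        reasons.append("repeated digit")
    if is_sequence(pin):
        reasons.append("digit sequence")
    if looks_like_date(pin, today):
        reasons.append("looks like a date or year")
    if birthday is not None and derived_from_birthday(pin, birthday):
        reasons.append("derived from the account holder's birthday")
    return reasons


def success_probability(distribution: dict[str, float], guesses: int = 3) -> float:
    """Chance that trying the `guesses` most likely PINs before lockout succeeds."""
    top = sorted(distribution.values(), reverse=True)[:guesses]
    return sum(top)


def uniform_distribution() -> dict[str, float]:
    """The designers' model: every PIN equally likely."""
    return {f"{i:04d}": 1 / PIN_SPACE for i in range(PIN_SPACE)}


def skewed_distribution(hot: dict[str, float]) -> dict[str, float]:
    """Constructed skew: the given PINs take `hot` mass, all others share the rest."""
    rest = (1.0 - sum(hot.values())) / (PIN_SPACE - len(hot))
    dist = {f"{i:04d}": rest for i in range(PIN_SPACE)}
    dist.update(hot)
    return dist


if __name__ == "__main__":
    print(check_pin("1234"))                                    # ['digit sequence']
    print(check_pin("1503", birthday=date(1985, 3, 15)))        # date-like and birthday-derived
    print(check_pin("8372"))                                    # [] (accepted)
    print(success_probability(uniform_distribution()))          # 0.0003, the 0.03% figure
    # Illustrative skew (constructed, not survey data): 12% of users on three PINs
    print(success_probability(skewed_distribution({"1234": 0.06, "1111": 0.04, "0000": 0.02})))
```

The policy check is the mitigation side: it implements the kind of prohibited list some banks already apply and extends it to reject anything a thief could read off a driver's licence, given the account holder's birthday at enrolment. The calculator is the risk side: with a uniform distribution the three-guess success rate is exactly the 0.03% the designers hope for, while with even a modest constructed skew the same three guesses succeed far more often, which is the whole point about human-chosen PINs.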

Better still, consider one of the newer forms of securing your mobile device and abandon those old-fashioned PINs.

Image: in public domain, from user Sprocket at Wikimedia Commons.