Wednesday, May 30, 2012

Analyzing PIN codes

[ A load of PIN codes visualized ]
You can click the image above to see it full size. It is a heatmap generated by us (@KluZz and myself), and the data are 4-digit PINs extracted from a physical access control system. According to the system operators, more than 50% of the PINs are believed to be selected by the users themselves, while the remaining ones are randomly generated by the system when a new 'user' is created and a physical card is issued. The complete data set includes PINs for guest and visitor cards, etc.
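To show what such a heatmap is built from, here is an added Python example (not the code KluZz wrote; the PIN list is constructed sample data, not the data set behind the heatmap). It lays 4-digit PINs out on the first-two-digits by last-two-digits grid the heatmap uses, and computes two numbers worth reading off the same data: how much of the population the most common PINs cover, and how many PINs look like dates.

```python
from collections import Counter

# Constructed sample population (NOT the real data set): a few memorable
# PINs recur, as user-chosen PINs do, alongside system-generated random ones.
SAMPLE_PINS = (
    ["1234"] * 6 + ["1111"] * 3 + ["0000"] * 2 + ["2580"] * 2 + ["1990"] * 2
    + ["1985", "0412", "2305", "7391", "8264", "5037", "6158", "4920"]
)

def pin_counts(pins):
    """Count valid 4-digit PINs, silently skipping malformed entries."""
    return Counter(p for p in pins if len(p) == 4 and p.isdigit())

def heatmap_grid(counts):
    """100x100 grid, row = first two digits, column = last two digits.

    This is the layout of the Cambridge paper's heatmap: a year like 1990
    lands in row 19, column 90, so years form a band, and repeated digits
    (1111, 2222, ...) line up on the diagonal.
    """
    grid = [[0] * 100 for _ in range(100)]
    for pin, n in counts.items():
        grid[int(pin[:2])][int(pin[2:])] += n
    return grid

def top_k_coverage(counts, k):
    """Share of users whose PIN is among the k most common ones.

    Under a lockout policy that allows k wrong attempts, this is the success
    rate of a guesser who knows only the population statistics, which is
    the risk a 4-digit PIN used as a second factor has to be judged by.
    """
    total = sum(counts.values())
    return sum(n for _, n in counts.most_common(k)) / total if total else 0.0

def date_like_fraction(counts):
    """Share of PINs that read as DDMM, MMDD or a year 1900-2099.

    These are the PINs a known birthday exposes; measuring them is the
    defender's version of the paper's "birthday present" argument.
    """
    def is_date_like(p):
        a, b = int(p[:2]), int(p[2:])
        return ((1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)
                or 1900 <= int(p) <= 2099)
    total = sum(counts.values())
    return sum(n for p, n in counts.items() if is_date_like(p)) / total if total else 0.0
```

Feed `heatmap_grid` to any plotting library as a 100x100 matrix to get the picture above; the two fractions are the numbers to quote when arguing about how many tries a lockout policy should allow.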

In keeping with Norwegian privacy law, we neither requested nor received any ownership information for the PINs, so they cannot be traced back to individual users.

Now you may ask: why did we do this?

1. A birthday present every eleven wallets? The security of customer-chosen banking PINs (PDF)
A paper by Joseph Bonneau, Soren Preibusch & Ross Anderson at Cambridge University. Amazing work, and we fell in love with the heatmap on page 6. But please, do read the entire paper, and visit their blog!

I called my friend & colleague Jan Fredrik (KluZz) from my car, on my way to get my daughter at kindergarten. I told him about the paper & their findings, and told him I wanted to do something similar. Of course with better data, which to us means data whose origin we know: live data from a live system in daily use, instead of randomly collected data, questionnaires, etc.

Now KluZz is a rare creature - in a very positive way. Any programming challenge I throw at him, he solves before going to bed - although it can get pretty late. :-) So the morning after, I got what I requested. You will probably get access to it too, pretty soon. Code version 2 - release candidate - is in the works.

2. This Lifehacker article
Based on information from the above paper. There is also more text + video available at Mashable, and John Markoff has a story at the New York Times blog.

At least to me, a PIN code is a password. A pretty simple one in fact. I kind of enjoy the moments where someone comes up to me and says: "we're using 2-factor authentication with solution XYZ, and I bet you cannot beat that, can you? hah!". I guess chances are high we're talking RSA SecurID hardware tokens, with user-selected 4-digit PINs to go with the OTP and the username, which is easily found in many cases. Essentially they are dropping the good old password and replacing it with a really bad one (a 4-digit PIN, no complexity requirements, no frequent forced change). Although the attack doesn't scale - you need to collect hardware tokens - a few will probably be enough. Let's say that eleven will do (see the paper title above). :-)

3. True or false?
I must admit - we do tend to disagree not only with each other, but with everyone else as well. At least until we see more proof of any claims made. Compare our heatmap to those provided in the paper from Cambridge. It seems as if we have pretty similar patterns, yes? :-)

It's past midnight - again - time to go to bed. More to come, and watch our recording of Howard Smith (Oracle, UK), "Take the cucumbers! An analysis of user selected PIN numbers" at Passwords^10 (509MB, MP4 format).