Unless you’ve been living under a rock, you surely have a bank account. And these days, that is synonymous with having an ‘ATM card’ or a debit/credit card. As you already know, in order to use such a card in ATMs or at POS (point of sale) terminals in grocery stores or supermarkets, you have to authenticate it using a unique 4-digit number known as a PIN (Personal Identification Number).
You have almost certainly observed another rather interesting thing about these PINs – the fact that they are usually just 4 digits in length. One would expect that the card PIN, which protects your entire bank account, and, in turn, stores your hard-earned money, would be much more complicated… but it’s not!
On the other hand, the numerous accounts that you have on the Internet usually urge you or even compel you to choose hard-to-guess passwords that consist of various special characters.
In fact, if you have access to the ‘Internet banking’ feature of the very same account, you’d know that the bank website makes it mandatory for you to choose a password that consists of at least one numeric digit and a special character. Also, many banks go a step further and make it mandatory for you to change your passwords every 2-3 months! Clearly, banks want to make sure that you choose a very ‘intelligent’ password for your online account, so why are most ATM card PINs (usually) just 4 digits long?
Methods of authentication
The major forms of authentication revolve around three things: something you are, something you know and something you have.
In some places, you are granted or denied access to highly confidential areas following a retinal scan. Retinal tests, like fingerprint tests, tongue print tests etc., fall under the realm of biometrics (something you are).
Similarly, the passwords to your online accounts fall under ‘something you know’. Finally, an ATM card comes under the category of ‘something you have’.
When you have an ATM card and its PIN with you, you satisfy two of those three types of security, i.e. ‘something you have’ (the card itself) and ‘something you know’ (the PIN). Therefore, banks and financial institutions allow you to have just a 4-digit PIN, as it’s comparatively easier to remember than a 6- or 7-digit one. However, it also makes the PIN (a little) more vulnerable to brute-force attempts, but that’s a tradeoff between convenience and a limited threat.
Brute forcing ATM PINs
Brute forcing is an attempt to determine a password by systematically trying every possible combination of numbers, letters and symbols until the correct combination is arrived at.
Brute forcing in the case of ATM PINs would mean that a hacker would try combinations like 0000, 0001, 0002, 0003 and so on. They could also try the most commonly used PINs first, like 1234, 4321, 2222, 9999 etc. until they arrive at the right combination and hit the jackpot (pun intended).
Why are ATM PINs (relatively) safe against brute forcing?
Fortunately for users of ATM cards, banks establish a limit as to how many times an incorrect PIN can be entered with your card. Thus, if you enter wrong PINs three times in a row, your card will likely get blocked (at least for that day). Then you have to actually go to the bank and get a new card.
This means that a person would first have to have your card, and they would then get only 3 attempts to gain access to your account. Although tools do exist that make brute forcing relatively easier than it appears on the surface, for an average person (who somehow got their hands on your card), determining your 4-digit PIN through pure guessing is very, very unlikely.
That’s why banking institutions allow their ATM PINs to be just 4 digits in length. However, it doesn’t mean that you should choose a 4-digit PIN. The more digits you add to your PIN, the safer it gets (although it becomes a little harder to remember too). For that reason, many banks make it mandatory for their users to choose 6-digit PINs.
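To put numbers on that, here is a small model of the three-attempt limit, added as an illustration and not taken from any bank's system. The `Card` class, the sample PIN and the assumption that PINs are picked uniformly at random are all constructed for this example.

```python
import hmac
from fractions import Fraction

MAX_TRIES = 3  # the three-wrong-attempts limit described above


class Card:
    """Toy model of a card whose verifier counts consecutive wrong PINs."""

    def __init__(self, pin: str):
        self._pin = pin              # constructed sample value
        self.wrong_in_a_row = 0
        self.blocked = False

    def verify(self, guess: str) -> bool:
        if self.blocked:
            return False             # a blocked card rejects even the right PIN
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.wrong_in_a_row = 0  # a correct entry resets the counter
            return True
        self.wrong_in_a_row += 1
        if self.wrong_in_a_row >= MAX_TRIES:
            self.blocked = True
        return False


def sequential_guessing(card: Card, digits: int = 4):
    """Try 0000, 0001, ... as in the text; return (succeeded, attempts made)."""
    for n in range(10 ** digits):
        if card.blocked:
            return False, n
        if card.verify(f"{n:0{digits}d}"):
            return True, n + 1
    return False, 10 ** digits


def guess_chance(digits: int, tries: int = MAX_TRIES) -> Fraction:
    """Chance that `tries` distinct guesses hit a PIN chosen uniformly at
    random (an assumption; a commonly used PIN is easier to hit)."""
    return Fraction(tries, 10 ** digits)


if __name__ == "__main__":
    print(sequential_guessing(Card("7351")))  # blocked long before reaching 7351
    print(float(guess_chance(4)), float(guess_chance(6)))
```

With three tries, the guesser's odds are 3 in 10,000 for a 4-digit PIN and 3 in 1,000,000 for a 6-digit one, and the sequential search is cut off after its third wrong entry.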
A British inventor named John Shepherd-Barron pioneered the development of the Automatic Teller Machine, aka the ATM.
Initially, Barron also proposed 6-digit PINs, but when he tested this system on his wife, Caroline, she told him that the longest string of numbers that she could remember was 4. Consequently, he switched from 6-digit PINs to 4-digit ones, and ATMs became more popular. It wasn’t long before 4-digit PINs became the world standard.