Two students at the Eindhoven University of Technology have worked out that the least safe PIN for your bank card is 2580.
They did this by estimating which hand movements are easiest to observe, then counting how many PINs fit each series of movements. On a keypad laid out as the rows 123, 456, 789 and x0x, the PIN 2580 requires a single continuous downward motion of the hand, and it is the only code that matches that series of movements. A bad actor who sees the movement should be able to guess that PIN 100% of the time.
Eindhoven Dichtbij reports that 292 codes can be guessed within three tries after observing the hand movements. That is again a 100% success rate, assuming the bad actors get three attempts before access is blocked. Codes that are relatively safe require a lot of back-and-forth movement: the code 1959, for instance, shares its series of hand movements with 105 other PINs.
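To make the counting concrete, here is a small Python script (an added example, not code from the article or from the students' work) that groups all 10,000 four-digit PINs by the hand movement needed to type them on the 123/456/789/x0x keypad. It assumes an observer sees only the direction of each move between keys, not how far the hand travels (pass exact=True to keep the full offset instead); the students' exact model is not given in the article, so the class sizes it produces will not necessarily match theirs. Under either model it confirms that 2580 is alone in its class.

```python
# Added example (not from the article or the students' work): group all
# four-digit PINs by the hand movement needed to type them on an ATM keypad,
# so that "how many PINs share this movement" can be counted directly.
# Assumption: a movement is the direction of each successive move between keys
# (left/right, up/down or diagonal, ignoring distance); exact=True keeps the
# full (dx, dy) offset instead. The article does not specify the students' model.
from collections import defaultdict
from functools import lru_cache
from itertools import product

# Keypad rows as described in the article: 123 / 456 / 789 / x0x
KEYPAD = ("123", "456", "789", " 0 ")

# digit -> (column, row), e.g. '1' -> (0, 0), '0' -> (1, 3)
POS = {
    digit: (x, y)
    for y, row in enumerate(KEYPAD)
    for x, digit in enumerate(row)
    if digit != " "
}


def _sign(n):
    return (n > 0) - (n < 0)


def movement(pin, exact=False):
    """Return the series of moves a hand makes while typing `pin`.

    With exact=False each move is reduced to its direction (sign(dx), sign(dy)),
    so a long and a short move in the same direction look alike to an observer.
    """
    moves = []
    for a, b in zip(pin, pin[1:]):
        (x0, y0), (x1, y1) = POS[a], POS[b]
        dx, dy = x1 - x0, y1 - y0
        moves.append((dx, dy) if exact else (_sign(dx), _sign(dy)))
    return tuple(moves)


@lru_cache(maxsize=None)
def movement_classes(exact=False):
    """Map every movement series to the sorted list of PINs that produce it."""
    classes = defaultdict(list)
    for digits in product("0123456789", repeat=4):
        pin = "".join(digits)
        classes[movement(pin, exact)].append(pin)
    return {m: sorted(pins) for m, pins in classes.items()}


def candidates(pin, exact=False):
    """PINs indistinguishable from `pin` for someone who only saw the hand movement."""
    return movement_classes(exact)[movement(pin, exact)]


def guessable_within(attempts=3, exact=False):
    """PINs an observer hits with certainty given `attempts` tries (the usual
    three before the card is blocked): those whose movement class is that small."""
    return sorted(
        pin
        for pins in movement_classes(exact).values()
        if len(pins) <= attempts
        for pin in pins
    )


if __name__ == "__main__":
    for pin in ("2580", "1959", "1111"):
        print(pin, "shares its movement with", len(candidates(pin)) - 1, "other PINs")
    sure = guessable_within(3)
    print(len(sure), "PINs fall within three tries under this model, e.g.", sure[:10])
```

Running it also shows why the repeated-digit PINs (1111, 2222, and so on) are weak in a different way: a hand that does not move at all narrows the candidates to ten.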
I wonder if making fake movements would help against PIN thieves?
The students, Anne Eggels and Aukje Boef, also considered other ways of hacking PINs:
- Dusting the keys with salts and checking which salts had been disturbed after the keypad was used: especially useful for PINs in which the same key is used more than once.*
- Camera surveillance.
- Observing wear and tear on the keys: useful in locations where the same PIN is shared by most users, such as nursing home wards.
Aukje Boef has a telling name by the way, as her last name means ‘crook’ in Dutch.
Update: I found an article from last year that claims 2580 is the third most used PIN.
*) This is an old trick that I was aware of. To this day paranoid me wipes all keys with his fingers after entering a code.