"Learn PINs by heart, don't record them." This advice is probably familiar to you. Despite this, many people still write down their PINs, or change them to something more memorable as soon as they receive a new PIN. SECUSO has developed and empirically validated security guidance on this topic. To encourage secure PIN management, we designed a flyer and an Android application.
Both the app and the flyer address two questions: how should I memorise my PIN, and how should I manage it securely? The most important points are also summarised here.
PIN memorisation: Whether a PIN memorisation strategy succeeds depends on two aspects: the PIN itself and the user's preferences. One strategy is unlikely to apply to everyone in all contexts; the strategy needs to be tailored to the individual PIN.
Visualisation and association are commonly used memorisation techniques. For example, some people see the PIN entry on the PIN pad as a shape that is easy to memorise: 2589 looks like the letter "L" (visualisation). It could also be associated with a street number or a date (2nd May 1989). Sometimes the letters displayed below the numbers on the PIN pad can be helpful: the combination "5683" corresponds to the word "love" on the keypad. If there are no letters printed on the PIN pad, a quick look at your mobile phone's keypad can help. It is also easy and helpful to practise the PIN by entering it several times, for example on the mobile phone or on a printout of a keypad, until it has been encoded into your memory.
Secure PIN behaviour: Many people worry about forgetting their PIN and the inconvenience that results. For most, this risk outweighs the threat of someone finding a recorded PIN; being able to withdraw money from their bank account is paramount. Of course, recording a PIN is extremely unwise. However, if you absolutely must record your PIN, at least try to disguise it. For example, a PIN can be saved as part of a phone number next to an innocuous-looking name in your address book. You could also add or subtract a secret number from each numeral in the PIN. Password managers, especially those on your smartphone, are a secure way of recording your PINs.
Self-chosen PIN: Many banks allow you to change your PIN. The problem is that people tend to choose non-random numbers and thus frequently choose easy-to-guess PINs like "1234" or their own birthday. You should avoid the following PINs, since these are the ones thieves will guess first:
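As an added example (not part of the original page or of the SECUSO app), the kind of check a bank's PIN-change form could run to reject the patterns named above: constant-step digit runs such as "1234", repeated digits, and PINs that read as a day/month or a birth year. The block list is constructed for illustration; the page itself names only "1234" explicitly.

```python
import datetime
from typing import List, Optional

# Constructed illustrative block list of very frequently chosen PINs (assumption of
# this example; the page names only "1234").
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777"}

DATE_REASON = "reads as a date (day/month, month/day or a birth year)"


def _valid_day_month(day: int, month: int) -> bool:
    """True when day/month is a calendar date; year 2000 is a leap year, so 29/02 counts."""
    try:
        datetime.date(2000, month, day)
        return True
    except ValueError:
        return False


def _is_constant_step(pin: str) -> bool:
    """True for runs such as 1234, 4321 or 2468 (every step between digits is the same)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1


def _looks_like_date(pin: str, this_year: int) -> bool:
    """DDMM, MMDD or a plausible birth year for 4 digits; DDMMYY or YYMMDD for 6 digits."""
    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        if _valid_day_month(a, b) or _valid_day_month(b, a):
            return True
        return 1900 <= int(pin) <= this_year
    # six digits: day-month-year or year-month-day
    return (_valid_day_month(int(pin[:2]), int(pin[2:4]))
            or _valid_day_month(int(pin[4:]), int(pin[2:4])))


def weak_pin_reasons(pin: str, this_year: Optional[int] = None) -> List[str]:
    """Return the reasons a PIN is easy to guess; an empty list means no pattern was found."""
    if this_year is None:
        this_year = datetime.date.today().year
    if not pin.isdigit() or len(pin) not in (4, 6):
        return ["PIN must consist of 4 or 6 digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN block list")
    half = len(pin) // 2
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    elif _is_constant_step(pin):
        reasons.append("digits form a constant-step sequence")
    elif pin[:half] * 2 == pin:
        reasons.append("repeats a shorter digit group")
    if _looks_like_date(pin, this_year):
        reasons.append(DATE_REASON)
    return reasons


if __name__ == "__main__":
    for candidate in ("1234", "0205", "1987", "7302"):
        print(candidate, weak_pin_reasons(candidate) or ["no obvious pattern"])
```

A rejected PIN should be reported with the reason, so the account holder can pick something that is memorable by one of the strategies above rather than simply trying another date; a random PIN assigned by the bank and memorised with a visualisation or association is still the better default.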
- The privacy-friendly Android app suggests strategies that will help you to remember your PIN. More information about the app is available here.
- Flyer with the most important hints (in Germany only).
- Memorable And Secure: How Do You Choose Your PIN?: Andreas Gutmann, Melanie Volkamer and Karen Renaud. In: International Symposium on Human Aspects of Information Security & Assurance (HAISA), 2016.
- Nudging Bank Account Holders Towards More Secure PIN Management: Andreas Gutmann, Karen Renaud, Melanie Volkamer. In: Journal of Internet Technology and Secured Transaction (JITST), 2016.
- Exploring Mental Models Underlying PIN Management Strategies: Karen Renaud, Melanie Volkamer. In: World Congress on Internet Security (WorldCIS 2015), p. 18-23, IEEE, 2015.
- Replication Study: A Cross-Country Field Observation Study of Real World PIN Usage at ATMs and in Various Electronic Payment Scenarios: Melanie Volkamer, Andreas Gutmann, Karen Renaud, P. Gerber, P. Mayer. In: Fourteenth Symposium on Usable Privacy and Security (SOUPS), Baltimore, MD, USA, August 12–14, 2018, USENIX Association, Berkeley (CA), 2018.