This interesting paper demonstrates an unexpected form of price clustering/anchoring, and by extension shows that laziness and convenience have a rational "util" value. It may also have relevance for specs who play the lottery (and pick their winning numbers).

The gist:

1) If you find someone's ATM card and their driver's license, there's a 1:16 chance that they used their birthday as their PIN code.

2) If you find someone's ATM card, but not their driver's license, you should try 1234 as their PIN (the most common code). However, you should not try 8439 since that is the least used PIN code.

3) If you pursue the strategies described in #1 and #2, it is left as an exercise for the reader to determine the probability of subsequent incarceration.

The full paper is here.


We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smart-phone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behavior such as sharing and reusing PINs. We found that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11/18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
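
As an added example (not from the paper or this post), the sketch below shows a PIN-selection check built around the denied PIN list the abstract recommends, and why a static list alone misses a birthday PIN. The list contents, the function names and the per-customer date-of-birth check are assumptions made for illustration.

```python
from __future__ import annotations

from datetime import date
from itertools import permutations

# Constructed sample list; a real issuer would derive its own from usage data.
DENIED_PINS = {"1234", "0000", "1111", "4321"}


def birthdate_pins(dob: date) -> set[str]:
    """4-digit strings built from the date of birth: every ordered pair of
    day, month and two-digit year, plus the four-digit year."""
    parts = (f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year % 100:02d}")
    pins = {a + b for a, b in permutations(parts, 2)}
    pins.add(f"{dob.year:04d}")
    return pins


def pin_rejection_reason(pin: str, dob: date | None = None) -> str | None:
    """Return why a customer-chosen PIN is refused, or None if it is accepted.

    Without `dob` only the static checks run, which is all a fixed denied
    list can do. With `dob` (assumed to be on file with the issuer) the
    per-customer birthday check runs as well.
    """
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return "not a 4-digit PIN"
    if pin in DENIED_PINS:
        return "on denied PIN list"
    if len(set(pin)) == 1:
        return "repeated digit"
    if dob is not None and pin in birthdate_pins(dob):
        return "derived from date of birth"
    return None


if __name__ == "__main__":
    sample_dob = date(1985, 3, 27)  # constructed sample customer
    for candidate in ("1234", "7777", "2703", "1985", "8439"):
        static = pin_rejection_reason(candidate)
        full = pin_rejection_reason(candidate, sample_dob)
        print(f"{candidate}: static={static!r} with_dob={full!r}")
```
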




