A Brute Force attack will take few milliseconds to crack a 4 digit PIN (10,000 possible PINs). Have you ever wondered why the PIN (Personal Identification Number) for most of the commercial ATM cards is only 4 digits ? Some banks do allow you to choose longer PINs but the minimum number of digits is mostly 4.
Despite the smaller length, PIN is still an effective way of securing the ATM card. Here are the reasons why.
1. Two factor Authentication
An ATM access is really a two-factor authentication. i.e, the authentication happens by
a. Something you know: your PIN
b. Something you have: Your ATM Card
Note: A three factor authentication adds ‘something you are’ such as your voice,finger print, hand geometry, iris, retina etc.
2. Bank’s Security Database is (supposedly) secure
A brute force attack (a.k.a dictionary attack) generally requires a copy of the security database (or password file) to run the attack against. But Bank’s security database is generally super-secure (or at least we hope so). This means an attacker needs to go through the good-old way of manually trying the 10,000 combinations of PIN in an ATM machine (or in a website).
This is where the Access control come in to play. After three failed attempts, the ATM card gets locked down by the system. And the ATM card is useless from there.
Alright, breathe easy….. for now.
Quick tip: There is a reason why your organization asks you to setup a password that consists minimum of 8 characters including lower case, upper case and digits. It will result in more than 200 trillion combinations and will take several months for a dictionary attack to succeed. Even if the attacker succeeds after three or four months, guess what, your company policy required you to change your password every 60 days. * N I C E *