PIN Management

"Learn PINs by heart, don’t record them." This advice is probably familiar to you. Despite this, many people still write down their PINs or change them to something more memorable as soon as they receive a new PIN. SECUSO has developed and empirically validated security guidance on this topic. To encourage secure PIN management, we designed a flyer and an Android application. Both can be freely downloaded from the download section of this webpage. They aim to help with two aspects: How should I memorize my PIN? How should I manage it securely?

PIN memorisation

Whether a PIN memorisation strategy is successful, or not, depends on two aspects: the PIN itself and the user’s preferences. One strategy is unlikely to apply to everyone in all contexts. The strategy needs to be tailored to the individual PIN.

Visualisation and association are commonly-used memorisation techniques. For example, some people see the PIN entry on the PIN pad as a shape that is easy to memorize – 2589 looks like the letter "L" (visualization). It could also be associated with a street number or a date (2nd May 1989). Sometimes the letters displayed below the numbers on the PIN pad can be helpful. The combination "5683" corresponds to the word "love" on the keyboard. If there are no letters printed on the PIN pad, a quick look at your mobile phone can help. It’s also easy and helpful to practise the PIN multiple times by entering it, for example, on the mobile phone or a printout of a keyboard until it has been encoded into your memory.

Secure PIN behaviour

Many people worry about forgetting their PIN and the inconvenience that results. For most, this risk outweighs the threat of someone finding a recorded PIN. Being able to withdraw money from their bank account is paramount. Of course, recording a PIN is extremely unwise. However, if you absolutely must record your PIN, at least try to disguise it. For example, a PIN can be saved as part of a phone number next to an innocuous-looking name in your address book. You could also add or subtract a secret number from each numeral in the PIN. Password managers, especially those on your smartphone, are a secure way of recording your PINs.

Self-chosen PIN – a secure alternative?

Many banks allow you to change your PIN. The problem is that people tend to choose non-random numbers and so frequently pick easy-to-guess PINs like "1234" or their own birthday. You should avoid the following PINs, since these are the ones thieves will guess first:

Downloads (Flyer and App)

Our easy to use and straightforward recommendations can help you improve your PIN management.

The privacy-respecting Android application provided here suggests strategies that will help you to remember your PIN. More information, as well as the download area, can be found here.

Additionally there is a flyer with the most important hints.

Publications

Memorable And Secure: How Do You Choose Your PIN?
Andreas Gutmann, Melanie Volkamer and Karen Renaud
In: International Symposium on Human Aspects of Information Security & Assurance (HAISA), 2016.

Nudging Bank Account Holders Towards More Secure PIN Management
Andreas Gutmann, Karen Renaud, Melanie Volkamer
In: Journal of Internet Technology and Secured Transaction (JITST), 2016.

Exploring Mental Models Underlying PIN Management Strategies
Karen Renaud, Melanie Volkamer
In: World Congress on Internet Security (WorldCIS 2015), p. 18-23, IEEE, 2015.

Contact

For questions or suggestions, please do not hesitate to contact  Karola Marky or Melanie Volkamer.
