The primary reason for ATM card PINs being 4 digits long is because it is easier for people to remember a 4-digit number compared to a 6- or 7-digit number. Another reason is that it slightly increases the PIN’s vulnerability to brute force attacks, but this is a compromise between convenience and a limited risk.
If you have a bank account, it is highly likely that you also have an ‘ATM card’ or a debit/credit card. To use these cards at ATMs or at point of sale (POS) terminals in stores, you need to authenticate them with a unique 4-digit number known as a PIN (Personal Identification Number).
Without knowing the PIN, you cannot use a credit/debit card at an ATM.
One interesting thing you may have noticed about these PINs is that they are usually only 4 digits long. You would expect the card PIN, which protects your entire bank account and your hard-earned money, to be more complex… but it’s not!
On the other hand, when it comes to the numerous online accounts you have, you are often urged or even compelled to choose passwords that are difficult to guess and include special characters.
In fact, if you have access to the internet banking feature of the same account, you would know that the bank website requires you to choose a password with at least one numeric digit and a special character. Some banks even make it mandatory for you to change your password every 2-3 months! Clearly, banks want you to choose a very secure password for your online account. So why are most ATM card PINs usually just 4 digits long?
Methods Of Verification
The main forms/techniques of security are based on three factors: something you are, something you know, and something you have.
In certain places, access to highly confidential areas is granted or denied based on a retinal scan. Retinal scans, along with fingerprint and tongue print tests, fall under the category of biometrics (something you are).
Retinal scans are considered ‘something you are’. (Photo Credit: Cpl. Christopher O’Quin / Wikimedia Commons)
Similarly, the passwords for your online accounts fall under ‘something you know’. An ATM card falls under the category of ‘something you have’.
When you possess an ATM card and its PIN, you fulfill two of the three types of security requirements: ‘something you have’ (the card itself) and ‘something you know’ (the PIN). This is why banks and financial institutions allow a 4-digit PIN, as it is easier to remember compared to a 6- or 7-digit one. However, it also slightly increases the PIN’s vulnerability to brute force attacks, but this is a balance between convenience and a limited risk.
Cracking ATM PINs through Brute Forcing
Brute forcing refers to the systematic process of trying out every possible combination of numbers, alphabetic numerals, and symbols in order to determine a password. This method is commonly used by hackers to gain access to passwords. In the case of ATM PINs, brute forcing involves attempting various combinations such as 0000, 0001, 0002, 0003, and so on. Hackers may also start with commonly used PINs like 1234, 4321, 2222, 9999, etc. until they find the correct combination and succeed in their malicious actions.
Why ATM PINs are (Relatively) Secure Against Brute Forcing?
Fortunately, ATM card users are protected to some extent against brute forcing. Banks usually set a limit on the number of incorrect PIN attempts allowed. If you enter a wrong PIN three times consecutively, your card will be blocked, at least for that day. You will then have to visit the bank to obtain a new card. This means that in order to gain unauthorized access to your account, a person would need to physically possess your card and have only three attempts to guess your PIN correctly. While there are tools available that make brute forcing easier than it may initially seem, it is highly unlikely for an average person to guess your 4-digit PIN through pure chance.
That’s why banking institutions typically allow for 4-digit PINs. However, this does not mean that you should choose a 4-digit PIN. The more digits you add to your PIN, the more secure it becomes (though it may be slightly harder to remember). For this reason, many banks require their users to select 6-digit PINs.
John Shepherd-Barron
John Shepherd-Barron, a British inventor, was the pioneer behind the development of the ATM (Automatic Teller Machine).
Initially, Shepherd-Barron suggested the use of 6-digit PINs. However, when he tested this system on his wife, Caroline, she informed him that the longest string of numbers she could remember was 4. As a result, he switched to 4-digit PINs, which ultimately led to the widespread adoption of this standard worldwide.