Why it's time for companies to stop using PINs and passwords

By Michael Steinmann, Nuance Communications

Passwords and PINs are now more vulnerable than ever.

A string of high-profile breaches has proved the point, including Twitter, LinkedIn, iCloud and, most notably, Adobe, where around 150 million user records, passwords included, were compromised.


While these breaches highlight the vulnerability of the traditional password and PIN, both of which were developed more than 50 years ago, they also show that knowledge-based authentication is becoming antiquated in today's world of connected smart devices and ever smarter attackers.

With increased pressure on these traditional security methods, organisations need to reassess the processes and solutions they rely on, both to prevent security breaches and to make their customers' lives more convenient.


Here are some ways PINs and passwords are compromised:

Brute Force Attack

The four-digit PIN is one of the weakest security credentials, because of the ease with which a malicious user can compromise an account without any technical skill and without knowing anything about the legitimate account holder.

The weakness of PINs was exposed by a 2012 DataGenetics study, which found that 10.7 per cent of four-digit PINs are "1234". An attacker who simply tries "1234" against a list of accounts therefore gets into roughly one in every ten of them with a single guess each. Passwords fare little better: the Adobe breach showed "123456" and "password" among the top five user passwords.


Although organisations can block the most commonly used PINs and passwords, the DataGenetics study also found that, beyond sequential and repeated digits, people tend to choose PINs that trace a pattern on the keypad or that encode a date significant to the account holder. Because legitimate users pick PINs this way, a guessing attack that works through these patterns in order of popularity remains effective even when the obvious favourites are blocked.
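The two points above, the skewed PIN distribution and the patterned choices that survive a simple blocklist, can be shown in code. The block below is an added example, not code from the article or from Nuance. Only the 10.7 per cent figure for "1234" comes from the article; every other frequency in `PIN_FREQUENCIES` is a constructed, illustrative value, and the policy rules (repeats, sequences, keypad paths, dates) are one reasonable reading of the patterns the study describes, not the study's own definitions.

```python
"""Added example: why a skewed PIN distribution makes guessing cheap, and a
policy check that rejects the PIN patterns the DataGenetics study describes.
Only the '1234' frequency is the article's figure; the rest are constructed."""

# Frequency of popular four-digit PINs.  '1234' at 10.7 per cent is the figure
# quoted in the article; the other values are constructed for this example and
# are NOT figures from the DataGenetics study.
PIN_FREQUENCIES = {
    "1234": 0.107, "1111": 0.060, "0000": 0.019, "1212": 0.012,
    "7777": 0.007, "1004": 0.006, "2000": 0.006, "4444": 0.005,
}
UNIFORM_PIN_PROB = 1 / 10_000  # what each PIN would get if choice were random


def guess_success_rate(freqs, guesses):
    """Chance of opening one account when the attacker may try `guesses` PINs
    (for example three before lockout) and tries the most popular ones first."""
    ranked = sorted(freqs.values(), reverse=True)
    return sum(ranked[:guesses])


def accounts_compromised(freqs, guesses, accounts):
    """Expected accounts opened by spraying the same top-`guesses` list over
    `accounts` accounts, next to the figure for uniformly random PIN choice."""
    skewed = guess_success_rate(freqs, guesses) * accounts
    uniform = UNIFORM_PIN_PROB * guesses * accounts
    return round(skewed), round(uniform)


# Phone-keypad layout (row, column) used to spot PINs a finger can trace.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
                       "0": (3, 1)}


def is_repeating(pin):
    """1111, 1212 (ABAB) or 1122 (AABB)."""
    return len(set(pin)) == 1 or pin[:2] == pin[2:] or (pin[0] == pin[1] and pin[2] == pin[3])


def is_sequence(pin):
    """Every step is +1 or every step is -1: 1234, 6789, 4321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_keypad_pattern(pin):
    """Four distinct keys where each is adjacent (including diagonally) to the
    next, i.e. a path a finger traces (2580, 1478, 3698), or the four corners."""
    if set(pin) == {"1", "3", "7", "9"}:
        return True
    if len(set(pin)) != 4:
        return False
    for a, b in zip(pin, pin[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        if max(abs(r1 - r2), abs(c1 - c2)) != 1:
            return False
    return True


def is_date(pin):
    """MMDD, DDMM or a year between 1900 and 2030 (loose: any day up to 31)."""
    a, b = int(pin[:2]), int(pin[2:])
    mmdd = 1 <= a <= 12 and 1 <= b <= 31
    ddmm = 1 <= a <= 31 and 1 <= b <= 12
    return mmdd or ddmm or 1900 <= int(pin) <= 2030


def weak_pin_reason(pin, blocklist=frozenset(PIN_FREQUENCIES)):
    """Return why a PIN should be refused at enrolment, or None if it passes.
    A blocklist alone stops the favourites; the pattern rules catch the rest."""
    if not (pin.isdigit() and len(pin) == 4):
        return "not four digits"
    if pin in blocklist:
        return "on the common-PIN blocklist"
    if is_repeating(pin):
        return "repeating digits"
    if is_sequence(pin):
        return "sequential digits"
    if is_keypad_pattern(pin):
        return "keypad pattern"
    if is_date(pin):
        return "looks like a date"
    return None


if __name__ == "__main__":
    # Three guesses per account, sprayed across 100,000 accounts.
    print("skewed vs uniform:", accounts_compromised(PIN_FREQUENCIES, 3, 100_000))
    for candidate in ("1234", "2580", "0827", "8352"):
        print(candidate, weak_pin_reason(candidate))
```

With a three-attempt lockout and the constructed distribution, spraying the top three PINs over 100,000 accounts is expected to open about 18,600 of them; if PINs were chosen uniformly the same effort would open about 30. The lockout protects the individual account, not the population, which is why the enrolment-time rejection rules matter.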

Compromising the Database

A PIN or password, like any other knowledge factor used for authentication, has to be stored in some form in a database. If that database is compromised and the values are held in the clear or only weakly protected, the attacker holds the credential for every account at once. Properly designed systems layer numerous protections around that store, yet there are many documented cases of breaches occurring.

Some cases involve attackers finding ways around the security measures. Others involve employee error, for example PIN credentials sent in the clear by e-mail. However the PINs or passwords are compromised, once they are in a malicious individual's hands the potential for large-scale financial loss is enormous.
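What a stolen credential table is worth to the attacker depends entirely on how it was stored, and for four-digit PINs the answer is uncomfortable even when the storage is done "properly". The block below is an added example, not code from the article or from Nuance. The users, PINs and server key are constructed for the example, and the iteration count is kept deliberately low so the offline-cracking demonstration runs in seconds.

```python
"""Added example: what a breached credential table gives an attacker under
three storage designs.  Users, PINs and keys are constructed for the example."""
import hashlib
import hmac
import os

ALL_PINS = [f"{n:04d}" for n in range(10_000)]  # the entire four-digit keyspace


def store_plaintext(pin):
    """Design 1: the PIN itself is the record.  A dump of the table is a dump
    of every account's credential; nothing further is needed."""
    return pin


def store_pbkdf2(pin, iterations=1000, salt=None):
    """Design 2: per-user random salt and a slow hash.  Right for passwords.
    The default iteration count here is tiny so the demo runs fast; production
    guidance (OWASP) for PBKDF2-HMAC-SHA256 is on the order of 600,000."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(pin, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_pbkdf2(record, try_first=("1234", "1111", "0000")):
    """What the attacker does with one dumped Design-2 row.  The keyspace is
    only 10,000 PINs, so the offline search always finishes; the popular PINs
    from the article go first, the rest follow in order."""
    for guess in list(try_first) + ALL_PINS:
        if verify_pbkdf2(guess, record):
            return guess
    return None


def breach_table(rows):
    """Everything recovered from a dumped table of Design-2 rows: every PIN."""
    return {user: crack_pbkdf2(record) for user, record in rows.items()}


def store_keyed(pin, user_id, server_key):
    """Design 3: HMAC under a key that is never stored in the database (kept in
    an HSM or a separate secrets service in practice).  Binding the user id
    into the message stops one recovered tag being replayed on another account.
    Without the key the dump offers no oracle to test guesses against, so the
    attacker is pushed back to online guessing, where lockouts apply."""
    return hmac.new(server_key, f"{user_id}:{pin}".encode(), "sha256").hexdigest()


def verify_keyed(pin, user_id, server_key, record):
    return hmac.compare_digest(store_keyed(pin, user_id, server_key), record)


if __name__ == "__main__":
    # Constructed table: two hypothetical users with Design-2 records.
    table = {"alice": store_pbkdf2("0827", iterations=200),
             "bob": store_pbkdf2("1111", iterations=200)}
    print("recovered from the dump:", breach_table(table))
    key = b"constructed-server-key-held-outside-the-db"
    tag = store_keyed("0827", "alice", key)
    print("keyed record verifies for alice:", verify_keyed("0827", "alice", key, tag))
    print("same tag replayed for bob:", verify_keyed("0827", "bob", key, tag))
```

The point a practitioner takes from Design 2 is that salting and a slow hash, which protect a decent password, do almost nothing for a four-digit PIN: ten thousand guesses per account is a trivial offline workload at any iteration count a login path can afford. Keeping the verification secret out of the breached store, as in Design 3, is what actually denies the attacker an offline oracle.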


Phishing
Phishing, the harvesting of credentials such as PINs and passwords through e-mail and social media, is an ever-increasing technique. Industry statistics indicate that a mass phishing campaign yields a success rate of about 5 per cent: if 100 e-mails are sent to collect PINs, the attacker will on average collect five valid PINs.

If the attacker instead runs a targeted spear-phishing campaign, the success rate can reach 19 per cent. Phishing is therefore one of the preferred methods for compromising systems that are protected by PINs and passwords.

Internet Search

Call centres typically use a series of knowledge questions to verify a caller's identity. If the caller answers the questions correctly, the agent treats the identity as verified and any transaction can then proceed.


However, the answers to many of the security questions call centre agents ask can easily be found on the internet. A moderately sophisticated attacker can find the answers to most security questions by searching social media sites such as Facebook and LinkedIn.

Collecting this basic information about an individual online makes guessing the answers to security questions easy, as a 2009 Carnegie Mellon University study showed: commonly used security questions are vulnerable, and in some cases the answers can be guessed with 48 per cent accuracy.
