I have a memory of being told of an insider attack at a bank where programmers managed to force the system to issue PINs drawn from a very small set, so that with a stolen card they had a better than 50% chance of guessing the correct PIN within three attempts. But I can't find it in the literature. Anyone find it rings a bell? ian