Insider attacks on PIN generation

Theo Markettos theom+news at
Sat Feb 25 23:53:18 GMT 2012

In article <EC6C6CB7-599C-44D7-8D69-D569E6BA6027 at> you wrote:
> I have a memory of being told of an insider attack at a bank where
> programmers managed to force the system to issue PINs drawn from a very
> small set, so that with a stolen card they had a better than 50% chance of
> guessing the correct PIN within three attempts.  But I can't find it in
> the literature.  Anyone find it rings a bell?

Ross mentions some cases in Why Cryptosystems Fail, where banks have issued
all their customers with the same PINs or from a tiny subset, either
unintentionally or maliciously:


More information about the ukcrypto mailing list