
Passwords, Passcodes, PINs

I recently came across an interesting article about PIN codes on iOS devices, where an app developer pulled the login PIN numbers for his app to do some statistical analysis.

His findings are far from encouraging - or surprising - with (you guessed it!) '1234' taking the top spot, followed by '0000' (seriously...why bother with a passcode at all?).

This is pretty much in line with what I've blogged before about passwords. Of course, if Mrs Shepherd-Barron hadn't gotten her way, the most popular PIN would probably match the most popular password... '123456'!

On passwords, a developer has taken all the recently exposed accounts and provided a nice web interface to allow you to see if your password may have been exposed. If you're worried, run your login ID through the checker and see. The site doesn't ask for passwords, but considering many site usernames are email addresses, use it at your own risk!

On better security news, the DSD (an Australian Government three-letter agency) has released a preliminary guide to hardening iOS [pdf]. A more in-depth guide is expected in September 2011.

Airport Security Antics

Not strictly information security, but certainly pertaining to organizational security culture: News.com.au ran a story today that just makes me sad... or is that mad? Or both?

A security gate at Dubbo Airport has been found to have its access PIN number printed out and stuck above the keypad.

According to the article, Government officials will review security at Dubbo airport next week. I wonder what else they'll find?

Something this blatantly idiotic is a sign of a generally poor (or non-existent?) security culture. Sure, you may have one 'helpful' person who decides to post the PIN number (along with the helpful "please touch pad softly" message), but for the others using the gate not to step in and remove the sticker is a worrying sign. Some more of those airport security dollars may need to be spent on basic staff security awareness and less on security theatre like confiscating nail clippers but not cigarette lighters...

So is that your PIN number?

In the spirit of Richard's post below on a little 'no tech hacking': on a couple of occasions recently I've had friends wanting to show me photos taken on their iPhones, and inadvertently reveal some potentially quite damaging information.

To set the scene: you're discussing a subject (such as a holiday) and your friend says "want to see the photos?". Replying in the affirmative, they whip out their phone and hold it up for you to see, hitting a button and entering their unlock PIN to begin showing you the photos.
It's at this stage I ask "so, is that number you just entered the same as your ATM-card PIN?"
Sheepish looks ensue as they mumble "....yes...." and I reply "you might want to change that... or lend me your ATM card!"

Now this certainly isn't an 'iPhone problem' as such, or I'd wager even a new problem. It is, however, exacerbated by the new touchscreen smartphones and their big friendly on-screen keypads, which make it much easier to 'shoulder-surf' from greater distances and see the PIN number more easily as it is entered.
ATM card PIN numbers are a little unusual, as for a lot of people they are one of the few 'enforced' passwords they use. By 'enforced' I mean they are passwords that are dictated and not chosen by the end user; they are often just a random (or semi-random) 4-digit string that was supplied by the bank.
Although these days you can often choose a PIN number while opening a new account, this wasn't always the case, and many people have had the same PIN number for years, from card to card, keeping the one they've already memorized. After all, we are often creatures of habit.

So when the new phone arrives and needs to be set up with a 4-digit PIN number, it seems not uncommon to grab the first available 4-digit number that you already have memorized, your ATM PIN (I'd wager birthdays or birth year are the other popular options), and off you go.

What's the risk? Well, it's probably pretty low. I'm not really going to run off with my friend's ATM card, nor bother remembering their PIN number after seeing it initially. But low risk is not no risk, and doing something as simple as scrambling or reversing your ATM PIN (if that must be the basis of your phone PIN) is better than using the same number.
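To make the points above concrete, here is an added example (my own code, not from the original post or from the app developer's study): a small PIN checker that flags the weak patterns discussed on this page (the '1234'/'0000' favourites, repeated digits, sequential runs, birth years and calendar dates) and that detects a phone PIN "derived" from an ATM PIN by reversal or scrambling. It also ranks a sample of PINs and measures how many a short guess list would crack. The common-PIN list, the birth-year window and the sample PIN set are all constructed for illustration and are assumptions, not figures from the article.

```python
"""Added example, not code from the original post: a 4-digit PIN quality check.

Everything here is illustrative: COMMON_PINS is an assumed top-10 list,
the birth-year window is an assumption, and SAMPLE_PINS is a constructed
sample rather than real data from any app or bank.
"""
from collections import Counter

# Assumed list of frequently chosen PINs (constructed for this example).
COMMON_PINS = ["1234", "0000", "1111", "2580", "1212",
               "7777", "5555", "1122", "9999", "6969"]

# Constructed sample of 20 user PINs, deliberately skewed towards the favourites.
SAMPLE_PINS = (["1234"] * 5 + ["0000"] * 3 + ["1111"] * 2 +
               ["1985", "0412", "2580", "7391", "4826",
                "1212", "9031", "6173", "2001", "5097"])


def _check(pin):
    if not (isinstance(pin, str) and len(pin) == 4 and pin.isdigit()):
        raise ValueError("PIN must be a 4-digit string")


def is_repeated(pin):
    """All four digits identical, e.g. 0000 or 7777."""
    return len(set(pin)) == 1


def is_sequential(pin):
    """Ascending or descending run of consecutive digits, e.g. 1234 or 9876."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def is_year(pin):
    """Looks like a birth year (assumed window 1900-2030)."""
    return 1900 <= int(pin) <= 2030


def is_date(pin):
    """Looks like MMDD or DDMM, e.g. 0412 for 4 December or 12 April."""
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)


def classify(pin):
    """Return the list of weak-pattern labels that apply to a PIN (empty = none)."""
    _check(pin)
    labels = [("common", pin in COMMON_PINS), ("repeated", is_repeated(pin)),
              ("sequential", is_sequential(pin)), ("year", is_year(pin)),
              ("date", is_date(pin))]
    return [name for name, hit in labels if hit]


def derived_from(pin, atm_pin):
    """True if pin is the ATM PIN itself, its reverse, or any scramble of its digits."""
    _check(pin)
    _check(atm_pin)
    return sorted(pin) == sorted(atm_pin)   # same multiset of digits covers all three


def acceptable(pin, atm_pin=None):
    """Policy decision: (ok, reasons). Rejects weak patterns and ATM-derived PINs."""
    reasons = classify(pin)
    if atm_pin is not None and derived_from(pin, atm_pin):
        reasons.append("derived-from-atm-pin")
    return (not reasons, reasons)


def top_pins(pins, n):
    """Most frequent PINs in a sample, as (pin, count) pairs."""
    return Counter(pins).most_common(n)


def guess_coverage(pins, guesses):
    """Fraction of the sample an attacker cracks by trying `guesses` in order."""
    counts = Counter(pins)
    return sum(counts[g] for g in guesses) / len(pins)


if __name__ == "__main__":
    print("top 3:", top_pins(SAMPLE_PINS, 3))
    print("cracked by 10 guesses:", guess_coverage(SAMPLE_PINS, COMMON_PINS))
    for p in ["1234", "1985", "0412", "7391"]:
        print(p, classify(p))
    print("4321 vs ATM 1234:", acceptable("4321", "1234"))
```

The `derived_from` check compares the sorted digits, so it rejects the same PIN, the reversed PIN and any other scramble in one test; a real policy would also want to reject the top-N list outright rather than just label it, which `acceptable` does by treating any label as a rejection.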

A little research into PIN numbers brought up an interesting fact: the inventor of the ATM PIN, Briton Mr Shepherd-Barron, wanted to use a 6-digit number (based on his army number), but his wife said she could only remember 4 digits, so that became the world standard!*

And btw, yes I have an iPhone, and no, my PIN is not the same as my ATM card! (nor any derivative thereof!)

*Except for Switzerland, where apparently 6 digits is the default....

PIN Numbers

Recently I bought a new phone. I stayed on the same carrier, so it was just an upgrade of my call plan and a new piece of hardware. As part of the identity verification process in the phone store, I was asked my name, the phone number and the PIN number I had provided the company with when I first signed up for my previous phone. This PIN number was also used in the past to verify my identity over the phone when I had a mobile phone stolen and needed it call-blocked. It is essentially a shared secret to identify me as me.
It's little different from the password I get asked for at the local video store when I rent a DVD, although they also require I provide them with my membership card (multifactor authentication!).
Back to the phone: I dutifully provided the PIN number and began the process of filling out forms and signing my life away on a new phone contract. While filling in details I noticed at the top of the form there was a box (filled in by the sales clerk) for my PIN. He had dutifully written my PIN in the box as part of the application.
I asked him if this was the norm, if this 'secret' number was commonly written in large friendly digits on the application forms, and he replied in the affirmative.

I did ask his opinion on writing this 'secret' number on a form that is kept in triplicate (one copy to me, one for the store and one sent off to a central office) but he didn't seem interested in discussing the ins and outs of how they secure their data or prevent impersonation.

I guess in the end I got my phone and have to hope one of the three copies of the form with my name, address, date of birth and PIN number doesn't fall into the wrong hands and someone decides to cancel my account or report my phone as stolen. Although, thinking about it, I imagine with a name, address and date of birth alone you could use some social engineering to effectively DoS someone's phone. Hmmmm. When is Richard's birthday?
