Why are 4 digit PINs used?

(Note: I am completely new to security and hacking so please excuse my lack of knowledge.) As per the title, Why are 4 digit pins used? They have a max of only 10,000 combinations and would only take minutes if not seconds to crack. Yet they are widely used both in finances and other accounts.

Convenience.

If you combine a 4 digit pin with say, a max of 5 attempts before lockout it can be “Secure enough” without being a pain in the balls to actually enter all the time.

Doesn’t matter that there are only 10,000 combinations when you only get to try 5 of them.

This is why you enter your pin too many times on an ATM and your card doesn’t come out.

I would guess it is a combination of convenience (as @thro said) and the stuff beeing quite old. Electronics weren´t always dirt cheap.

This.

A PIN’s security doesn’t come from the PIN itself, but from the lockout that happens when you mess it up enough times.

Couldn’t the 10,000 combination cap become a problem when implemented across millions of accounts and devices due to repetition? I could see a system wherein it inputs the 4 or five statistically most common PIN’s and if they don’t work move on to another account.

In most cases, you need the plastic card and the pin.
I don´t know how exactly they generate the pins, but I would imagine they are quite random.

Also (as @MazeFrame pointed out) it employs a kind of two factor authentication. In theory, the code should be worthless without the card.

Historical.

Some cards support more.

Long time ago there were cheques where signatures were enough.

Then mechanical imprinters showed up and embossing from the card + signature were enough.

Then magnetic stripe + signature were enough.

Then chips readers showed up, and all of a sudden you had swipe and sign, and chip and pin, and chip and sign, and swipe and pin.

Because chip is not clone-able (if used properly), it was deemed that simplyfying signatures down to pins was enough and 4 digits are the minimum, and usually the maximum as well.

These days the card I use the most is of the “online chip and pin” variety (yes there’s offline chip and pin too, where the terminal doesn’t have to have access to the payment provider via internet, e.g. flights and stuff). I also have a phone app from the card provider that both tracks my location to feed it into security heuristics engine, as well as notifies me on any transaction.

Deploying new stuff to market is infinitely easier than getting rid of old stuff. (Same reason we still have GSM and EDGE but are losing 3G in favor of LTE)

That would work but 2 things.

They tend to block common pins
and attempting to mass access accounts will show up in a log so its no fool proof

95% will use the last 4 of their SSN
This allows people in IT to get more lounge time without people saying, “I forgot my password”

I don’t know how it’s in other countries (or other banks for that matter) but at the place I work the PINs aren’t even printed in-house, they are printed by the federal printing office.

Yes and “certain countries” still live in the stone ages.

It’s not you or the card that decides that. Every chip is capable of online (as is the magnet strip, technically). It’s the terminal and the shop owner that decides that.

Depends on the chip and its security implementation. Those chips are very much clonable, there’s a reason there are multiple iterations of them.

Little offtopic, but the reason we have those is because… try getting a 4G signal in the middle of nowhere. Then give up and get a GSM signal instead. They’re not the base of emergency broadcasts for nothing.

That’s why the PINs (in banking at least) are either non changeable, or the mechanism that allows changes watches checks for various common stuff that a third person might easily learn from his victim. They just can’t be used.

Side note, working at a bank and our customers get the 4 digit card pin and a 6 digit pin for their online banking. Guess which pin needs to be sent out again more often.

Sure, but there are several factors that protect against this:

1. Bank lock-out if you access your account from unusual locations or other countries
2. Daily withdrawal limits (presumably you will see money disappearing and act before it all disappears)
3. Normally, a requirement to use the physical card (for debit cards).
4. Other heuristics that the bank use to spot irregular transactions on your account.

At the end of the day, it is more secure than regular cash if your card is stolen, and people seem to have no issue carrying cash around.

If we enforced 16 digit fully random pins (for example) on everyone nobody would use the service. Or they’d just write them on the back of the card.

As with any security measure, there is ALWAYS a trade-off between convenience and security. And if you make it too inconvenient, it just gets circumvented.

That is true, though (granted far less) people do that with 4 digit PINs and that voids whatever insurance policy the bank has when money gets stolen by using a card (because negligence).

My card (or rather my bank and payment_processor) … doesn’t support or care to accept offline transactions. The card I like using doesn’t actually support preauth/advice either (making tipping when I visit US twice a year interesting) - and I actually like them more for it.

My point is that with things like ApplePay/GooglePay/Curve/Revolut/N26 and others hitting the market, it definitely does become more of a choice of the end user where they can pick-n-mix.