## Assume John is one of the customers. What is the probability that an attacker can guess John’s PIN in one try?


##### Description

Question 1 (6 marks)

A bank with 1,000 customers decides to use a different PIN entry method for cardless cash. It first assigns random 4-digit PINs to each of the 1,000 customers such that no two customers have the same PIN. At the ATM, each customer can authenticate simply by entering their PIN. The backend system can authenticate the customer based on the unique random PIN. You have been hired as a security consultant by the bank to analyze the security of this system.

(a) Assume John is one of the customers. What is the probability that an attacker can guess John’s PIN in one try? (1 mark)

(b) What is the probability that an attacker can guess any customer’s PIN in one try? (1 mark)

(c) How many attempts are needed by an attacker to guess any customer’s PIN with probability at least 0.5? (3 marks)

(d) You suggest to the bank that the customer should also enter a unique username. What issue does this mitigate? How is requiring a bank card in addition to entering a PIN different?
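The following worked calculation is an added example, not part of the original question sheet. It models the scheme described above and compares guessing any valid PIN with guessing one named customer's PIN. It assumes the attacker never repeats a guess and that the ATM applies no lockout; the function names are illustrative.

```python
from fractions import Fraction

PIN_SPACE = 10_000   # 4-digit PINs: 0000..9999
CUSTOMERS = 1_000    # each customer holds a distinct PIN


def p_hit_any(attempts, valid=CUSTOMERS, space=PIN_SPACE):
    """P(at least one of `attempts` distinct guesses matches some customer's PIN).

    With PIN-only login, every one of the `valid` PINs is a winning guess,
    so the miss probability is a product of shrinking ratios.
    """
    miss = Fraction(1)
    for i in range(min(attempts, space)):
        miss *= Fraction(max(space - valid - i, 0), space - i)
        if miss == 0:
            break
    return 1 - miss


def p_hit_target(attempts, space=PIN_SPACE):
    """P(hitting one specific customer's PIN) with distinct guesses.

    This is the situation once the PIN is bound to a username or card:
    only one PIN in the space is correct for that identity.
    """
    return Fraction(min(attempts, space), space)


def min_attempts(p_func, threshold):
    """Smallest number of guesses for which p_func reaches the threshold."""
    k = 0
    while p_func(k) < threshold:
        k += 1
    return k


if __name__ == "__main__":
    print("one try, John's PIN     :", p_hit_target(1))
    print("one try, any customer   :", p_hit_any(1))
    print("tries for >= 0.5, any   :", min_attempts(p_hit_any, Fraction(1, 2)))
    print("tries for >= 0.5, John  :", min_attempts(p_hit_target, Fraction(1, 2)))
    for k in (6, 7):
        print(f"P(any hit in {k} tries)  : {float(p_hit_any(k)):.4f}")
```
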