The video below describes how an infrared device on iPhones can be used to steal Personal Identification Numbers (PINs) on ATM cards and credit cards. It is important that you watch this video because it also contains instructions on how to prevent theft.
What I am going to discuss post is how mathematics will be used on guessing the PINs systematically. This is not to encourage stealing, but to inform everyone that it can be done — so be careful. In addition, there are machines nowadays that could copy cards, so once your card has been copied without you knowing it, the thief can have all the time in the world to guess your PIN. Please watch the video before continuing reading.
According to the video, based on heat signature, it is easy to see using infrared which numbers were pressed first and last. Suppose that the PIN has only 4 digits, then there are only 2 digits to guess.
The Mathematics of Systematic Guessing
Suppose we know the first and last digits, say, 3 and 7, respectively, then we have the PIN 3AB7. Now, we just have to look for AB. This is actually very simple: all we have to do is start from 00, and then add one number each time we guess. That is, we have 01, 02, 03, 04, all the way up to 99. This means that we only have 100 combinations to guess. And note that 100 is the most number of combinations. For example, if the PIN is 3157, then, we only need to guess 16 times (from 00 to 15).
Now, if ATM machines allow users to guess PINs three times a day without disabling the card (which I think is the case fro most ATMs) then, it can surely be guessed in 34 days. In the case above where AB = 15, then it can be guessed on the 5th day.
Of course, 6-digit PINs can be more difficult to guess. Suppose the first and last digit is known, then they will have to guess 4 numbers ABCD. These are 0000-9999 which is 10,000 combinations. That will take him 334 days, or almost a year at maximum to guess if three guesses are allowed each day.
As an additional precaution, do not create PINs that are associated to your personal data such as your birthday, your Social Security Number, etc. It will be far easier to guess.