Four-digit PINs are notoriously insecure, but they're still the default security mechanism for both payment cards and alternative payment schemes—in part because they can be entered using a POS device, computer keyboard or phone keypad, and in part because they've been around for 40 years. The total possible choices for four-digit PINs are 10,000, while the pattern-lock options could top more than 150 million. Considering that smartphone screens and many POS devices can now handle pattern-lock style security, maybe it's time for a new default. If it's hard enough to keep out the FBI, it might be good enough to lock a mobile wallet.
Maybe Android phones are more secure for mobile payments than we thought. Earlier this month, an FBI forensics lab was unable to unlock a Samsung Galaxy W smartphone after it got a warrant to examine the phone belonging to a suspected pimp in San Diego. According to Ars Technica, the phone was locked with Android's "pattern lock," which involves dragging a finger along an onscreen keypad, rather than specifically punching in a PIN. That seems to have been enough to keep out the feds, who had to get a court order to ask for Google's help to access the phone.