American Express’ security policies made things more insecure

From Bruce Schneier’s Crypto-Gram of 15 August 2003:

When I called to activate an American Express credit card I had received in the mail, the automated system told me that I would have to associate a PIN with it. The system told me that other users liked the idea of using their mother’s birthday as a four-digit PIN. After some experimentation, I discovered that the system would accept only those four-digit PINs that corresponded to dates: 0229 was acceptable but not 0230 and certainly not 3112 (New Year’s Eve, European style). Thus the system policy administrators had reduced the 10,000 possible four-digit PINs to 366.
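To make the keyspace reduction concrete, here is an added example (my own code, not from Crypto-Gram or American Express) that encodes the acceptance rule exactly as the post describes it, an MMDD date with 0229 allowed, enumerates all 10,000 four-digit PINs against it, and compares the surviving space with the full one in bits of entropy, average guesses, and the chance an attacker gets in before a lockout. The function names and the three-attempt lockout figure are assumptions for illustration.

```python
"""Keyspace reduction caused by a "PIN must be a valid date" policy.

Added example, not part of the original post. The acceptance rule
(month 01-12, day within the month, 29 February accepted) is taken from
the post; function names and the lockout threshold are assumptions.
"""
import math

# Days per month with February counted as 29, because the post says the
# system accepts 0229.
DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]

FULL_SPACE = 10_000  # every four-digit string 0000-9999


def is_date_pin(pin: str) -> bool:
    """Return True if a four-digit PIN parses as MMDD under the described policy."""
    if len(pin) != 4 or not pin.isdigit():
        return False
    month, day = int(pin[:2]), int(pin[2:])
    if not 1 <= month <= 12:
        return False
    return 1 <= day <= DAYS_IN_MONTH[month - 1]


def date_pins() -> list[str]:
    """All four-digit PINs the policy would accept, found by exhaustive enumeration."""
    return [f"{n:04d}" for n in range(FULL_SPACE) if is_date_pin(f"{n:04d}")]


def entropy_bits(space_size: int) -> float:
    """Entropy of a PIN chosen uniformly from a space of the given size."""
    return math.log2(space_size)


def expected_guesses(space_size: int) -> float:
    """Average number of guesses to hit a uniformly chosen PIN by brute force."""
    return (space_size + 1) / 2


def lockout_success_probability(space_size: int, attempts: int) -> float:
    """Chance of guessing the PIN within the attempts allowed before lockout
    (assumes a uniformly chosen PIN and no repeated guesses)."""
    return min(attempts, space_size) / space_size


def compare(attempts: int = 3) -> dict:
    """Side-by-side numbers for the full space and the date-only space."""
    reduced = len(date_pins())
    return {
        "full_space": FULL_SPACE,
        "date_space": reduced,
        "full_bits": entropy_bits(FULL_SPACE),
        "date_bits": entropy_bits(reduced),
        "full_avg_guesses": expected_guesses(FULL_SPACE),
        "date_avg_guesses": expected_guesses(reduced),
        "full_lockout_success": lockout_success_probability(FULL_SPACE, attempts),
        "date_lockout_success": lockout_success_probability(reduced, attempts),
    }


if __name__ == "__main__":
    for pin in ("0229", "0230", "3112", "1231"):
        print(pin, "accepted" if is_date_pin(pin) else "rejected")
    for key, value in compare().items():
        print(f"{key:>22}: {value:.4g}" if isinstance(value, float) else f"{key:>22}: {value}")
```

Enumerating rather than hand-counting confirms the post's figure of 366 and shows the practical effect: entropy drops from about 13.3 bits to about 8.5 bits, and an attacker with three tries before lockout goes from a 0.03% chance per card to roughly 0.8%. The nudge toward "mother's birthday" makes the real distribution even less uniform than this model assumes, so these numbers are a floor on the attacker's advantage, not a ceiling.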