Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Informat

from [drumknott] Network Security [Permanent Link]
Subject: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information
Date: Fri, 31 Aug 2007 16:03:26 +0100 
There is an issue in the LloydsTSB Banking logon system. Following 
a successful username/password combo the user is asked to enter 
memorable information before the login can be completed. If the 
memorable information is correct the user has access to their 
banking, if it is not they are bumped back to the username/password 
request. The memorable information asks for three characters from 
the memorable information. E.g. at positions 1, 7 and 9.

The login page is located here: 
https://online.lloydstsb.co.uk/logon.ibc

The issue lies in that if the user gets the memorable information 
incorrect they are asked for the same character positions (e.g. 1, 
7 and 9 again). This continues forever, basically making the 
memorable information pointless because it will not take much to 
brute force it. 

The idea of the memorable information is to stop keyloggers as even 
if they log 3 characters they probably won't be asked for them 
again, but it's pointles because if you've got the 
username/password you're basically in after a bit of bruteforcing.

No attempts have been made to contact LloydsTSB regarding this 
matter as I was unable to locate contact details and it is not that 
severe.

--
Click here for low rates and flexible payments on interest only loans.
http://tagline.hushmail.com/fc/Ioyw6h4dQLQekmPfh5qT54yMadAQH7iVxh16TB9S419xomkoDpynO4/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] sqlninja 0.1.3 released, A. R.
Next by Date:  [Full-disclosure] IE7 (for Vista) and Firefox remote code execution, Juergen Marester
Previous by Thread:  Re: [Full-disclosure] Full-Disclosure Digest, Vol 30, Issue 50, Scott McIntosh
Next by Thread:  Re: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information, A . L . M . Buxey
Indexes:  [Date] [Thread] [Top] [All Lists]