Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Info

from [A . L . M . Buxey] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information
Date: Fri, 31 Aug 2007 21:17:35 +0100 
Hi,


The issue lies in that if the user gets the memorable information 
incorrect they are asked for the same character positions (e.g. 1, 
7 and 9 again). This continues forever, basically making the 
memorable information pointless because it will not take much to 
brute force it. 


not correct. after about 7 attempts the account is locked out at
the username/password part


No attempts have been made to contact LloydsTSB regarding this 
matter as I was unable to locate contact details and it is not that 
severe.


http://www.lloydstsb.com/security.asp is a good starting point

anyway, LloydsTSB are moving to 2-factor authentication and most
of their customers should have their online backing upgraded
by the end of this year

http://www.vnunet.com/computing/news/2151425/lloyds-tsb-trial-wipes-online

alan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [USN-510-1] Linux kernel vulnerabilities, Kees Cook
Next by Date:  Team SHATTER Advisory: IBM DB2 Buffer overflow in sysproc.auth_list_groups_for_authid, Team SHATTER
Previous by Thread:  [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information, drumknott
Next by Thread:  [Full-disclosure] IE7 (for Vista) and Firefox remote code execution, Juergen Marester
Indexes:  [Date] [Thread] [Top] [All Lists]