LloydsTSB Bruteforce Possibility in Memorable Information

[<drumknott () hushmail com>]

There is an issue in the LloydsTSB Banking logon system. Following 
a successful username/password combo the user is asked to enter 
memorable information before the login can be completed. If the 
memorable information is correct the user has access to their 
banking, if it is not they are bumped back to the username/password 
request. The memorable information asks for three characters from 
the memorable information. E.g. at positions 1, 7 and 9.

The login page is located here: 
https://online.lloydstsb.co.uk/logon.ibc

The issue lies in that if the user gets the memorable information 
incorrect they are asked for the same character positions (e.g. 1, 
7 and 9 again). This continues forever, basically making the 
memorable information pointless because it will not take much to 
brute force it. 

The idea of the memorable information is to stop keyloggers as even 
if they log 3 characters they probably won't be asked for them 
again, but it's pointles because if you've got the 
username/password you're basically in after a bit of bruteforcing.

No attempts have been made to contact LloydsTSB regarding this 
matter as I was unable to locate contact details and it is not that 
severe.

--
Click here for low rates and flexible payments on interest only loans.
http://tagline.hushmail.com/fc/Ioyw6h4dQLQekmPfh5qT54yMadAQH7iVxh16TB9S419xomkoDpynO4/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/