Full Disclosure mailing list archives
LloydsTSB Bruteforce Possibility in Memorable Information
From: <drumknott () hushmail com>
Date: Fri, 31 Aug 2007 16:03:26 +0100
There is an issue in the LloydsTSB Banking logon system. Following a successful username/password combo the user is asked to enter memorable information before the login can be completed. If the memorable information is correct the user has access to their banking, if it is not they are bumped back to the username/password request. The memorable information asks for three characters from the memorable information. E.g. at positions 1, 7 and 9. The login page is located here: https://online.lloydstsb.co.uk/logon.ibc The issue lies in that if the user gets the memorable information incorrect they are asked for the same character positions (e.g. 1, 7 and 9 again). This continues forever, basically making the memorable information pointless because it will not take much to brute force it. The idea of the memorable information is to stop keyloggers as even if they log 3 characters they probably won't be asked for them again, but it's pointles because if you've got the username/password you're basically in after a bit of bruteforcing. No attempts have been made to contact LloydsTSB regarding this matter as I was unable to locate contact details and it is not that severe. -- Click here for low rates and flexible payments on interest only loans. http://tagline.hushmail.com/fc/Ioyw6h4dQLQekmPfh5qT54yMadAQH7iVxh16TB9S419xomkoDpynO4/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- LloydsTSB Bruteforce Possibility in Memorable Information drumknott (Aug 31)
- Re: LloydsTSB Bruteforce Possibility in Memorable Information A . L . M . Buxey (Aug 31)