| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jlacour at zonelabs.com (John LaCour) Subject: Drivers License number generation - was Small vulnerability in Canadian Pay Pal Secret Question American drivers license numbers are generated differently by state. However, at least three states use the same algorithm which is uses your name and birth date to generate your driver's license number. See http://www.highprogrammer.com/alan/numbers/dl_us_shared.html for details. -John > -----Original Message----- > From: j tole [mailto:jtole2003@...oo.com] > Sent: Friday, January 09, 2004 11:01 AM > To: hostmaster@...PAL.COM > Cc: full-disclosure@...ts.netsys.com > Subject: [Full-Disclosure] Small vulnerability in Canadian > Pay Pal Secret Question > > > This vulnerability isn't a huge one and isn't even so > much technical but I thought it was at least worth > addressing. > > This problem arises from the Secret Questions > seciotion of the pay pal account, and as far as I know > this only affects canadian members. > > One of the secret questions you can select when > setting up your pay pal account is to enter the last 4 > digits of your drivers license. The problem here, is > that the last 4 digits of most any canadian drivers > license are the month and day that you were born. For > example of the last 7 digits of my drivers license > were 8-40726 then I would be born on july 26th, 1984. > Canada uses this as a secondary measure to ensure > validity of age against people modify their license (I > used to work in a bar). > > So anyone who wanted to know the answer to the last 4 > digits of your drivers license secret question would > only need to know the day and month you were born to > know the answer. > > Seeing as how the other 3 possible secret choice > questions are kinda weak anyways, it doesn't provide > much security against someone who has done their > homework from stealing your money. > > Also it is my guess that this question was just left > over from the secret question on the american paypal, > which american licenses don't use the same method, I > think. > > Anyways, have fun. > > J. Tole a.k.a. ph1zzle > jtole2003@...oo.com > > > __________________________________ > Do you Yahoo!? > Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes > http://hotjobs.sweepstakes.yahoo.com/signingbo> nus > > > _______________________________________________ > > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists