Message-Id: <20070831150327.C0382DA820@mailserver8.hushmail.com>
Date: Fri, 31 Aug 2007 16:03:26 +0100
From: <drumknott@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc:
Subject: LloydsTSB Bruteforce Possibility in Memorable Information
There is an issue in the LloydsTSB Banking logon system. Following a successful username/password combo the user is asked to enter memorable information before the login can be completed. If the memorable information is correct the user has access to their banking; if it is not, they are bumped back to the username/password request. The memorable information prompt asks for three characters from the memorable information, e.g. at positions 1, 7 and 9.

The login page is located here:
https://online.lloydstsb.co.uk/logon.ibc

The issue is that if the user gets the memorable information incorrect they are asked for the same character positions (e.g. 1, 7 and 9 again). This continues forever, basically making the memorable information pointless because it will not take much to brute-force it.

The idea of the memorable information is to stop keyloggers, as even if they log 3 characters they probably won't be asked for them again, but it's pointless because if you've got the username/password you're basically in after a bit of brute-forcing.

No attempts have been made to contact LloydsTSB regarding this matter as I was unable to locate contact details and it is not that severe.
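The design point the post makes is that a partial-secret challenge only resists replay if a failed attempt does not reveal what the next challenge will be. The following is an added, hypothetical Python model of such a "memorable information" step; it is not LloydsTSB's code and makes no claim about their implementation. With `rotate_on_failure=False` it reproduces the behaviour described above (the same positions are re-asked after a wrong answer); with the default `rotate_on_failure=True` it draws fresh positions after every attempt and locks the second factor after a few consecutive failures. The secret phrase, helper names and the lockout threshold are constructed for the example.

```python
import hmac
import random


class MemorableInfoVerifier:
    """Second-factor check: ask for k characters of a secret phrase at random positions.

    rotate_on_failure=False models the weakness described in the post (the same
    positions are requested again after a wrong answer). True is the hardened
    behaviour: every attempt, right or wrong, gets a freshly drawn challenge.
    """

    def __init__(self, secret, k=3, max_failures=3, rotate_on_failure=True, rng=None):
        if len(secret) < k:
            raise ValueError("secret is shorter than the number of positions requested")
        self._secret = secret.lower()          # case-insensitive, as such prompts usually are
        self._k = k
        self._max_failures = max_failures
        self._rotate = rotate_on_failure
        self._rng = rng if rng is not None else random.SystemRandom()
        self._failures = 0
        self._positions = self._draw_positions()

    def _draw_positions(self):
        # 1-based, distinct, sorted positions (e.g. [1, 7, 9] as in the post's example)
        return sorted(self._rng.sample(range(1, len(self._secret) + 1), self._k))

    @property
    def locked(self):
        return self._failures >= self._max_failures

    def challenge(self):
        """Positions the user must answer for the current attempt."""
        if self.locked:
            raise PermissionError("memorable information locked after repeated failures")
        return list(self._positions)

    def verify(self, answer):
        """Check the k submitted characters against the current challenge."""
        if self.locked:
            raise PermissionError("memorable information locked after repeated failures")
        expected = "".join(self._secret[p - 1] for p in self._positions)
        # compare_digest returns False (no exception) on unequal lengths
        ok = hmac.compare_digest(expected.encode(), answer.lower().encode())
        if ok:
            self._failures = 0
            self._positions = self._draw_positions()      # never re-use a solved challenge
        else:
            self._failures += 1
            if self._rotate:
                # Fresh positions: a wrong guess gives no foothold on the next prompt
                self._positions = self._draw_positions()
        return ok


def make_verifier(secret, seed, **kwargs):
    """Constructor with a seeded RNG so behaviour is reproducible in tests (hypothetical helper)."""
    return MemorableInfoVerifier(secret, rng=random.Random(seed), **kwargs)


def answer_for(secret, positions):
    """Stands in for the legitimate user reading the requested characters off their phrase."""
    return "".join(secret[p - 1] for p in positions)


def distinct_challenges_under_failure(verifier, attempts):
    """How many different position sets a user sees across `attempts` wrong answers.

    1 means the challenge never changes (the weakness in the post); >1 means it rotates.
    """
    seen = set()
    for _ in range(attempts):
        seen.add(tuple(verifier.challenge()))
        verifier.verify("zzz")                 # constructed wrong answer: secret has no 'z'
    return len(seen)


def fixed_position_guess_bound(alphabet_size=36, k=3):
    """Worst-case number of guesses when the positions never change: the whole k-character space."""
    return alphabet_size ** k


if __name__ == "__main__":
    secret = "correcthorse"                                # constructed sample phrase
    v = make_verifier(secret, seed=7)
    pos = v.challenge()
    print("asked for positions", pos, "->", v.verify(answer_for(secret, pos)))
    weak = make_verifier(secret, seed=7, rotate_on_failure=False, max_failures=10)
    strong = make_verifier(secret, seed=7, max_failures=10)
    print("distinct challenges over 5 failures, fixed positions:",
          distinct_challenges_under_failure(weak, 5))
    print("distinct challenges over 5 failures, rotating positions:",
          distinct_challenges_under_failure(strong, 5))
    print("guesses bounded by", fixed_position_guess_bound(), "when positions are fixed")
```

The two properties worth checking in any such scheme are visible in the model: the challenge must change after a failure, and the number of consecutive failures before an out-of-band reset must be small, because with a 36-character alphabet a fixed three-position prompt has only 46656 possible answers.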
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/