[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable
From: A.L.M.Buxey () lboro ! ac ! uk
Date: 2007-08-31 20:17:35
Message-ID: 20070831201735.GA11181 () lboro ! ac ! uk
[Download RAW message or body]
Hi,
> The issue lies in that if the user gets the memorable information
> incorrect they are asked for the same character positions (e.g. 1,
> 7 and 9 again). This continues forever, basically making the
> memorable information pointless because it will not take much to
> brute force it.
not correct. after about 7 attempts the account is locked out at
the username/password part
> No attempts have been made to contact LloydsTSB regarding this
> matter as I was unable to locate contact details and it is not that
> severe.
http://www.lloydstsb.com/security.asp is a good starting point
anyway, LloydsTSB are moving to 2-factor authentication and most
of their customers should have their online backing upgraded
by the end of this year
http://www.vnunet.com/computing/news/2151425/lloyds-tsb-trial-wipes-online
alan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic