[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information

To: drumknott@xxxxxxxxxxxx
Subject: Re: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information
From: A.L.M.Buxey@xxxxxxxxxxx
Date: Fri, 31 Aug 2007 21:17:35 +0100

Hi,

> The issue lies in that if the user gets the memorable information 
> incorrect they are asked for the same character positions (e.g. 1, 
> 7 and 9 again). This continues forever, basically making the 
> memorable information pointless because it will not take much to 
> brute force it. 

not correct. after about 7 attempts the account is locked out at
the username/password part

> No attempts have been made to contact LloydsTSB regarding this 
> matter as I was unable to locate contact details and it is not that 
> severe.

http://www.lloydstsb.com/security.asp is a good starting point

anyway, LloydsTSB are moving to 2-factor authentication and most
of their customers should have their online backing upgraded
by the end of this year

http://www.vnunet.com/computing/news/2151425/lloyds-tsb-trial-wipes-online

alan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information
  - From: drumknott

Prev by Date: [Full-disclosure] [USN-510-1] Linux kernel vulnerabilities
Next by Date: [Full-disclosure] Team SHATTER Advisory: IBM DB2 Buffer overflow in sysproc.auth_list_groups_for_authid
Previous by thread: [Full-disclosure] LloydsTSB Bruteforce Possibility in Memorable Information
Next by thread: [Full-disclosure] IE7 (for Vista) and Firefox remote code execution
Index(es):
- Date
- Thread