Full Disclosure: LloydsTSB Bruteforce Possibility in Memorable Information

From: <drumknott_at_hushmail.com>
Date: Fri, 31 Aug 2007 16:03:26 +0100

There is an issue in the LloydsTSB Banking logon system. Following
a successful username/password combo, the user is asked to enter
memorable information before the login can be completed. If the
memorable information is correct, the user has access to their
banking; if it is not, they are bumped back to the username/password
request. The memorable information step asks for three characters from
the memorable information, e.g. at positions 1, 7 and 9.

The login page is located here:
https://online.lloydstsb.co.uk/logon.ibc

The issue is that if the user gets the memorable information
incorrect, they are asked for the same character positions (e.g. 1,
7 and 9 again). This continues forever, basically making the
memorable information pointless because it will not take much to
brute force it.

The idea of the memorable information is to stop keyloggers, as even
if they log 3 characters they probably won't be asked for them
again, but it's pointless because if you've got the
username/password, you're basically in after a bit of bruteforcing.

No attempts have been made to contact LloydsTSB regarding this
matter as I was unable to locate contact details and it is not that
severe.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Aug 31 2007
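The weakness described in the post is that a failed answer gets the same three positions again. One way to build the second logon step so that every challenge, including the one after a failure, draws fresh positions and a small failure budget locks the account, as an added example (not LloydsTSB's code; the sample secret, the three-failure lockout and the redraw policy are assumptions):

```python
import secrets


class MemorableInfoVerifier:
    """Hypothetical server-side model of the "memorable information" step.

    The user must supply the characters at k positions of a stored secret.
    Positions are re-drawn for every challenge, so a wrong answer never gets
    a second try at the same positions (the flaw the post describes), and
    MAX_FAILURES consecutive wrong answers lock the account.
    """

    MAX_FAILURES = 3  # assumed policy, not LloydsTSB's

    def __init__(self, secret: str, positions_per_challenge: int = 3):
        self.secret = secret  # assumed ASCII, stored hashed in a real system
        self.k = positions_per_challenge
        self.failures = 0
        self.current = None  # positions of the outstanding challenge, if any

    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def challenge(self) -> list[int]:
        """Issue a fresh challenge: k distinct 1-based positions from a CSPRNG."""
        if self.locked():
            raise PermissionError("account locked after too many failures")
        pool = list(range(1, len(self.secret) + 1))
        chosen = [pool.pop(secrets.randbelow(len(pool))) for _ in range(self.k)]
        self.current = sorted(chosen)
        return self.current

    def verify(self, answer: dict[int, str]) -> bool:
        """Check one answer {position: character}; consumes the challenge."""
        if self.locked() or self.current is None:
            return False  # no outstanding challenge: nothing to answer
        positions, self.current = self.current, None  # next attempt redraws
        expected = "".join(self.secret[p - 1] for p in positions).lower()
        given = "".join(answer.get(p, "") for p in positions).lower()
        if secrets.compare_digest(expected.encode(), given.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    v = MemorableInfoVerifier("correcthorse")  # constructed sample secret
    pos = v.challenge()
    print(pos, v.verify({p: "correcthorse"[p - 1] for p in pos}))
```

Because `verify` discards the challenge on a wrong answer, a repeated submission against the old positions is simply rejected and the caller must request new positions, which is the behaviour the post says the real site lacked.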