[LINK] faux-privacy ? (was: It's Queensland - (sorry to Qlders))

Michael Skeggs mike@bystander.net mskeggs at gmail.com
Fri May 20 14:20:44 AEST 2011


On 20 May 2011 13:54, Jan Whitaker <jwhit at melbpc.org.au> wrote:
> The brute force access on this case reminded me of a similar
> situation a few years ago (probably discussed on Link at the time) of
> a person guessing URLs for bank accounts or some other similar type
> of 'secure' system. Does anyone recall what that was? If the URL is
> guessable, then it's not really secure, is it? Patterns are
> guessable. It wouldn't surprise me if that approach wasn't used a lot
> for just mucking about by bored high school/middle school/uni students.
>

My useless mortgage lender has a web login that requires a login and a
ridiculously pedantic password (8 characters exactly, at least one
uppercase and at least one number but no punctuation, must start with
a letter) and disables your account if you get it wrong 3 times. It
takes a call to the business-hours support desk to reset (please
supply a new password, same rules).
But the username is a numerical account number that increments by one
for each customer. I discovered this when I accidentally locked
someone out when I mistyped my login.
A script to lock out all their customers could be written in about ten minutes.
Idiots.

Regards,
Michael Skeggs
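As an added illustration (not from the post or the lender in question), the two lockout policies modelled side by side: the post's account-wide, never-expiring lock, and a scoped, self-expiring counter that stops a third party's failed attempts from locking the real owner out. Names, the 15-minute window and the "stranger mistypes account 1001" scenario are all constructed; a real deployment would still also throttle per account across all clients to slow password guessing.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3

class WeakPolicy:
    """Account-wide counter that never expires: as in the post, only a
    support call clears the lock, so anyone can lock the owner out."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, client, account, ok):
        if account in self.locked:
            return "locked"
        if ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
            return "locked"
        return "fail"

class ScopedPolicy:
    """Failures counted per (client, account) in a sliding window that
    expires on its own, so a stranger's typos do not lock the owner out."""
    def __init__(self, window=900, now=time.time):
        self.window = window
        self.now = now  # injectable clock so expiry can be tested offline
        self.failures = defaultdict(list)  # key -> failure timestamps

    def _recent(self, key):
        cutoff = self.now() - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def attempt(self, client, account, ok):
        key = (client, account)
        if len(self._recent(key)) >= MAX_FAILURES:
            return "locked"
        if ok:
            self.failures[key] = []
            return "ok"
        self.failures[key].append(self.now())
        return "locked" if len(self.failures[key]) >= MAX_FAILURES else "fail"

def lockout_dos(policy):
    """Constructed scenario: a stranger fails on account 1001 three times;
    does the owner, presenting the correct password, still get in?"""
    for _ in range(3):
        policy.attempt("stranger", 1001, False)
    return policy.attempt("owner", 1001, True)
```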


