Thursday, August 17, 2006

Denial of Service in BofA via Sitekey

Vulnerability of Passmark Sitekey at Bank of America reported
"Sestus Data Corporation announced today the discovery of a vulnerability of the Passmark Sitekey login approach at Bank of America that could permit an attacker to remotely lock out thousands of customers from their online banking accounts."

This type of issue happens often on websites, especially those with millions of users, when hard-and-fast account-lockout rules are used as anti-brute-force protection. When you have millions of users, just about every guessable username is taken. At that point it's trivial for someone to automatically fail login attempts and block your users from logging in. This was a popular tactic in on-line auctions to block competitive bidders. It's incredibly frustrating for users when this happens.

A better way to tackle brute-force protection in a web environment is to require a CAPTCHA once a failure threshold has been reached. Sure, a bad guy can keep guessing passwords and filling out those crazy images (a few seconds each), but if you have any kind of password policy in place, your risk here is minimal.
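The two policies side by side, as an added example that is not part of the original post or of either product mentioned above: a small per-account failure tracker where a hard lockout lets 20 wrong guesses from a stranger shut the real user out, while the CAPTCHA-after-threshold variant only adds a challenge step. The user database, thresholds and the `captcha_solved` flag are constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample credential store (hypothetical, plaintext only for brevity).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class LoginGuard:
    """Tracks recent failures per username.

    hard_lockout=True  -> after `threshold` failures the account is locked,
                          so an attacker can deny service to the real user.
    hard_lockout=False -> after `threshold` failures a CAPTCHA is required,
                          which slows guessing without locking anyone out.
    """
    threshold: int = 5
    window: float = 900.0          # seconds a failure stays "recent"
    hard_lockout: bool = False
    failures: dict = field(default_factory=dict)  # username -> [timestamps]

    def _recent_failures(self, username, now):
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = recent
        return len(recent)

    def login(self, username, password, captcha_solved=False, now=None):
        now = time.time() if now is None else now
        if self._recent_failures(username, now) >= self.threshold:
            if self.hard_lockout:
                return "locked"            # nobody gets in, attacker included
            if not captcha_solved:
                return "captcha_required"  # extra step, but the real user proceeds
        if hmac.compare_digest(USERS.get(username, ""), password):
            self.failures.pop(username, None)  # success clears the counter
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "denied"


def simulate(hard_lockout):
    """Attacker fires 20 bad guesses, then the legitimate user logs in."""
    guard = LoginGuard(threshold=5, hard_lockout=hard_lockout)
    for i in range(20):
        guard.login("alice", f"wrong-{i}", now=1000.0 + i)
    plain = guard.login("alice", USERS["alice"], now=1030.0)
    with_captcha = guard.login("alice", USERS["alice"], captcha_solved=True, now=1031.0)
    return plain, with_captcha
```

`simulate(True)` returns `("locked", "locked")` and `simulate(False)` returns `("captcha_required", "ok")`, which is the difference the paragraph above describes.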
