GNU social JP
GNU social JP is a Japanese GNU social server.

Conversation

Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 04-Feb-2024 08:09:28 JST, from infosec.exchange

UK banks like to make you pick a "memorable word" and then will ask you for two or three letters when you log in.

Given even two letters, there usually won't be many possibilities...
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 04-Feb-2024 08:39:15 JST
in reply to ✨🏳️‍⚧️Timelordiroh :she_her:🇵🇸

@timelordiroh yes
✨🏳️‍⚧️Timelordiroh :she_her:🇵🇸 (timelordiroh@mstdn.iroh.tv), Sunday, 04-Feb-2024 08:39:17 JST

@ryanc this might just be the dumbest way to 2FA without actually doing 2FA that I have ever seen. Is it common in the UK?
Ben Herzog :donor: (bh11235@infosec.exchange), Sunday, 04-Feb-2024 11:04:14 JST

@ryanc It has long been speculated that a statistical correlation exists between the familiarity of a player with a word, and the number of expected wordle turns the player will require to solve for the word; and that this might have practical applications in the field of authentication mechanisms. In this paper, we
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 04-Feb-2024 18:02:34 JST
in reply to Ben Herzog :donor:

@bh11235 now that you mention it, I think I once wrote a CTF challenge that was a lot like wordle, except it was intended to force the players to automate it.
Ben Aveling (benaveling@infosec.exchange), Sunday, 04-Feb-2024 21:23:06 JST

@ryanc … but you only get a few wrong guesses before it locks.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Friday, 09-Feb-2024 19:46:09 JST
in reply to Ben Aveling

@BenAveling If you observe one login, you can probably guess the word before it locks.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Friday, 09-Feb-2024 19:46:48 JST
in reply to Ben Aveling

@BenAveling It's just wordle.
Ben Aveling (benaveling@infosec.exchange), Friday, 09-Feb-2024 20:41:05 JST

@ryanc interesting.
Back-of-the-envelope calculation for that attack: assuming 6-letter words, chosen randomly; 3 letters, chosen randomly; 5 guesses; and an attacker with full knowledge of those 3 letters, there is almost a 70% chance of guessing.
Much harder if the attacker knows the letters but not the exact locations.
Also a lot harder if the bank is deliberate in its choosing of letters rather than completely random: many words have some combination of 3 letters that are a complete 100% giveaway and other combinations that are very much not.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Sunday, 11-Feb-2024 21:55:49 JST
in reply to Ben Aveling

@BenAveling The positions are specified by the prompt, the customer chooses the word. The word not being chosen randomly matters a lot.

Sure, an attacker can't get into every account, but if they phish 100 people, they'll probably be able to get into most of them.
Ben Aveling (benaveling@infosec.exchange), Monday, 12-Feb-2024 05:30:53 JST

@ryanc how did we segue to phishing?
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), Monday, 12-Feb-2024 17:23:25 JST
in reply to Ben Aveling

@BenAveling My original post was implicitly about phishing.

The banks claim the reason they only ask for two or three of the letters is to prevent replay attacks (capture via phishing or man-in-the-browser) from being used to login.

This feature is touted as a sort of one time password MFA, but it absolutely is not.
Ben Aveling (benaveling@infosec.exchange), Monday, 12-Feb-2024 18:53:11 JST

@ryanc If you’re MITM’d then it doesn’t matter how good your password is…
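The attack the thread describes (capture one login, then guess the rest of the word before the lockout), worked through as an added example; this is not code from any of the posters. It assumes a 6-letter word, a constructed 40-word sample dictionary standing in for the kind of words customers pick, that the victim's word is in that list, that the captured login asked for positions 2 and 5, that the next prompt asks for positions 1, 3 and 6, and a three-attempt lockout. The function names are this example's own.

```python
"""Model of the 'memorable word' check and the dictionary attack on it.

The bank names two or three character positions at login; the customer types the
letters of their word at those positions. An attacker who captured one login
(phishing or a man-in-the-browser) learns those letters, filters a word list to
the words that still fit, and answers the next prompt (for other positions) by
trying the most likely letter combinations before the lockout.
"""
from collections import Counter

# Constructed sample of the kind of 6-letter words customers pick. This is an
# assumption for the demo, not a real dictionary or any bank's data; a real
# attacker would use a full word list plus names, places and dates.
WORDS = [
    "london", "summer", "winter", "spring", "autumn", "monday", "friday",
    "sunday", "orange", "purple", "yellow", "silver", "golden", "castle",
    "garden", "forest", "island", "flower", "rabbit", "kitten", "puppet",
    "dragon", "knight", "wizard", "pirate", "soccer", "tennis", "cheese",
    "coffee", "butter", "cookie", "banana", "cherry", "potato", "tomato",
    "carrot", "pepper", "ginger", "violet", "marble",
]


def observe(word, positions):
    """What one captured login reveals: the letters at the 1-based positions the
    bank asked for, keyed by position."""
    return {p: word[p - 1] for p in positions}


def candidates(words, observed):
    """Dictionary words consistent with every captured (position, letter) pair."""
    return [w for w in words if all(w[p - 1] == c for p, c in observed.items())]


def answer_counts(words, observed, prompt):
    """For a new prompt (a tuple of positions), how many surviving candidates
    share each possible answer. Ranking by this count is the wordle strategy."""
    return Counter(tuple(w[p - 1] for p in prompt)
                   for w in candidates(words, observed))


def guess_order(words, observed, prompt):
    """The answers an attacker submits, most widely shared first."""
    return [answer for answer, _ in answer_counts(words, observed, prompt).most_common()]


def success_probability(words, observed, prompt, attempts):
    """Chance of getting in within `attempts` tries, assuming the victim's word
    is equally likely to be any surviving candidate (it must be in the list)."""
    counts = answer_counts(words, observed, prompt)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    covered = sum(n for _, n in counts.most_common(attempts))
    return covered / total


def campaign_success(words, observed_positions, prompt, attempts):
    """Average success when every word in the list is one victim's word: the
    'phish 100 people, get into most of them' figure."""
    return sum(
        success_probability(words, observe(w, observed_positions), prompt, attempts)
        for w in words
    ) / len(words)


def random_word_baseline(prompt_len, attempts, alphabet=26):
    """What the bank's replay argument implicitly assumes: a uniformly random
    word, so each attempt is a blind guess at `prompt_len` letters."""
    return attempts / alphabet ** prompt_len


if __name__ == "__main__":
    seen = observe("winter", (2, 5))  # one phished login: positions 2 and 5
    print("captured:", seen)
    print("still possible:", candidates(WORDS, seen))
    print("guesses for positions 1, 3, 6:", guess_order(WORDS, seen, (1, 3, 6)))
    print("success within 3 attempts:", success_probability(WORDS, seen, (1, 3, 6), 3))
    print("campaign average:", campaign_success(WORDS, (2, 5), (1, 3, 6), 3))
    print("random-word baseline:", random_word_baseline(3, 3))
```

With this sample list, two captured letters leave at most five candidate words, so the attacker gets in within three attempts for 95% of victims on average, against 3/26^3 (about 0.02%) if the word really were random letters. A realistic dictionary only widens that gap. The positions the bank chooses are not what is being attacked; the customer's non-random choice of word is, which is the point made in the thread about why partial-character prompts are not a one-time-password substitute.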

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.