by femto113
2820 days ago
Felt legit to me. Sites can, should, and do take steps to mitigate brute-force attacks; his approach showed some shortcomings in those steps. E.g. they already only allow 3 bad PINs per call, but he showed that by hanging up immediately after the 3rd bad PIN they make it relatively trivial for the attacker to detect the failure. He also demonstrated that, due to the partial phone number masking in the UI, the attack could be done from an apparently trusted phone number.
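The comment's point about a per-call limit is that a counter which resets on hang-up does not bound the total number of guesses an account receives. The added example below (not the commenter's code, and not the site's; the account-wide limit of 5 failures, the 15-minute lockout, the account and PIN values are all constructed assumptions) replays the same constructed sequence of calls against a per-call counter and against a per-account counter that survives hang-ups, and returns how many PIN comparisons each policy actually performed.

```python
"""Compare a per-call PIN failure limit with an account-wide limit
that persists across hang-ups. Added example; all values are constructed."""
import hmac
from collections import defaultdict

PER_CALL_LIMIT = 3        # from the comment: three bad PINs per call
PER_ACCOUNT_LIMIT = 5     # assumed: failures allowed per account across calls
LOCKOUT_SECONDS = 900     # assumed: cooldown once the account-wide limit is hit


class PinService:
    """Hypothetical phone-PIN checker. `count_across_calls` selects whether
    failures are tracked per call (reset on hang-up) or per account."""

    def __init__(self, pins, count_across_calls):
        self.pins = pins
        self.count_across_calls = count_across_calls
        self.failures = defaultdict(int)   # account -> failures in current window
        self.locked_until = {}             # account -> unix time lock expires
        self.guesses_evaluated = 0         # PIN comparisons actually performed

    def _locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[account]     # lockout expired: start a fresh window
        self.failures[account] = 0
        return False

    def handle_call(self, account, guesses, now):
        """Process one call's PIN entries. Returns 'success' or 'hangup'."""
        in_call_failures = 0
        for guess in guesses:
            # A locked account is hung up on without evaluating the PIN, so
            # the caller observes the same behaviour as a failed attempt.
            if self._locked(account, now):
                return "hangup"
            if in_call_failures >= PER_CALL_LIMIT:
                return "hangup"
            self.guesses_evaluated += 1
            if hmac.compare_digest(guess.encode(), self.pins[account].encode()):
                self.failures[account] = 0
                return "success"
            in_call_failures += 1
            if self.count_across_calls:
                self.failures[account] += 1
                if self.failures[account] >= PER_ACCOUNT_LIMIT:
                    self.locked_until[account] = now + LOCKOUT_SECONDS
        return "hangup"


def replay(calls, pins, count_across_calls):
    """Feed (time, account, guesses) tuples to a fresh service.
    Returns (list of outcomes, number of PIN comparisons performed)."""
    svc = PinService(pins, count_across_calls)
    outcomes = [svc.handle_call(acct, guesses, t) for (t, acct, guesses) in calls]
    return outcomes, svc.guesses_evaluated


# Constructed sample data: one account, and four back-to-back calls that each
# enter three wrong PINs and get hung up on.
PINS = {"5551234": "8421"}
REPEATED_CALLS = [
    (100, "5551234", ["0000", "0001", "0002"]),
    (110, "5551234", ["0003", "0004", "0005"]),
    (120, "5551234", ["0006", "0007", "0008"]),
    (130, "5551234", ["0009", "0010", "0011"]),
]

if __name__ == "__main__":
    for label, across in (("per-call", False), ("per-account", True)):
        outcomes, evaluated = replay(REPEATED_CALLS, PINS, across)
        print(f"{label:12s} outcomes={outcomes} guesses_evaluated={evaluated}")
```

With the per-call policy every call gets its full three comparisons (12 in total, and the count keeps growing with each redial); with the account-wide policy the fifth failure locks the account and the remaining calls are hung up on without any PIN being checked, so the ceiling on guesses is set by the lockout schedule rather than by how often the caller redials.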