Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

"You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site."

I love this. Look these silly free social sites do it, so it must be ok. Anyone know if BofA or WellsFargo allow user enumeration?



> Anyone know if BofA or WellsFargo allow user enumeration

You're correct. They don't. Not even to authorities without a warrant. Which is the point I was trying to make in my earlier comment.[0]

[0] https://news.ycombinator.com/item?id=7510524


BofA and Wells Fargo suffer from account number enumeration.

Wells Fargo has 10-11 digit (depending on if it's WF or previously Wachovia) account numbers. One portion defines the bank branch where the account was opened, another portion defines the account type, and the last digit is a check digit. You can guess at an account number by attempting a deposit (in person or online).

There's also the fact that BofA and Wells Fargo have account numbers displayed in cleartext on pieces of paper that are handed to strangers.

I'm not arguing the merits of Coinbase's security, but traditional banks don't fare well either. Coinbase can improve. Traditional banks are limited by standards that they can't change.


I haven't personally seen the system, or tested it, but I'm pretty sure if I tried to enumerate all Bank Of America account numbers I'd get shut down pretty quick.


Two months ago I was able to enumerate all accounts from a local bank (Paraguay), they used document number and numeric passwords for login. They were showing different error messages when you tried to login with a nonexistent ID.

So I started generating random numbers between common document number ranges (1000000-4000000).

Our public health system has a web app that lets you check your enrollment status by entering an document #, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info). The most interesting thing was that I tried to login into all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.


isn't this roughly the sort of thing that got weev thrown in jail?


Yes, probably. I have communicated the public health app problem (actually they just need to put a CAPTCHA) many times but it seems that nobody cares. About the bank, I was working as a data science consultant at that time, so it was easy for me to knock the door of the security department and tell them about my attack.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: