Sampath Vishwa allows brute Forces

[Jack_Sparrow]

I forgot my Sampath Vishwa password then i did for tried 6 times, finally website indicates that my user id is blocked... They have manual tedious procedure to reset accounts which has to be done by filling forms and submitting

However i was curious then i tried an user name such as "dsfgsdfds" and then it prompts you have 5 more attempts. then i again tried it it keeps prompting 5 attempts (i doubt that this happens when particular user is not existing)

cool thing is every time i try new username it gives me five attempts.. It does not block my IP at all...

So how about if someone tried a Brute force attack on every possibility of usernames (more than 6 characters) and starts freezing Sampath customers Vishwa accounts (Simple freezer like GroundZero's Facebook Freezer could do it, thing is in fb you can reset pasword easily with email)

Any comments or arguments weather its not possible with this site
If anyone works at sampath please inform your IT

 

[2osama]

MY ONE ALSO GOT SAME PROBLEM

 

[radiax]

i have sampath vishwa too. mahan i think its for safety reasons. i never experienced this as i always remember my pass
clearly it doesnt block IP but the user ID. no use of blocking IP attacker could use another IP.
only down side is i can block your account if i know your user ID.
they should introduce quick and hassle free way to reset password.
but this method is way secure

 

[moonrock]

you are an idiot for posting something like this in a public forum. you should have informed them(sampath bank) instead of exposing a critical issue like this in their system and let hackers to mess up with accounts of innocents users. users can do nothing so why did you reveal such a crucial information in here? what is the point?

 

[JesonRulez]

ammatasiri. aththa kathawa

 

[GoldHeart]

itz true machan... bt the possibility to be the both user name & password right is very low..

 

[kosandpol]

itz true machan... bt the possibility to be the both user name & password right is very low..

he's talking about a DOS attack. Idea is to cripple the service and not hack in to it.

 

[Jack_Sparrow]

i have sampath vishwa too. mahan i think its for safety reasons. i never experienced this as i always remember my pass
clearly it doesnt block IP but the user ID. no use of blocking IP attacker could use another IP.
only down side is i can block your account if i know your user ID.
they should introduce quick and hassle free way to reset password.
but this method is way secure

so attacker can grab two or three user names repeat this and get block these users thats the point is so sampath should have way to easily reset this with a mobile or email thats how big giants like FB , google fo

you are an idiot for posting something like this in a public forum. you should have informed them(sampath bank) instead of exposing a critical issue like this in their system and let hackers to mess up with accounts of innocents users. users can do nothing so why did you reveal such a crucial information in here? what is the point?

If i inform them will they give me an award or hire me for their software engineering team hell no they will say ok we will consider and their IT team will not accept their fault, but they will secretly fix it

 

[JesonRulez]

itz true machan... bt the possibility to be the both user name & password right is very low..

na machan. methana karanne password eka waraddala account block karala daana eka.

 

[Jack_Sparrow]

he's talking about a DOS attack. Idea is to cripple the service and not hack in to it.

haha exactly cripple the service for valuable customers and they all have to fill forms I don't know why they don't allow recover options from emails

 

[moonrock]

so attacker can grab two or three user names repeat this and get block these users thats the point is so sampath should have way to easily reset this with a mobile or email thats how big giants like FB , google fo



If i inform them will they give me an award or hire me for their software engineering team hell no they will say ok we will consider and their IT team will not accept their fault, but they will secretly fix it

yeah they will surely fix it and that's the point of my comment and that's what should be happened.

 

[kosandpol]

haha exactly cripple the service for valuable customers and they all have to fill forms I don't know why they don't allow recover options from emails

because this method is hacker proof. Only the account owner can reset pw or request access change to his account.

 

[JesonRulez]

I'm a sampathvishwa user. My user name is JesonRulez. Now I'm done!

 

[mldarshana]

yeah they will surely fix it and that's the point of my comment and that's what should be happened.

LOL ... මම 2003 ඉඳන් sampath vishwa use කරනව ... දැන් අවුරුදු 10ක් තිස්සෙ ඔය අවුල repeat වෙනව

 

[kosandpol]

I'm a sampathvishwa user. My user name is JesonRulez. Now I'm done!

effin' LOLZ!!

should've thought about that before becoming a Statham fanatic

Though in all seriousness, what you said just proves another security concern. Do NOT use the same username everywhere. Especially ones that are used in public sites.

 

[Jack_Sparrow]

yeah they will surely fix it and that's the point of my comment and that's what should be happened.

as a software engineer we are also developing applications and we also have loopholes and errors, but we need to accept our mistakes. For a security engineer (not a software engineer) these are very primitive things he should detected at first place.

because this method is hacker proof. Only the account owner can reset pw or request access change to his account.

yeah you are correct its hacker proof online, how about mobile subscription get a SMS?

 

[Jack_Sparrow]

LOL ... මම 2003 ඉඳන් sampath vishwa use කරනව ... දැන් අවුරුදු 10ක් තිස්සෙ ඔය අවුල repeat වෙනව

sirawata from 2003 machan did you report them?
doubt that they still use old SSL already broken channels and encryption algorithms

 

[Jack_Sparrow]

I'm a sampathvishwa user. My user name is JesonRulez. Now I'm done!

haha my account always come below Rs1000 in the middle of the month so i dont have to worry

 

[kosandpol]

as a software engineer we are also developing applications and we also have loopholes and errors, but we need to accept our mistakes. For a security engineer (not a software engineer) these are very primitive things he should detected at first place.



yeah you are correct its hacker proof online, how about mobile subscription get a SMS?

this method is still safer. if the phone gets stolen, someone can still access the account. This way, unless the hacker changes his face and get a counterfeit ID card, is impossible to fool.

 

[mldarshana]

sirawata from 2003 machan did you report them?
doubt that they still use old SSL already broken channels and encryption algorithms

ඔව් බන් මම Manager කෙනෙක්ටත් කිව්ව ඒ කාලෙම ... තව ඕකෙ IT devision එකේ වැඩ කරන යාළුවෙක්ට කිව්වම ඌ කියපි ...

"ඔව් බන් ඕක known bug එකක් ... ළඟම තියෙන branch එකකට ගිහිල්ල reset කරගනින්කො" කියල

තව ඌ කියනව ඒක security feature එකක්ලු ... උන්ගෙ IT ගැන හිතාගනින්කො