Lock the Arion online bank site from its users

Do you want to lock all Arion customers from their bank? It's very easy.

When you try to login to Arion bank on a valid user account but you accidently typed your password wrong you get the following error message:

Notandanafn og/eða lykilorð er rangt slegið inn. Þrjár árangurslausar innskráningar í röð leiða til þess að aðgangnum verður lokað af öryggisástæðum.(AS22E2)

Translation:

Username and/or password typed incorrectly. Three unsuccessful login attempts in a row will lead to the account being locked for security reasons.

This is the message you get from typing a valid username but invalid password.

However, if you type both a wrong username and a wrong password, you get a different error message:

Notandanafn og/eða lykilorð rangt(AS2204)

Translation:

Username and/or password is wrong.

This means the account doesn't exist: the two distinct error messages tell you whether a username is valid. With a simple script you can enumerate every valid username at Arion bank. Once you have a list of valid users you can submit three wrong passwords for each of them, and every one of those users is locked out of their account.

It's also interesting to note that Arion bank's usernames are automatically generated for each customer.

This is not the correct way to implement a login for something like a bank. Now let's take a look at how this should really be done.

Landsbanki, another bank in Iceland, has a very simple login box. Yet it is superior to Arion bank's in three ways:

Landsbankinn requires the user to enter all three inputs (the username, the password and the security code) at the same time.

On Arion bank you only type in the username and the password, and only then does it ask for the security code. This is also inferior to Landsbankinn: if you ever reach the security code page on Arion, you know that the username and password combination was correct. That is valuable information to a malicious hacker.

Landsbankinn always displays the same error message.

It doesn't matter whether the username, the password or the security code is wrong; if any of them is incorrect, you get the same message. Even if you try to brute force the username and password and click "Send SMS", you still get the same error message as if you had typed all three wrong.

Landsbankinn does not lock user accounts after a few wrong password attempts.

Instead, if the password is wrong, you have to wait a while before you can try again. This is the best solution to this kind of problem.

Some would say that you can still determine whether a username and password are correct on Landsbankinn by trying to send the SMS, but even if you manage to get your hands on the username and the password, the customer is sent an SMS containing a security code, which makes the victim aware that someone else has their login credentials.
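The three properties described above (all factors checked in one request, one error message for every failure, a growing delay instead of a hard lockout) reduced to a login handler. This is an added example written for this post, not code from either bank; the user record, the SMS code and the client identifier are constructed placeholders.

```python
import hashlib
import hmac
import secrets

GENERIC_ERROR = "Username and/or password is wrong."  # one message for every failure


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store (hypothetical data). The stored "sms_code"
# stands in for the one-time code the bank would send for this login.
_SALT = secrets.token_bytes(16)
USERS = {"0123456789": {"salt": _SALT, "pw": _hash("correct horse", _SALT),
                        "sms_code": "482913"}}
# Unknown usernames are checked against a dummy record so the request takes
# the same time as a real one and cannot be told apart by timing.
DUMMY = {"salt": _SALT, "pw": _hash("dummy", _SALT), "sms_code": "000000"}

# Failure counters keyed by (client, username): a wrong guess from one client
# slows down that client only, so a third party cannot lock the real user out.
_failures: dict = {}


def retry_after(client: str, username: str, now: float) -> float:
    """Seconds the caller must still wait before a new attempt is accepted."""
    count, last = _failures.get((client, username), (0, 0.0))
    if count == 0:
        return 0.0
    delay = min(2 ** (count - 1), 300)  # 1, 2, 4, ... seconds, capped at 5 min
    return max(0.0, last + delay - now)


def login(client: str, username: str, password: str, sms_code: str, now: float):
    """Check all three factors in one request; every failure, including an
    unknown username or a throttled attempt, returns the same message."""
    if retry_after(client, username, now) > 0:
        return False, GENERIC_ERROR
    rec = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["pw"])
    ok &= hmac.compare_digest(sms_code.encode(), rec["sms_code"].encode())
    ok &= username in USERS  # the dummy record must never authenticate
    if ok:
        _failures.pop((client, username), None)
        return True, "OK"
    count, _ = _failures.get((client, username), (0, 0.0))
    _failures[(client, username)] = (count + 1, now)
    return False, GENERIC_ERROR
```

The delay is enforced per client and username, so the victim of a guessing attempt is never locked out while the guesser is slowed down exponentially.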

I hope Arion bank has fixed their bugs by the time I post this.

Update:

It seems Arion bank has no interest in fixing their bug. The only way to fix this involves removing the feature of locking accounts after 3 attempts. It seems someone in Arion bank management thinks that locking accounts is a very good security measure.
