Cornucopia - Ecommerce Website - AT 4

Suit: Authentication

Card/Value: 4

Description:
Sebastien can easily identify user names or can enumerate them.

Technical Note:
This attack is often the result of one or more of the following:
 * User names (IDs, account names) may be guessable, published elsewhere, or simply be email addresses
 * Authentication and related mechanisms may indicate whether a username is valid or not (registration, password reset/recovery, username recovery, change password, change email address)
 * Missing authentication failure detection
 * Missing monitoring to identify attacks against multiple user accounts that use the same password (password spraying)

Additionally, another web or non-web application (e.g. mobile app, telephone service) that uses the same credentials may have one or more of the above problems.
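The following is an added example, not code from the Cornucopia project, illustrating the second, third and fourth causes above: a login handler whose distinct error messages reveal which usernames exist, beside a hardened handler that returns one message and does the same amount of work for known and unknown accounts; a uniform password-reset response; and a detector that flags a single source failing against many different accounts, which per-account lockout alone does not catch. The user store, salts, passwords, IP addresses and log lines are all constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed example store: one salted PBKDF2 hash per account. Salts and
# passwords here are made up for the demonstration.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT_ALICE = b"constructed-salt-alice"
USERS = {"alice": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE))}

# A dummy credential that is hashed whenever the username is unknown, so the
# unknown-user path costs the same as the known-user path (no timing oracle).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password("dummy-never-valid", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Anti-pattern: different messages tell the caller which usernames exist."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    return "wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: same message and same work whether or not the account exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed, even for unknown users
    if username in USERS and hmac.compare_digest(candidate, stored):
        return "ok"
    return "invalid username or password"


def password_reset_uniform(username: str) -> str:
    """Reset/recovery gives one answer for known and unknown accounts; any
    e-mail is sent out of band, so the response itself confirms nothing."""
    return "If an account exists for that name, a reset link has been sent."


# Constructed authentication log: one source failing against many different
# accounts (spraying), another failing twice and then succeeding on one account.
AUTH_LOG = [
    "2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=fail",
    "2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=fail",
    "2024-05-01T10:00:03Z src=203.0.113.7 user=carol result=fail",
    "2024-05-01T10:00:04Z src=203.0.113.7 user=dave result=fail",
    "2024-05-01T10:00:05Z src=203.0.113.7 user=erin result=fail",
    "2024-05-01T10:00:06Z src=203.0.113.7 user=frank result=fail",
    "2024-05-01T10:01:00Z src=198.51.100.2 user=alice result=fail",
    "2024-05-01T10:01:09Z src=198.51.100.2 user=alice result=fail",
    "2024-05-01T10:01:20Z src=198.51.100.2 user=alice result=ok",
]


def _parse(line: str) -> dict:
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = timestamp
    return fields


def detect_spray(log_lines, threshold: int = 5) -> dict:
    """Sources whose failed logins touched at least `threshold` distinct accounts.
    Keyed by source, not by account, because each account sees only one failure."""
    failed_users = defaultdict(set)
    for line in log_lines:
        fields = _parse(line)
        if fields["result"] == "fail":
            failed_users[fields["src"]].add(fields["user"])
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= threshold}


def failures_per_account(log_lines) -> dict:
    """Failed attempts per account: the input for lockout or step-up decisions."""
    counts = defaultdict(int)
    for line in log_lines:
        fields = _parse(line)
        if fields["result"] == "fail":
            counts[fields["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(login_leaky("mallory", "x"), "|", login_leaky("alice", "x"))
    print(login_uniform("mallory", "x"), "|", login_uniform("alice", "x"))
    print(detect_spray(AUTH_LOG))
    print(failures_per_account(AUTH_LOG))
```

`detect_spray` counts distinct accounts per source over the whole input; a production detector would bound this to a sliding time window and also key on other stable attributes (user agent, ASN), since a spray spread across many source addresses keeps each one below the threshold. The uniform login handler still needs the account-level and source-level counters to feed rate limiting, otherwise identical messages merely hide the oracle without slowing the attempts.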

NB: This card relates to user names. See AT 7 for the similar password cracking (brute forcing, dictionary attacks, guessing, credential stuffing, credential cracking).
