Closed Bug 949070 Opened 11 years ago Closed 11 years ago

The user's account will be locked for 5 minutes if the PIN is entered incorrectly less than 5 times

Categories

(Marketplace Graveyard :: Payments/Refunds, defect)

Other
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: sailajan.sabaratnam, Unassigned)

Attachments

(1 file)

Region code: Crow/Germany
Device: Unagi white
Connection: 3G/WiFi
Phone number/MSISDN: 01756938887/01756980737
Carrier: Telekom
Last 4 digits CC: n/a
Test App used: any

Steps to reproduce:
1. Launch MP Stage.
2. Search for an app.
3. Select the price button.
4. Enter the PIN incorrectly 2 times (or 1, 3 or 4 times).
5. Cancel the PIN entry process.
6. Attempt to buy the same app or another app.
7. On the PIN entry screen attempt to enter the PIN incorrectly 5 times.

Expected behavior: The user should be able to enter the PIN incorrectly 5 times.

Observed behavior: Notice the user can only enter the PIN incorrectly 3 times (or more or less depending on step 4) before being locked for 5 minutes.
Note: please wait at least 20 mins between step 5 and 6.
We think this is functioning as expected.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Here is a scenario that I'm concerned about:
1. User's teenage son wants to buy an app
2. Tries the PIN code 4 times before giving up
3. Days later, the user tries to make a purchase
4. The first incorrect PIN entry will lock the account and say you have entered an incorrect PIN way too many times.

Does it make sense to clear the counter every day? I am not too worried about this scenario. So, not reopening the bug as yet.
The counter scenario:
* is that I have stolen your phone and try 4 PIN attempts
* then when it clears, I try 4 more times
* I can keep repeating this until I get in to purchasing

In this scenario, I can get into purchasing, using an infinite number of attempts, without the PIN ever getting locked. By resetting every day, we just slow this whole process down. So that it could take someone who is really determined many days to get in.

There needs to be a line between security and usability here though. So I wouldn't have too much problem if someone said we should clear the PIN out. I think the PIN was a request from security though, so looping in rforbes.
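
The two counter policies discussed in the comments above, modeled side by side as an added example; it is not code from this bug or from Marketplace. The `PinLimiter` class, its field names, the sample PIN and the choice to clear the count on a correct PIN or after a lock are assumptions; only the 5-failure threshold and 5-minute lock come from the report.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 5        # from the bug: the lock triggers on the 5th wrong PIN
LOCK_SECONDS = 5 * 60   # from the bug: account locked for 5 minutes
DAY = 24 * 60 * 60

@dataclass
class PinLimiter:
    """Hypothetical limiter; reset_after=None keeps failures until success or lock."""
    pin: str
    reset_after: Optional[int] = None  # seconds after which old failures are forgotten
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0
    lockouts: int = 0                  # lock events, the signal a defender can alert on

    def attempt(self, guess: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        expired = self.reset_after is not None and now - self.first_failure_at >= self.reset_after
        if self.failures and expired:
            self.failures = 0          # the proposed periodic clear
        if hmac.compare_digest(guess, self.pin):
            self.failures = 0          # assumption: a correct PIN clears the counter
            return "ok"
        if self.failures == 0:
            self.first_failure_at = now
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0          # assumption: the lock starts a fresh count
            self.lockouts += 1
            return "locked"
        return "wrong"

def reporter_scenario() -> list:
    """Report steps 4-7: two wrong PINs, cancel, wait 20 minutes, keep entering wrong PINs."""
    lim = PinLimiter(pin="4821")       # constructed PIN
    times = [0, 10, 1200, 1210, 1220]  # seconds; cancelling does not touch the counter
    return [lim.attempt("0000", now=t) for t in times]

def lockouts_at_four_per_day(reset_after: Optional[int], days: int) -> int:
    """Lock events seen when four wrong PINs are entered each day for `days` days."""
    lim = PinLimiter(pin="4821", reset_after=reset_after)
    for day in range(days):
        for i in range(MAX_FAILURES - 1):
            lim.attempt("0000", now=day * DAY + i)
    return lim.lockouts
```

With the persistent counter the third wrong PIN of the second session locks the account, which is the observed behavior; with a daily clear, 30 days of four wrong PINs per day produce no lock event at all, while the persistent counter locks every second day.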