When the customer user name is invalid, why does it ask the security question instead of saying it's invalid?
A: If the user name entered is invalid, the user is asked a random question drawn from the application's full list of security questions. That question may or may not be the one associated with the actual account. No matter what security answer is entered, the system returns the error "Invalid answer for this user." The system never indicates that the user name alone is invalid; this protects against user name enumeration vulnerabilities.
This behaviour was added to the system specifically to address a potential vulnerability identified during our pre-production third-party penetration testing. User name enumeration vulnerabilities arise when different error messages are presented to a user depending on whether an account exists. By abusing such a vulnerability, an attacker can gain a complete list of all of the valid users of the application. This would easily hand the attacker one piece of the security puzzle for every single Digital Banking user.
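The following is an added example, not the Digital Banking application's own code, showing the difference between a security-question step that leaks account existence and one that behaves as described above (random question from the full list for unknown names, identical error for any wrong or unknown answer). The question list, the `alice` account, the answers and the `DUMMY_ANSWER` value are all constructed sample data.

```python
"""Security-question flow that does not reveal whether a user name exists.

Constructed example: the question list, accounts and answers are sample data.
"""
import hmac
import secrets

# Constructed sample data: the application's full list of security questions.
ALL_QUESTIONS = [
    "What was the name of your first pet?",
    "In what city were you born?",
    "What is your mother's maiden name?",
    "What was the make of your first car?",
]

# Constructed sample accounts: user name -> (assigned question, expected answer).
# A production system would store salted answer hashes; plain strings keep
# the example short.
ACCOUNTS = {
    "alice": ("In what city were you born?", "lisbon"),
}

INVALID_ANSWER = "Invalid answer for this user."
ANSWER_ACCEPTED = "Answer accepted."
# Compared against when the user does not exist, so the code path still does a
# comparison instead of returning early (assumed placeholder value).
DUMMY_ANSWER = "no-such-account-placeholder"


def _normalise(answer):
    """Trim, lowercase and collapse whitespace so 'Lisbon ' matches 'lisbon'."""
    return " ".join(answer.strip().lower().split())


def leaky_question_for(username):
    """The enumeration-prone 'before' version: an unknown name gets a
    distinct message, so the response itself says whether the account exists."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "Unknown user name."
    return account[0]


def question_for(username, rng=secrets):
    """Hardened version: a valid user gets their assigned question, an unknown
    user gets a random question from the full list. Either way the caller sees
    a question, never an 'unknown user' message. `rng` only needs a .choice()."""
    account = ACCOUNTS.get(username)
    if account is not None:
        return account[0]
    return rng.choice(ALL_QUESTIONS)


def verify_answer(username, answer):
    """Return (accepted, message).

    An unknown user and a valid user with a wrong answer both get
    INVALID_ANSWER, so the message cannot be used to tell them apart.
    hmac.compare_digest keeps the string comparison itself length-independent
    in timing; the lookup is always followed by a comparison for the same reason.
    """
    account = ACCOUNTS.get(username)
    expected = account[1] if account is not None else DUMMY_ANSWER
    matched = hmac.compare_digest(
        _normalise(answer).encode(), _normalise(expected).encode()
    )
    if account is None or not matched:
        return (False, INVALID_ANSWER)
    return (True, ANSWER_ACCEPTED)


def messages_distinguish_accounts(handler, known, unknown):
    """Simple regression check for the property the FAQ describes: does the
    handler's text for a known name differ from its text for an unknown one?
    For verify_answer the answer is deliberately wrong for both."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky :", leaky_question_for("nobody"))
    print("fixed :", question_for("nobody"))
    print(verify_answer("alice", "Lisbon "))
    print(verify_answer("alice", "porto"))
    print(verify_answer("nobody", "lisbon"))
```

The leaky version fails the `messages_distinguish_accounts` check because "Unknown user name." never appears for a real account; the hardened version passes because both branches produce a question and, on a wrong answer, the same error string. Note that `hmac.compare_digest` only removes timing differences in the comparison itself; whether the whole request takes the same time for known and unknown names depends on the rest of the request path (database lookups, hashing) and should be measured separately.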