Topic: Copying a visa card? (Read 1412 times)

It is possible but that is a fraud however why are duplicating the card information or plastic if you the rightful owner.

Thank you for explaining again now i have no doubts that this doesn't work.

Well upon reflection it isn't the best example as it may not be a problem under all DBMS in all configurations.  However under some conditions it would be possible to make the balance check on a second transfer request before the explicit transaction statement executes on the first transfer operation.  Thus you were on the right track, the balance check may result in the application being non ACID compliant because it allows a stale read.  If we serialize it out the execution could look like this


Now there may be configurations where the code above "might" be safe but I don't like it because it is fragile code.  A change in configuration could result in it failing.  As a result I prefer everything inside the explicit transaction (the check is part of the atomic operation).


Note that code is still a simplified example.  Production code should obviously be more robust.  I prefer using a try-catch pattern with exceptions.


So yes the dbms prevents you from needing to re-invent the wheel but like any tool you need to use it properly for it to work as expected. 

The top part verifies whether or not the balance is there. The bottom should be fine as well (logically) since it verified that the account that's being withdrawn from has enough balance already, and the second account's balance should be irrelevant since it's adding on to, not removing from.

I'm not seeing the logic error there, :p. Unless it has to do with checking the balances (and in that time period another transaction could have altered one or both balances, such that the balance in acct 9001 may not still be 900+).

A database can't prevent a dirty write (as an example) if you don't inform it that a sequence of transactions are atomic.


This is a very simple example and it should have some error checking before making the change (otherwise) you could end up with balances of {-900,1800}.  The start transaction and commit commands instruct the database that everything between them is a single atomic operation.  Either all updates are successful or none of them are.  If the database crashed, or has a powerloss prior to the commit then the partially complete transaction would be rolled back.  The same operations without the explicit transaction could be subject to a flooding attack (even if balances were checked).

The DBMS handles the low level plumbing but the developers needs to use those capabilities to ensure the application is also ACID compliant.

For example what is wrong with this:

Exactly 

Ahhh, I get you now. So basically people take the "easy" way out and get screwed as a result. Seems like there's a life lesson in here somewhere, :p.

But then a lot of developers circumvent this to optimize speed. Which then leads to the flaws.. Yes, locking sucks and could lead to deadlock contentions, but I rather have a contention than some of the ridiculous things they allow. I don't feel the fiat industry does things like bitcoin exchanges.

If "dirty write" means the exploit mentioned previously (with two transactions hitting at once), wouldn't that mean that none of the exchanges (being that they should all be using modern DB's) should be exploitable? That would go against what was stated earlier.

Don't know if this helps, but most modern db's don't do dirty writes.

Thanks for that very graphical explanation. I wasn't aware that's how things worked either. I don't quite get how the databases are supposed to manage knowing whether or not another write is waiting though. I am one of the people who can code and all, but how do you code in such a way as to determine if you're waiting for something to write to the DB? I think I'm missing the "logic" part of it.

Power loss is just one example.  Here is a very simplified example (real DBMS are more robust).  There is a CC account with a balance of $4000 and the card is duplicated.  Two attackers start using the ATM at the same time trying to each withdraw $400.  They attempt to execute the withdraw as close to simultaneous as possibly by remaining in communication with each other. 

Lets ignore the fact that both ATMs are reporting this to the same central location so it is trivially easy for the bank to detect that the same card is being used simultaneously in two different locations (something that can't happen in fraud) and just confiscate both cards as a precaution.  Regardless of how well timed the attackers are, one request will be processed first.  The A in ACID means that all steps in one logical operation such as withdrawing cash are done as a single atomic operation.  Either they all complete or none of them do.  The I means that all atomic operations will always have the same outcome as if they were processed sequentially even if the database is handling multiple requests in parallel.

To keep it simple lets say this ATM protocol has three steps in the withdraw cash operation:
Check balance is greater than or equal to withdraw_amount
Dispense withdraw_amount
Deduct amount from balance

I am assuming you think the attack could work like this (T1 is steps for transaction 1, and T2 is steps for transactions 2):
T1 check balance ($400) is greater than or equal to $400 = TRUE
T2 check balance ($400) is greater than or equal to $400 = TRUE
T1 dispense $400
T2 dispense $400
T1 deduct $400 from balance.  Balance = $0
T2 deduct $400 from balance.  Balance = -$400.

Attackers win, $800 dispensed from account with only a $400 balance.  

The reality is this problem was solved more than fifty years ago, what actually happens is:
T1 CHECK TO SEE IF EXISTING TX IS IN PROGRESS (if true then wait otherwise start a new transaction)
T1 START TRANSACTION
T1 check balance ($400) is greater than or equal to $400 = TRUE
T2 CHECK TO SEE IF EXISTING TX IS IN PROGRESS (if true then wait otherwise start a new transaction)    <- this is true because T1 transaction is still in progress so the request will just halt and wait
T1 dispense $400
T1 deduct $400 from balance.  Balance = $0
T1 TRANSACTION COMMIT
T2 CHECK TO SEE IF EXISTING TX IS IN PROGRESS (if true then wait otherwise start a new transaction)
T2 START TRANSACTION
T2 check balance $0 is greater than or equal to $400 = FALSE
T2 report insufficient funds
T2 TRANSACTION COMMIT

All Bitcoin exchanges (or any system processing financial requests) should operate the same way.  This is very basic fundamentals of database operations.  Sadly many exchanges have been created by people who lack even the basic understanding of transaction processing.  They have in the past been attacked in a manner similar to the flawed ATM attack model.  They attacks should have failed but they didn't and users lost small fortunes.  I am sure more than one exchange is still vulnerable to similar attacks today.

The credit card number (and other information) can remain the same while the CVV changes. For example, when I requested my custom-picture card, I got one that had identical information but a changed CVV. So it does serve its purpose (as limited as that may be).

I really don't understand the point of CVV.. I thought it's intention was to show you had the card, but since it's needed just as much as the creditcard number, name and date, I just think it's a waste. Once, someone has your data, they have your data.

and you dont need a 3d printer to do it .. anything that has a magstripe will work and all you need is a mag reader and writer I might even have a msr506 somewhere in the garage still...


to answer the ops question yes you can copy the info on a credit card rather easy .. but if the balance isnt there to support it then its pointless..
and depending on what bank supports the card there fraud algorithm should pick up its being used in two different areas in a rather short period of time.

We were talking about credit cards, and what I meant is that nobody ever has to see your card as long as it's under a certain dollar amount. Plus you don't have to sign anything. You can grab $31 (I'm not sure the cap, but had a purchase the other day of $30.XX) worth of stuff at Walmart, have the checkout person ring up your stuff, swipe your card in the credit card system real quick, and move on as no signature is needed and no visual verification.

Above $35 (I guess? I'm not sure) they require you to sign for it. Above like $150-200, they also have to visually inspect the card.

What do you mean by here (what country) and what do you mean by ''don't need to verify cards either'' and what do you mean by ''Just swipe real quick and go'' do you mean that you just put the card in don't even enter the code and go away if so you can wait for a guest?

Thank you for explaing it really helped, but i am still not 100% sure i mean when i read about ACID on vikipedia there were no atms mentioned only sending from A to B some errors  power loss was mentioned on it.

I've seen sites even in the US where no security is there. I've used the card at places where they don't even need the CVC code or whatever it is on the back. And most stores here (physical) don't need to verify cards either. If you purchase less than, I think it's $25, at Walmart, for example, you don't even sign for it. Just swipe real quick and go. Same goes for gas in all cases (*some* will require a zip code, but that's rare).

Lucky for you, we in Spain here don't have that option. Literally no security at all.
A secure password will be enough, but I have no idea why that isn't implemented.


That thing is simply hilarious.