As with everything, the beauty is in the details, so let me just copy a small little passage that really piqued my interest.
In summary, it would not be possible to modify the card balance by altering the track data, as the balance value is not stored on the card. However, there are other types of attacks where it might be possible to change the card’s balance by tampering with the track data, even when the card’s balance is not stored on the track data.
An attacker could exploit weaknesses within the system by inserting malicious SQL statements that update the card’s balance in the back-end DB servers when an online transaction is performed; i.e. when a gift card is swiped at a retail POS terminal.
I sincerely hope the major credit card companies are wise enough to update their Oracle boxes.
mysql> SELECT * FROM CARDS WHERE CARD_NUMBER = 1;UPDATE CARDS SET BALANCE=999 WHERE CARD_NUMBER=633780558663425245;#;
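The back-end side of the fix, as an added example that is not from the quoted paper or any vendor's code: the swiped card-number field is checked against a digit allow-list and then passed to the query as a bound parameter, so the string shown above is never parsed as SQL. The SQLite in-memory table, the 12-19 digit length rule, and the function names are assumptions made for illustration.

```python
import re
import sqlite3

# Assumption: card numbers are 12-19 decimal digits; adjust to the issuer's format.
CARD_NUMBER_RE = re.compile(r"[0-9]{12,19}")

# Track-data field carrying the statement shown above (taken from the post).
TAMPERED_FIELD = "1;UPDATE CARDS SET BALANCE=999 WHERE CARD_NUMBER=633780558663425245;#;"


def make_db():
    """Constructed in-memory stand-in for the back-end CARDS table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CARDS (CARD_NUMBER TEXT PRIMARY KEY, BALANCE INTEGER)")
    db.execute("INSERT INTO CARDS VALUES ('633780558663425245', 25)")  # constructed balance
    db.commit()
    return db


def lookup_balance(db, swiped_field, validate=True):
    """Return the balance for a swiped card number, or None if rejected or unknown."""
    if validate and not CARD_NUMBER_RE.fullmatch(swiped_field):
        # Reject before the value reaches the database; a real POS back end
        # would also log this swipe for detection.
        return None
    # Bound parameter: the driver sends the value as data, never as SQL text.
    row = db.execute(
        "SELECT BALANCE FROM CARDS WHERE CARD_NUMBER = ?", (swiped_field,)
    ).fetchone()
    return row[0] if row else None


def stored_balance(db, card_number="633780558663425245"):
    """Read the balance directly, to confirm no UPDATE was executed."""
    return db.execute(
        "SELECT BALANCE FROM CARDS WHERE CARD_NUMBER = ?", (card_number,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("legitimate swipe:", lookup_balance(db, "633780558663425245"))
    print("tampered swipe, validated:", lookup_balance(db, TAMPERED_FIELD))
    # Even with validation switched off, the bound parameter matches no row.
    print("tampered swipe, bound only:", lookup_balance(db, TAMPERED_FIELD, validate=False))
    print("balance afterwards:", stored_balance(db))
```
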