Designed for insecurity

PVR’s fancy ticket vending machines use credit card numbers as the primary database key. You book online, pay by card, come here, swipe the card, and get tickets. The only thing common to the online and kiosk transactions is your credit card. Your card number is the id in their database.

This is one system just waiting to be hacked.
Image from phone camera.

    Anonymous — Nov 18, 2006 10:29:57 PM — #

    This is one system just waiting to be hacked.
    :(

    Anonymous — Nov 19, 2006 12:48:49 AM — #

    Scare tactics?
    This is one system just waiting to be hacked

    Umm..assuming they don’t know what they are doing? And they are storing whole card number when you swipe the card?

    Or is this the standard scare tactics employed by “network security consultants” so that the business in question hires you as their “consultant”?

    Cheapshot IMO.

    praveenkumarg — Nov 19, 2006 1:04:24 AM — #

    need not be…they can generate an id and associate your card with it.

      Kiran Jonnalagadda — Nov 19, 2006 12:05:21 PM — #

      In which case it has to be a one-way hash of the card number. While the number may itself not be stored, the fact that it is the primary access route into their database is discomforting.

      With an e-commerce payment gateway, I’m assured that only the payment gateway gets to see the number, not the merchant. Here, I have no idea what’s going on behind the scenes.

      In some sense, PVR has a duty to explain to me why this is secure and that I should not be concerned about using my card here (and this goes for anonymous smartass above too).

    Anonymous — Nov 22, 2006 12:10:32 AM — #

    Or…they might just be using the credit card to establish your identity, like the Northwest kiosks here. Cause I book online with my corporate credit card and swipe my personal credit card at the kiosk to collect the boarding pass. I guess you could try that to verify.
    -Rohit

      Kiran Jonnalagadda — Nov 22, 2006 10:03:52 AM — #

      Don’t have another card to test with, but that’s possible. You know what’s most upsetting? The website produces a transaction id and says that is needed to get my tickets. I thought the card was merely id proof. That the card alone produced tickets was a nasty surprise.
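
An added example, not code from this post or from PVR, of the design the comments above point toward: the card is stored only as a keyed one-way token, and tickets are released only when the transaction id and the swiped card both match. `BookingStore`, `card_token`, the key handling and the test card number are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed values: in practice the key would live in an HSM or secrets
# manager, and the number below is a well-known test PAN, not a real account.
LOOKUP_KEY = secrets.token_bytes(32)
TEST_PAN = "4111111111111111"


def card_token(pan: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed one-way token; a plain hash of a 16-digit PAN is guessable offline."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class BookingStore:
    """Hypothetical booking table keyed by a random transaction id, not the card."""

    def __init__(self):
        self._rows = {}

    def book(self, pan: str, seats: list) -> str:
        txn_id = secrets.token_urlsafe(9)
        # Only the token and the last four digits are stored, never the PAN.
        self._rows[txn_id] = {"token": card_token(pan), "last4": pan[-4:],
                              "seats": seats, "collected": False}
        return txn_id

    def collect(self, txn_id: str, swiped_pan: str):
        """Release tickets only when the transaction id AND the card both match."""
        row = self._rows.get(txn_id)
        if row is None or row["collected"]:
            return None
        # Constant-time comparison of the stored token with the swiped card's token.
        if not hmac.compare_digest(row["token"], card_token(swiped_pan)):
            return None
        row["collected"] = True
        return row["seats"]

    def stored_fields(self):
        """Copy of what the database holds, for checking that no PAN is kept."""
        return [dict(r) for r in self._rows.values()]
```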
