Transaction Based Systems
From Area51 Archives
Date Released: 03/15/2004 - In 2600 Magazine.
Let’s jump right into the first question, “What the hell is a transaction based system?” Well, it is as straightforward as it sounds. It is a system that works using transactions to process data. Remember that interactive processing shows immediate results, but batch processing takes more time. Transaction based systems are exclusive to batch processing (although some systems may support both types of access).
For example, when you go to the 2600 store (plug, plug…) or some other online shopping site, you add things to your shopping cart and then finally go to checkout. This is where you can see transaction processing happen. Do you think a little bell rings somewhere in a warehouse and someone runs to get your product right away? No, it will create a transaction that performs several functions. First, it will send the actual order to 2600 notifying them of their obligation. It also submits a transaction to the credit card company with details of the purchase and asks for the payment. It updates its own system at yahoo.com with accounting information (probably billing 2600 for a flat hosting fee, along with a per transaction fee to get their “cut”, plus any number of other accounting and tax record keeping functions). While you are sitting there looking at the “thank-you for ordering” screen, all these things have happened in the background.
So why should you care? Well, now that you know exactly what transactions are, where do you think the data in those transactions are kept? They are transactions that process DATA after all, and data doesn’t normally just disappear. It is kept for tax purposes and billing purposes as mentioned before. Everything you have ever ordered online is maintained. Don’t overlook that fact. No one throws data away! So far, I don’t know of any CENTRALIZED location where ALL of your purchases are kept, but each site definitely keeps records of their own transactions. But this article is not about being watched or tracked by big brother, so I digress.
Now that you realize what happens to your data in transaction processing, and you understand that it is stored somewhere, what good is this information to you? Crack your knuckles and stretch because it is time to get technical.
Transactions run on some sort of regular cycle that is determined by each individual company. Generally, that is to run the transaction cycle once per day (you ever seen that warning that it may take 24 hours to process your transaction?). Some companies run these programs hourly or even more frequently, but this is stressful on a system. While there has been a trend moving towards “live” inventory and order processing, it is still in its infancy. Generally, all of the orders taken at a particular site will get stored in a temporary file in the form of transactions. These transactions have programs behind them that decode the transaction data and tell the system what to do with the data within. A typical (unencrypted) transaction can be as simple as this.
If you look closely and decipher what you see, you may be able to figure out that the key to the file appears to be my friend’s email address (this is common because it is unique and not as personal as someone’s SSN). Beyond this, you might be able to figure out that on 02/13/2002 he purchased (the letter P) 2 products classified as “FL” (Flowers) which is product 01. The delivery address follows (note that this entire transaction is made up) with the last fields being his credit card number. This is what the system gets when you click on that order button. Then, usually in the middle of the night (downtime for most systems) a batch job runs that picks apart these transactions and sends out the parts that I mentioned earlier in the article. This is when the real work gets done and the order is truly processed. The deduction from your account will appear the next day, the warehouse will get the work order to process the purchase, etc. So the question I pose to you is: how would I place an order without ever seeing the web page?
Think about that for a second before reading further. You may see that the web is simply the interface that gathers information and generates the transactions. It is actually the transactions, and the programs that process these transactions, that actually do the work. So if you could get into the transaction file yourself, you would have direct control over the transactions. Now keep in mind that I am only explaining how these systems work; I am not suggesting or insinuating that you should do anything illegal with this knowledge! You are on your own there; I am only here to inform.
If you were able to gain access to this file (this is a topic that has been beaten to death, find your own way in) you could edit the file to have any transaction you wanted. You could cancel your own order, change your address, or any other number of things. You probably realize by now that you are editing ALL of the records in the ENTIRE file, not just your own. And the beauty is that in my experience, the audit trail (the logging of who does what to the system) happens on the interface side of the house, not the data side. The web server logs your visit and your order, but if you edit the file directly, it usually doesn’t get logged. They assume that general system security is keeping you away from this information. Obviously a good company will have good security that audits both, but in my experience it doesn’t happen. You edit the file, and the worst case I usually see is that it timestamps the edit and marks it with the user’s ID (which is unimportant if you are using a hacked ID). It is also unimportant because one of the parts usually in the transaction process is to sort the file and/or back up the file, which puts the job timestamp and SYSTEM ID back on the file! As the program runs, it hides your footsteps for you!
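The gap described above, where only the interface side is audited, can be closed on the data side. As an added example (not from the original article), the Python code below has the order front end chain an HMAC tag onto each record and the batch job verify the chain before processing, so a record edited, inserted, or removed directly in the file is flagged. The pipe-delimited record layout, the key, and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key (assumption); never stored beside the transaction file.
KEY = b"constructed-demo-key"

def _mac(key, prev, payload):
    return hmac.new(key, prev + payload.encode(), hashlib.sha256).digest()

def seal(records, key=KEY):
    """Front end: chain an HMAC tag onto each record, then add a count trailer."""
    prev, out = b"", []
    for rec in records:
        prev = _mac(key, prev, rec)
        out.append(f"{rec}|{prev.hex()}")
    head = f"END|{len(records)}"
    out.append(f"{head}|{_mac(key, prev, head).hex()}")
    return out

def verify(lines, key=KEY):
    """Batch job: return (line_no, reason) findings; an empty list means intact."""
    findings, prev = [], b""
    has_trailer = bool(lines) and lines[-1].startswith("END|")
    body = lines[:-1] if has_trailer else lines
    for no, line in enumerate(body, 1):
        rec, _, tag_hex = line.rpartition("|")
        expected = _mac(key, prev, rec)
        try:
            tag = bytes.fromhex(tag_hex)
        except ValueError:
            tag = b""
        if not hmac.compare_digest(tag, expected):
            findings.append((no, "record edited, inserted, or predecessor removed"))
        # Chain from the stored tag so a single edit yields a single finding.
        prev = tag if len(tag) == 32 else expected
    if not has_trailer:
        findings.append((len(lines) + 1, "trailer missing"))
        return findings
    head, _, mac_hex = lines[-1].rpartition("|")
    ok = head == f"END|{len(body)}" and hmac.compare_digest(
        mac_hex.encode(), _mac(key, prev, head).hex().encode())
    if not ok:
        findings.append((len(lines), "record count or trailer does not match"))
    return findings

# Constructed sample records; the pipe-delimited layout is an assumption.
SAMPLE = ["friend@example.com|02/13/2002|P|2|FL|01|123 Example St",
          "other@example.com|02/13/2002|P|1|FL|01|456 Sample Ave",
          "third@example.com|02/13/2002|P|3|FL|01|789 Test Rd"]
```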
Also, there is a timing issue involved when multiple transactions are going on. The order may be processed on an hourly cycle, but the credit card company may only process all of its charges at the end of the day. This is how people, in the past, would be able to use a stolen credit card all day without getting caught. It wasn’t until the next day that the suspicious activity was noticed. Of course, the credit card companies got wise to this and now are much more up to date on their monitoring.
With all of this being said (particularly my warning that you are at your own VERY HIGH RISK if you do anything illegal), I think that if you look around you every day you will see how transactions are extremely prevalent in your everyday life. The ATM will not process your deposit until the next business day (sometimes a manual process). A change of address may not be reflected until 24 hours later. Listen jerk, I paid that ticket last week, why hasn’t it been cleared from my record? Waiting on a change of grade at school before you can get your loan? All of these can now be explained, and now, maybe you can do something about it without waiting on someone else.