IITGN-CS431 / project-cns


Minor Bug(Group-11)[Could Be A Potential Security Bug]: Unnecessary usage of Card_id and Account_No #177

Open shubham-agrawal04 opened 2 hours ago

shubham-agrawal04 commented 2 hours ago

Upon analysis of the source code, I found that the account number and the card id generated during a successful registration of a user are produced using a random number generator, and hence, being generated randomly, they lose their uniqueness: multiple users can have the same card id and account number.

While this does not really affect the current implementation of the system, it may be a potential security bug in future if it's considered unique (because in reality, account numbers are unique for each account holder). Also, at the current level of implementation, do we really require an account number and a card id? Each username is required to be unique by the initial specification, in which case these are just unnecessary and serve no purpose.
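The following is an added example, not code from the project-cns repository, that illustrates the point raised above: it estimates how likely a duplicate becomes when account numbers are drawn at random from a fixed digit space (the 10^10 and 10^16 spaces assumed here match the widths quoted in this issue), counts the duplicates an unchecked random draw actually produces, and shows a hypothetical registry that keeps the random draw but rejects any value already issued.

```python
import math
import random
import secrets

# Assumed digit widths for the two identifiers (not taken from the project code).
ACCOUNT_NO_DIGITS = 10
CARD_ID_DIGITS = 16


def collision_probability(n_users: int, digits: int) -> float:
    """Exact birthday-problem probability that at least two of n_users IDs
    collide when each is drawn uniformly from 10**digits values.
    Computed in log space so the product does not underflow."""
    space = 10 ** digits
    log_no_collision = sum(math.log1p(-i / space) for i in range(n_users))
    return 1.0 - math.exp(log_no_collision)


def count_duplicates_unchecked(n_users: int, digits: int, seed: int = 0) -> int:
    """Simulate the unchecked scheme: draw n_users random IDs with no
    uniqueness check and report how many are duplicates of an earlier draw.
    A seeded PRNG is used here only so the simulation is reproducible."""
    rng = random.Random(seed)
    drawn = [rng.randrange(10 ** digits) for _ in range(n_users)]
    return len(drawn) - len(set(drawn))


class IdRegistry:
    """Hypothetical issuer that keeps identifiers random (CSPRNG) but
    guarantees uniqueness by refusing to hand out a value twice.
    In a real system the 'issued' set would be a unique index in the DB."""

    def __init__(self) -> None:
        self._issued: set[str] = set()

    def issue(self, digits: int, max_attempts: int = 16) -> str:
        for _ in range(max_attempts):
            candidate = f"{secrets.randbelow(10 ** digits):0{digits}d}"
            if candidate not in self._issued:
                self._issued.add(candidate)
                return candidate
        # Repeated misses mean the space is nearly full; fail loudly rather
        # than silently reuse an identifier.
        raise RuntimeError(f"could not allocate a unique {digits}-digit id")


if __name__ == "__main__":
    for users in (1_000, 100_000, 1_000_000):
        print(f"{users:>9} users, {ACCOUNT_NO_DIGITS}-digit account no: "
              f"P(duplicate) = {collision_probability(users, ACCOUNT_NO_DIGITS):.4f}")
    print("duplicates among 100 unchecked 2-digit draws:",
          count_duplicates_unchecked(100, 2, seed=1))
    registry = IdRegistry()
    print("unique 2-digit ids from the registry:",
          sorted(registry.issue(2) for _ in range(50)))
```

The birthday bound is what makes the uniqueness problem concrete: with a 10-digit space, a duplicate account number becomes more likely than not well before 150,000 registrations, regardless of how good the random source is. Enforcing uniqueness at issue time (or with a unique database constraint) is what keeps a random identifier usable as a key.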

shubham-agrawal04 commented 1 hour ago

I also pondered whether these may have been added as additional security for the account, so that even if the password is known, the card_id and account number asked for during login serve as a 2nd and 3rd layer of security. But even in that case, it's only 10^10 and 10^16 possible combinations to brute force, which is really not computationally heavy these days and quite easily achievable.

shubham-agrawal04 commented 1 hour ago

But then what purpose do they serve here? As I see it, the system would have been completely sound and foolproof even if these weren't added, with just the username and password for logging in.