Only a few weeks ago, I wrote about a new GDPR course with John Elliott. We've been getting fantastic feedback on that course and I love the way John has been able to explain GDPR in a way that's actually practical and makes sense! In my experience, that's a bit of a rare talent in GDPR land...
When we recorded that course in London a couple of months back, we also recorded another one on Defending Against JavaScript Keylogger Attacks on Payment Card Information. John has a background in payment systems and he's seen more than his fair share of attacks against them, particularly those which scrape card data straight out of the client side.
As luck would have it (or "bad luck", depending on your perspective), after recording that course but before posting this piece we saw a perfect industry example of the problem. Actually, it dates back to before the June recording date, to this tweet from the month before:
@Ticketmaster_NZ pic.twitter.com/MYFZy88SUc
— Shane Langley (@AskewDread) May 7, 2018
In this tweet, Shane is attempting to draw Ticketmaster's attention to the fact that there was some malicious JavaScript running on their site. Literally whilst John and I were recording this course, visitors to their site were being served this script and having their card data siphoned off. More than 6 weeks after that tweet, Monzo bank in the UK identified a pattern of Ticketmaster customers experiencing card fraud. It's a little alarming that it took the bank to figure out that one of their merchants had been pwned rather than the merchant identifying it themselves, yet here we are.
It later eventuated that the compromise was due to a single line of code or, more specifically, a script tag on Ticketmaster's website that embedded a chatbot from a company called Inbenta. Inbenta then had their script compromised and, because it was embedded on the Ticketmaster payment page, that's it, game over: the contents of the DOM and any input fields were now accessible to a malicious party. This is eerily similar to the Browsealoud incident only a few months earlier, although rather than a bit of (mostly) harmless crypto coin mining, it led to full-on card theft.
This sort of thing is alarmingly common and you really want to think about whose script you embed on your site:
H/t to @ydklijnsma - you probably don't want to embed Clarity Connect Javascript into your PCI-DSS payment page (as companies do) https://t.co/7aJYl2rOHd pic.twitter.com/MLLx9PgYNl
— kevin (@GossiTheDog) July 10, 2018
But we also have good defences against these things going wrong. For example, John and I talk about content security policies and subresource integrity, both free and easily accessible browser constructs that stop attacks like this dead. CSP in particular could have not only stopped that attack but actually alerted Ticketmaster to it as soon as it began. There's a whole heap more beyond that, of course, and it's all baked into one of those very conversational "play by plays", so it's easy watching and only just over an hour long.
Defending Against JavaScript Keylogger Attacks on Payment Card Information is now live!