This is why 100% of the time I use "virtual credit cards" linked to my actual credit card numbers. NO online site ever sees my REAL number, no exceptions.
Nasty. When I see articles like this it makes me glad I don't do online financial stuff. What are they and how do they work?
https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go MasterCard also has the equivalent feature.
Excerpt from the Threatpost article: "When a checkout form is detected, the script tag injects the keylogger JavaScript from an external domain." Would not, for example, IE11 detect this via its "access data sources across domains" validation, which is disallowed by default at the medium-high security level?
I have no idea, I wonder if this type of stuff is detectable at all for endpoint security tools. I'm afraid only server based security tools can stop this.
Not at all. It's true that a strict CSP can stop this but most sites don't do that. But that doesn't mean that you cannot protect yourself against such threats: Running uBlock Origin in medium mode (with all 3rd-party scripts and frames blocked) should be sufficient.
I don't know if AdGuard can block 3rd party scripts and similar. AFAIK it only blocks ads, trackers and popups.
I carry a credit card from my bank. When I want to shop online I log into my bank and generate a "virtual card", which appears exactly as a real card to the merchant. My bank generates a new number, expiration, security code on back, etc. For all practical purposes it IS a real card, which is linked to my ACTUAL card. When merchant X uses the virtual number as a credit card to complete the transaction, their merchant number then is the ONLY merchant # that can process a charge to that number. I control the spending limit, so if I am buying something for 50 bucks I might generate a card with a 60 limit and I am not exposed to a 25K limit as on my real card. As soon as the transaction completes I generally log in to my bank in a day anyway, and while I am there I blow away the virtual number. I can have as many virtual cards as I want. No merchant ever can know my real account number. It's easy!
So you're saying that blocking third party scripts and frames is enough to mitigate this? The only problem is that this will often break sites. That's why I started using Ghostery because it only blocks third party scripts related to ads.
I'm trying to say that blocking all third party scripts is not a viable solution for me, because it will break sites, while Ghostery does not.
Yes, but that means that Ghostery doesn't necessarily protect you against all malicious 3rd-party scripts. Besides, it's easy to allow (and save till eternity) what's needed and trustworthy in the local column of Dynamic Filtering in uB0 for sites you frequently visit. The same is true for those ecommerce sites: Even if you allow 3rd-party scripts on all other sites, you can block all 3rd-party stuff on those sites where you want to use your credit card and allow only selectively what's needed to make them work. That's the beauty of site-specific permissions: Its introduction to uBlock0 is the best innovation since the invention of sliced bread.
I never said that. The point is that I don't want to micro manage rules per site. BTW, I found this article: https://gwillem.gitlab.io/2016/10/11/5900-online-stores-found-skimming/
Well, your original statement was that only server-based tools would protect against that threat. I said that uB0 can also protect you - but some micro-management would be necessary. Security is not a free lunch (as Milton Friedman would have put it). And again: As mentioned in my last post, it is not necessary to do this micro-management on all websites if you don't want it. Rather, you can use uB0 with its default settings (i.e. only static filtering is applied). I suggested using Dynamic Filtering on specific sites only where you use your credit card. How many such sites are you using? A handful? Applying dynamic filter rules for 5 or 6 or perhaps 10 sites only and saving your decisions with the padlock once and forever - is that really so problematic and inconvenient?
I will have to check this out, and see what happens. It must not break anything of course. In the past I did block all third party scripts, mainly to gain speed, but I got tired of having to allow scripts, so that's why I decided to block only third party scripts related to ads. But just to be clear, you're saying that the manipulated content on hijacked sites will 100% not be visible when you block third party scripts and frames, correct?
Well, that's what that threatpost.com article says: So blocking those 3rd-party scripts will definitely stop these attacks. I would blacklist 3rd-party scripts and 3rd-party frames on those few sites in the local column of Dynamic Filtering and (not allow but) noop only the necessary domains (if at all) after a diligent inspection. And save that with the padlock once all is well. This doesn't take long for only a couple of sites.
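The per-site policy described in the post above (block third-party scripts and frames, then noop only the domains a checkout page needs), modelled as an added Python example that is not from the thread or from uBlock Origin's code. The page URL, HTML and host names are constructed, and comparing the last two host labels is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed checkout page (not from the thread): two first-party scripts,
# one script from an unrelated external host, and one payment frame.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="//stats.unknown-host.test/collect.js"></script>
</head><body>
<iframe src="https://pay.processor.example/form"></iframe>
<script>var inline = 1;</script>
</body></html>
"""

def site_of(host):
    # Assumption: the last two labels stand in for the registrable domain.
    # Real blockers use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LoadCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        # Inline scripts have no src and are not network loads, so skip them.
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.found.append((tag, src))

def audit(page_url, html, noop_sites=()):
    """Return (tag, host, verdict) per load: '1p', 'noop' or 'block'."""
    page_site = site_of(urlsplit(page_url).hostname)
    collector = LoadCollector()
    collector.feed(html)
    results = []
    for tag, src in collector.found:
        host = urlsplit(urljoin(page_url, src)).hostname or ""
        site = site_of(host)
        if site == page_site:
            verdict = "1p"      # same site as the page: not third-party
        elif site in noop_sites:
            verdict = "noop"    # reviewed and exempted from the blanket block
        else:
            verdict = "block"   # unreviewed third-party script or frame
        results.append((tag, host, verdict))
    return results
```

Running `audit(PAGE_URL, SAMPLE_HTML, noop_sites={"processor.example"})` lists which loads on the page would need a reviewed exemption and which would be stopped by the blanket third-party block.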
Appears AdGuard must use another form of page checks besides the hash of a blacklist. "If you are using Adguard for Windows, then in addition to the page itself, we check each object loaded on it, giving you the best protection." https://adguard.com/en/how-malware-blocked.html