Defending Against JavaScript Keylogger Attacks on Payment Card Information
By Troy Hunt and John Elliott
Course info
Description
In this course, Defending Against JavaScript Keylogger Attacks on Payment Card Information, John Elliott and Troy Hunt discuss the most common attack used to steal payment card data and how to defend against it. Learn how security people think about a problem, why criminals attack, how their tools and techniques work, and how you have to adapt as defenders. By the end of this course, you'll have a better understanding of the NIST model, why thinking about detection is equally important, and how to respond and recover.
Section Introduction Transcripts
Course Overview
(Music playing) Hello, my name is John Elliott, and I'm a data protection specialist with a particular interest in protecting payment card data. I was Visa Europe's representative on the Payment Card Industry Security Standards Council, which means I contributed to many of the PCI standards, including PCI DSS. And I'm Troy Hunt. I'm an author of many different Pluralsight courses about how to protect yourself online. And, of course, protecting yourself online applies to all sorts of different web applications, but particularly those that lead through to payment processing. When Troy visited London recently, we had a chat about the modern ways that criminals steal cardholder data by using JavaScript executing in the customer's browser to read and steal card data from form fields. We discussed how the attack works and how people could protect their organization's web applications. We actually have some fantastic native implementations within browsers that can be used for protecting web applications collecting any sorts of data, not just payment-related information. So, for example, we have Content Security Policies, CSPs, and Subresource Integrity, or SRI. Following the NIST cyber security framework, we also brainstormed ways you could detect the attack, how to respond, and what you would need to do to recover normal operations. This course is based on real-world experience, and we'll be looking at some important industry precedents that highlight just how serious this issue is and how important it is to get the defenses right. Everything we talk about applies to protecting all web forms, not just ones that collect payment data, so I do hope you'll join us as we discuss ways of defending against JavaScript keylogger attacks on payment card information.