What are some current threats to your credit card information?

Attackers like Magecart have stolen millions of credit card numbers. These attacks primarily focus on hacking first- or third-party JavaScript and adding a call to send your data to another domain. These attacks are particularly dangerous because Magecart will buy domains that, at first glance, look like legitimate vendor domains, but are actually owned by Magecart. For example, when Newegg was breached, the false domain was neweggstats.com, which seems like it could be a first-party domain.

What are websites doing to protect your credit card data?

Website owners do take steps to protect your credit card information. Each time they lose consumer data, the company risks losing consumer loyalty and trust, as well as being subject to large fines. Content Security Policies (CSP, for short) offer a specific response to these kinds of attacks. A CSP tells the browser to block any network request to a domain that is not specifically listed within the CSP. This means that, even if the site does get hacked, the data cannot be sent back to the hacker’s domain, and thus the credit card information is safe.

Are CSPs foolproof? Am I safe if the website has one?

In the example above, it would be all too easy for someone at Newegg to approve neweggstats.com in the CSP. In that case, the site would have a CSP in place, but the policy would still let the data through to neweggstats.com, since that domain had been explicitly approved. For large websites with dozens or hundreds of domains, verifying each domain and performing a WHOIS lookup on every single one can be quite tedious.
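
One way to narrow down which entries need that manual check, as an added example that is not from the original article: the script parses a policy and flags allowed hosts that contain the brand name but do not sit under a domain the site owner controls. The policy string, the first-party and vetted lists (including `payments.example`) and all function names are constructed assumptions.

```python
FIRST_PARTY = {"newegg.com"}    # assumption: domains the site owner controls
VETTED = {"payments.example"}   # constructed: vendor already verified (e.g. by WHOIS)
BRAND = "newegg"                # brand string a lookalike domain would imitate
SAMPLE_CSP = (                  # constructed sample policy, not a real site's header
    "default-src 'self'; "
    "script-src 'self' https://cdn.newegg.com https://neweggstats.com; "
    "connect-src 'self' https://api.newegg.com https://neweggstats.com "
    "https://checkout.payments.example"
)

def parse_csp(policy):
    """Split a policy into {directive: [sources]}; the first copy of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def host_of(source):
    """Return the host of a host-source, or None for keywords, nonces, hashes, schemes."""
    if source.startswith("'") or source.endswith(":"):
        return None
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower().removeprefix("*.")

def belongs_to(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(host):
    if host == "*":
        return "wildcard"
    for label, domains in (("first-party", FIRST_PARTY), ("vetted", VETTED)):
        if belongs_to(host, domains):
            return label
    return "lookalike" if BRAND in host else "unvetted"

def audit(policy):
    """Map each allowed host needing review to (verdict, [directives allowing it])."""
    findings = {}
    for directive, sources in parse_csp(policy).items():
        for host in filter(None, map(host_of, sources)):
            verdict = classify(host)
            if verdict not in ("first-party", "vetted"):
                findings.setdefault(host, (verdict, []))[1].append(directive)
    return findings

if __name__ == "__main__":
    for host, (verdict, where) in audit(SAMPLE_CSP).items():
        print(f"{host}: {verdict}, allowed by {', '.join(where)}")
```

A "lookalike" verdict is a prompt to do the WHOIS check on that entry, not proof that the domain is hostile.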

Why should I bother protecting my information?

Unfortunately, not all websites will add a CSP or take other steps to prevent your information from being stolen. Even if a site does have a CSP in place, each domain has to be carefully vetted and approved. Security measures are gaining in popularity now that some notable brands have fallen victim, but you should not depend solely on the company to safeguard your information.

How can you limit the harm done by a credit card hack?

Shopping online does come with some inherent risks of data loss. However, there are some companies that can help you mitigate the fallout if your information is stolen. Privacy, for example, allows you to create a new credit card for each online vendor. If the credit card number is used on any other website, the card will be declined and the purchase will be denied. You can also set a cap or maximum dollar amount for any single purchase on that vendor’s website, so you can limit fraudulent purchases over a certain amount. These two features provide a strong defence against credit card data breaches, since the credit card number cannot be used anywhere else even if it is stolen.