What happened
1 It was the first transaction on my BMO credit card (a new card from BMO bank), made on a sportswear website;
2 After 1 hour I got an alert phone call from BMO: a $2000 online shopping transaction on my credit card was marked suspicious, BMO blocked the transaction and froze my credit card.
What’s wrong
Scenario 1: A persistent cross-site scripting (XSS) attack is present on the shopping website.
How:
1 When I entered my credit card information and CVV code, the XSS code forwarded my credit card information to the attacker. They then used my information to make a $2000 online transaction.
2 BMO's bank system detected the suspicious transaction and blocked it.
Scenario 2: An insider at the sportswear company fraudulently used my credit card information
How:
1 When the shopping website recorded my credit card information, its poorly developed online transaction code stored my card details.
2 An insider fraudulently used my card information and was blocked by BMO's online security system.
Deep analysis
1 Why not a man-in-the-middle attack?
The online transaction is transmitted over HTTPS, so a man-in-the-middle attack is not a plausible scenario.
2 Why are there only two possibilities?
It was the first time this credit card had been used.
3 How does PCI-DSS regulate online transaction security?
Don't store credit card information unless necessary, and never store the CVV code.
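Worked example of the PCI-DSS rule above, as added code that is not from the original post: a checkout handler that passes the CVV only in the one-time authorization request, stores a token plus the last four digits instead of the full card number, and redacts PAN-like strings before they reach application logs. Function names, the token format and the HMAC key are assumptions.

```python
import hashlib
import hmac
import re
from typing import Tuple

# Constructed demo key for tokenization; in practice it lives in a vault or HSM.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# 13 to 19 consecutive digits is the shape of a card number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects typos before anything is sent out."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Keyed, non-reversible reference to the PAN (assumed token format)."""
    return "tok_" + hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:24]


def process_checkout(form: dict) -> Tuple[dict, dict]:
    """Split card input into what goes to the processor and what may be stored.

    The CVV travels only in the one-time authorization request and is never
    written to the stored record; the PAN is replaced by a token plus last four.
    """
    pan = re.sub(r"[\s-]", "", form["pan"])
    cvv = form["cvv"]
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid card number")
    if not (3 <= len(cvv) <= 4 and cvv.isdigit()):
        raise ValueError("invalid CVV")
    auth_request = {"pan": pan, "exp": form["exp"], "cvv": cvv, "amount": form["amount"]}
    stored_record = {"token": tokenize(pan), "last4": pan[-4:],
                     "exp": form["exp"], "amount": form["amount"]}
    return auth_request, stored_record


def redact_pans(line: str) -> str:
    """Mask everything but the last four digits of any PAN-like run in a log line."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], line)
```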
What I learned
1 Online transactions should be trusted minimally.
2 Use a third-party payment system such as PayPal instead of entering card information directly.
3 Anyone can be hacked, even if you are prudent about your online security.