A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this:
- BA had third-party JavaScript on its payment page.
- The third party's site was hacked, and the script was changed.
- BA's customers' browsers ran the altered script, which harvested their card details as they were typed in.
This should have been a wake-up call to the industry. Don't load unauthenticated code on your website - and especially not on your payments page.
If you absolutely have to load someone else's code, check to see if it has been altered. This is done using
... read the whole story at shkspr.mobi.