
OnePlus got pwned, exposed up to 40,000 users to credit card fraud - anaxag0ras
https://arstechnica.com/gadgets/2018/01/oneplus-got-pwned-exposed-up-to-40000-users-to-credit-card-fraud/
======
joshmn
Credit card fraud expert here:

This happens way more often than you think, particularly with sites that
aren't known to you and me. It's entirely trivial to do, very effective, and
maintenance is next to nothing — but you already know that. As companies continue
to choose Stripe/Braintree/etc. and maintain PCI compliance with their
payment processor, keyloggers are being deployed less and less.

What is needed is a browser extension that checks all requests which contain a
param/form data that is 16 digits long and starts with 4/5/6 or 15 digits long
and starts with 3. Is such a thing foolproof? No, it's not. But it'd be a
starting point. Maybe add a listener to any inputs that contain such a val to
see if anything's hooking into it. Need to whitelist it for ancient
processors? Okay, prompt the user.
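
The check described in the comment above, sketched as the decision function such an extension could run on each outgoing request body. This is an added example, not part of joshmn's comment or of any real extension; the Luhn checksum filter, the function names and the `.example` hosts are assumptions added here, while the card-number shape is the one from the comment.

```javascript
// Added example: the comment's heuristic plus a Luhn check (the Luhn step is an assumption).
const CARD_SHAPE = /^(?:[456]\d{15}|3\d{14})$/; // 16 digits starting 4/5/6, or 15 starting 3

function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; } // double every second digit from the right
    sum += d;
  }
  return sum % 10 === 0;
}

// Flatten a form-encoded or JSON body into [fieldName, value] pairs.
function bodyFields(body, contentType) {
  if (/json/i.test(contentType)) {
    const out = [];
    const walk = (node, path) => {
      if (node !== null && typeof node === "object") {
        for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
      } else {
        out.push([path, String(node)]);
      }
    };
    try { walk(JSON.parse(body), ""); } catch { return []; }
    return out;
  }
  return [...new URLSearchParams(body)];
}

// Returns the names of fields whose value looks like a card number; never the number itself.
function cardLikeFields(body, contentType) {
  return bodyFields(body, contentType)
    .map(([name, value]) => [name, value.replace(/[\s-]/g, "")]) // tolerate "4111 1111 ..." grouping
    .filter(([, v]) => CARD_SHAPE.test(v) && luhnValid(v))
    .map(([name]) => name);
}

// Allow the request, or prompt the user when card-like data goes to a host not on the allowlist.
function checkRequest(req, allowedHosts) {
  const fields = cardLikeFields(req.body, req.contentType);
  const host = new URL(req.url).hostname;
  if (fields.length === 0 || allowedHosts.has(host)) return { action: "allow", fields };
  return { action: "prompt", host, fields };
}

// Constructed sample request (well-known test card number, hypothetical hosts).
const SAMPLE = { url: "https://stats.example/c", contentType: "application/x-www-form-urlencoded", body: "n=A&cc=4111+1111+1111+1111" };
console.log(checkRequest(SAMPLE, new Set(["payments.example"])));
```

The Luhn filter drops most 15- and 16-digit values that are not card numbers, such as order or tracking IDs, which the length-and-prefix rule alone would flag.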

------
xattt
I wonder if this number correlated to how many OnePlus customers there have
been in total.

