This happens way more often than you think, particularly with sites that aren't known to you and me. It's entirely trivial to do, very effective, and maintenance next to nothing — but you already know that. As companies continue to choose Stripe/Braintree/etc. and maintain PCI compliance with their payment processor, keyloggers are being deployed less and less.
What is needed is a browser extension that checks all requests which contain a param/form data that is 16 digits long and starts with 4/5/6 or 15 digits long and starts with 3. Is such a thing fool-proof? No, it's not. But it'd be a starting point. Maybe add a listener to any inputs that contain such a val to see if anything's hooking into it. Need to whitelist it for ancient processors? Okay, prompt the user.
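The request check proposed in the comment above, as an added example that is not the commenter's code: it flags query-string or body values with the 16-digit (4/5/6) or 15-digit (3) shape unless the destination host is on a user-approved list. The Luhn checksum, the `allowedHosts` set, the function names and the sample request are assumptions added here.

```javascript
// Shape from the comment: 16 digits starting 4/5/6, or 15 digits starting 3.
const CARD_RE = /^(?:[456]\d{15}|3\d{14})$/;

// Luhn checksum (added here, not in the comment) to drop ids and timestamps.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

function looksLikeCard(value) {
  // Card fields often carry spaces or dashes between groups; strip them first.
  const digits = String(value).replace(/[\s-]/g, "");
  return CARD_RE.test(digits) && luhnValid(digits);
}

// Gather name/value pairs from the query string and a JSON or urlencoded body.
function extractParams(url, body) {
  const pairs = [...new URL(url).searchParams.entries()];
  if (!body) return pairs;
  const walk = (obj, prefix) => {
    for (const [k, v] of Object.entries(obj)) {
      if (v && typeof v === "object") walk(v, prefix + k + ".");
      else pairs.push([prefix + k, v]);
    }
  };
  try {
    const parsed = JSON.parse(body);
    if (parsed && typeof parsed === "object") walk(parsed, "");
    else pairs.push(["(body)", parsed]);
  } catch {
    pairs.push(...new URLSearchParams(body).entries());
  }
  return pairs;
}

// allowedHosts (hypothetical) holds processors the user has already approved.
function inspectRequest({ url, body }, allowedHosts = new Set()) {
  const host = new URL(url).hostname;
  const fields = extractParams(url, body).filter(([, v]) => looksLikeCard(v)).map(([k]) => k);
  const action = fields.length && !allowedHosts.has(host) ? "prompt" : "allow";
  return { action, host, fields };
}

// Constructed sample: a card value posted to a host the user never approved.
const SAMPLE = { url: "https://collector.example/c", body: "cc=4111+1111+1111+1111" };
```

In an extension, `inspectRequest` would be fed from whatever request-observation hook the browser exposes; request bodies that are encrypted or encoded before sending will not match, which is the "not fool-proof" case the comment concedes.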