In case anyone is worried, most (all?) browsers do not autofill credit card information without the user explicitly clicking into the credit card field so there's no chance of a hidden field stealing your CC information.
This requires the browser to recognize it as a credit card field.
Suppose a form uses a non-standard name for the field (say a localized name), and a user enters it at a legitimate site. Any attacker simply has to find these non-standard names for auto-complete to fill this in.
I feel like I've seen a credit card autofill before outside of normal controls.
It will if the attacker uses the same custom name for his field.
The attacker could try to suck as much data as possible by creating thousands of hidden fields having a lot of possible combinations for the names of these non-standard CC fields, and wait to get lucky.
Why would I even care about credit card information being stolen. My bank will reimburse that no questions asked. I am much more concerned about my personal information being leaked. CC fraud costs other people money, identity fraud is much more damaging to me.
For many people living paycheck to paycheck, someone cleaning out their bank account would be quite harmful. Yes, the banks will reimburse them but that could take up to a week if not more. In the meantime when your rent and utility checks bounce, you could be in an extremely uncomfortable position.
And even when clicking into the credit card field you still need to click a little popup that asks if you want to autofill.... at least that's how it works for me, I don't remember ever changing a setting on Chrome for this so I assume this is the default state. In fact it does something similar for my address information too. There must be some setting because I know my address autofill info is saved in Chrome but when I tried the demo I did not see my address info in the headers
Interesting use of CVV, since vendors aren't permitted to store it. But Chrome does, for you... is that synced across browsers? That would require Google to store the CVV on its servers...
My understanding was that Google doesn't store your CVV anywhere, which is why you need to enter it every time. When you do so, it attempts to charge you zero units of your preferred currency (or perhaps it gives you zero, not sure) and if the transaction succeeds it accepts the CVV as valid.
The CCV check Chrome does doesn't compare the entered CCV against anything stored at all. Instead, it charges a small amount to verify the credit card. See my comment below.
Your mileage my vary, but I'd be very surprised if it does.
To be clear, this is not from any Google purchase. That's what happens if I use my CC in Chrome on any site.
It also has to be noted that this implementation is pretty bad. On pre-paid CC (i.e. your CC payments are directly tied to your bank account - there is no CC bill), this will negatively impact your spending balance:
I might be an order of magnitude off here, but I believe there's only around 1 billion unique numbers per card once you take away check sum digits and look at how they are issued.
Assuming that's correct, it really wouldn't take up much memory or computing power to create a lookup table for every credit card number with hash x.
Chrome does autofill CC info based on just a name if you want. It does give the user a visual cue as to what might happen http://i.imgur.com/2bY2Pes.png
Suppose a form uses a non-standard name for the field (say a localized name), and a user enters it at a legitimate site. Any attacker simply has to find these non-standard names for auto-complete to fill this in.
I feel like I've seen a credit card autofill before outside of normal controls.