Hacker News
by jessedhillon 3889 days ago
That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.

The last four digits are still plenty sensitive enough to make serving them over http blatantly irresponsible.
It's not just that - it allows you to update your credit card over unencrypted http.