[aioprisan]

I remember seeing these same concerns with the Stripe button. Edit: found the old discussion link: https://news.ycombinator.com/item?id=5079702&mobify=0

[talos]

When I've used Stripe payment before, I remember just entering my credit card info. I can do this anywhere, regardless of how it's branded.

If someone malicious gets my credit card info, I have a lot of ways to defend myself. Someone malicious getting my PayPal login info could be much, much more dangerous, and I'd have considerably less protection. Essentially we're talking about leaking login info here -- that's very different than credit card info.

[pc]

This phishing concern is part of why we decided to use one-time SMS tokens with Checkout -- there's no password to steal.

[talos]

That's good to know -- thanks for clarifying that this is a real security concern.