Disturbed by @DonorBox-powered UI's interaction with Web's security model: it asks for bank login/password on origin that's not the bank's.

Aug 17, 2017 · 10:01 PM UTC

And to add a little more context, the problematic UI looks like this:
Security that bad almost led me not to give money to the organization I was donating to (@yimbyaction), but I chose CC option instead.
PCI compliant doesn't mean they're not training users to do things that they should never do if they want to be safe on the Web.
Wanting criminals to not have your online banking username+password doesn't seem like "extreme security".
The criminal could be someone who sets up a site similar to yours, using something that looks like @DonorBox, but steals the password
It could also be somebody who hacks the @yimbyaction website, since users entering bank passwords into that site makes it a valuable target
I was originally trying to take it up with @DonorBox since the bad UI in question has their branding. Could be Plaid, though.