Re: [w3c/webpayments-payment-apps-api] Users MUST be able to prevent the display of unregistered payment apps (#59) from Jeff Burdges on 2016-09-26 (public-webpayments-specs@w3.org from September 2016)

From: Jeff Burdges <notifications@github.com>
Date: Mon, 26 Sep 2016 16:43:14 -0700
To: w3c/webpayments-payment-apps-api <webpayments-payment-apps-api@noreply.github.com>
Message-ID: <w3c/webpayments-payment-apps-api/issues/59/249729157@github.com>

Agreed in principle.  :)  I haven't completely understood your choice of the word "notified" here though.  

It's clearly bad if a user can be tricked into invoking a payment app, like say by only offering that app.  In that case, a fraudulent website can harvest financial account details by requiring a payment app that looks like one from some company the user trusts.  And the user think that payment app shields their financial account details from this unknown webste. 

Are you envisioning that users concerned about such attacks should block unknown payment apps?  I donno if that is strong enough really, probably you need payment app registration to be something moderately involved for all users. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/59#issuecomment-249729157

Received on Monday, 26 September 2016 23:44:17 UTC