Credit Card Info visible in Mac and iOS

bacongonzo
bacongonzo
Community Member

I'm curious why my CC info is shown in completely visible on both the Mac App and the iOS app. When I click into the "Credit Cards" section the middle digits are *ed out. But when I click into a specific card it's completely shown.

So couple questions:
1) Why the inconsistency?
2) Why make the CC number visible at all?

  • Jeff

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • bacongonzo
    bacongonzo
    Community Member

    Oh and I'll add the "verification number" IS NOT visible. It seems odd that the middle 8 digits of my CC info are visible but the 3-4 digits of my verification number are not visible.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @bacongonzo! Welcome to the forum!

    When you click on a specific credit card, we assume that you want to look at that credit card, including the full credit card number.

    This is what happens on most website by the way: when you fill in your credit card details, the credit card number is shown. Your verification number, on the other hand, is a secret, so that will be hidden by default.

  • bacongonzo
    bacongonzo
    Community Member

    Thanks!

    Interesting thought process. I’ll argue that on most websites when I see the CC number again (if it’s stored on that site) it is *ed out. That seems like a better corrolary than mimicking the behavior on the filling side.

    I’d feel a little less exposed if the CC we’re handled like passwords: *ed out but with a click of a button copied or revealed. Can you go into why it’s not handled this way? Is there a downside?

  • ag_ana
    ag_ana
    1Password Alumni

    @bacongonzo:

    Interesting thought process. I’ll argue that on most websites when I see the CC number again (if it’s stored on that site) it is *ed out.

    It is not masked when you are filling credit card information on a website though, which is what 1Password is for ;)

    I’d feel a little less exposed if the CC we’re handled like passwords: *ed out but with a click of a button copied or revealed. Can you go into why it’s not handled this way?

    A credit card is not handled by default like a password because it's not technically a password. If you feel more comfortable handling it like a password, you can certainly not use the default credit card number field, and instead enter your card number in a custom password field. This would probably break filling of your credit card information when you checkout on a website, but if you are more concerned of hiding your card details within 1Password too, perhaps this won't be something that will bother you.

    I should probably ask though: what is your thought process behind this? What is the threat you are afraid of exactly?

  • CoreyCorey
    CoreyCorey
    Community Member
    edited January 2020

    @ag_ana

    When you click on a specific credit card, we assume that you want to look at that credit card, including the full credit card number.

    I also disagree with this assumption; that is a minority of my use cases.

    This is what happens on most website by the way: when you fill in your credit card details, the credit card number is shown

    This is not the case on all websites. Some websites are more responsible and mask the digits.

    It is not masked when you are filling credit card information on a website though, which is what 1Password is for

    But it is when you no longer need to see it, which is what I think 1Password should consider.

    1Password is for storing sensitive information, making it accessible to us in a responsible manner, helping to share that sensitive info with the people we choose, etc.; I don't think you should pigeonhole it into "filling in passwords."

    Your verification number, on the other hand, is a secret, so that will be hidden by default.

    This is not needed to use a credit card number on many websites. For example, there's an option to ignore the CVV validation for all Stripe vendors.

    If you feel more comfortable handling it like a password, you can certainly not use the default credit card number field, and instead enter your card number in a custom password field. This would probably break filling of your credit card information when you checkout on a website

    I thought about doing this, but like you said, then it may not function as intended when using it to auto fill.

    what is your thought process behind this? What is the threat you are afraid of exactly?

    I created a thread for this feature on the Windows app where I explained my reasons: https://discussions.agilebits.com/discussion/110518/suggestion-conceal-credit-card-numbers-when-viewing-the-card-details/

    Here's the relevant bit:

    I feel uncomfortable when any sensitive information is exposed on my computer screen when I am in public (Starbucks, airport, etc.), in the office, etc. because anyone nearby can see it, take a picture, etc.

  • Thanks for the feedback on the situation @CoreyCorey. :)

    Ben

  • CoreyCorey
    CoreyCorey
    Community Member
    edited January 2020

    My pleasure.

    My suggestion is to modify the "View" menu options to either:

    1. Add "credit card numbers" to the existing "Conceal passwords" option as such: "Conceal passwords and credit card numbers"
      - or -
    2. Keep "Conceal passwords" unchanged and add a new option: "Conceal credit card numbers" (it could even be unchecked/disabled by default)

    These are simple on/off switches.

    That would satisfy everyone's use case, including the reason you explained that you haven't hidden them yet.

    Thanks for considering!

    P.S. My suggestion is for 1Password for Windows, but I assume things (View menu, etc.) are similar on the other apps. As @greg explained, if this change was made, it'd be made across all apps, which is ideal.

  • Indeed. Going forward we're making a concerted effort to be consistent across platforms. It isn't an easy goal, when building native apps, but thing like this would seemingly fall into the realm of needing consistency. Unfortunately that does mean that things such as this will take longer to implement, as they require coordination across multiple teams. I can't make any promises, but I do understand where you're coming from, and hope this will be something we can address in the future.

    Ben

This discussion has been closed.