
Have you taken note of this possible vulnerability? You guys need to be more careful about security. You may only get one shot at this, if you get bad PR this early by getting hacked.

http://www.reddit.com/r/Bitcoin/comments/14c7q0/coinbase_lau...



This is another case of convenience vs. security.

The Stripe button poses a similar problem, even if credit card number and cvc are arguably not as bad as actual login data.

But it is much easier to create a frictionless user experience if you do not have to redirect people to somewhere outside your site.

I recently implemented Paymill payments and also there the only assurance for the customers is the 3D-Secure iFrame, if their credit card is 3D-Secure enabled ...


> But it is much easier to create a frictionless user experience if you do not have to redirect people to somewhere outside your site.

Under this model, how do you train ordinary users to avoid phishing?


Beats me.

Of course the situation is unsatisfactory. But I like the 3D-Secure approach.

Unfortunately the implementation is card provider specific and quality varies.

I had a VISA once where I could enter a custom phrase that was displayed to me on every "verified by VISA" dialog.

Combined with displaying the dialogue in an iframe, this practice seems to strike the best balance between usability and security.

Of course Coinbase would have to implement something like this by themselves, but that seems feasible.


Good advice.

But I can't help but ask, this isn't THE MtGox providing this info, is it? :P



