It sounds like someone got ahold of a 6-year-old copy of Google’s risk register. Based on my reading of the article it sounds like Google has a robust process for identifying, prioritizing, and resolving risks that are identified internally. This is not only necessary for an organization their size, but is also indicative of a risk culture that incentivizes self-reporting risks.
In contrast, I’d point to an organization like Boeing, which has recently been shown to have provided incentives to the opposite effect - prioritizing throughput over safety.
If the author had found a number of issues that were identified 6+ years ago and were still shown to be persistent within the environment, that might be some cause for alarm. But, per the reporting, it seems that when a bug, misconfiguration, or other type of risk is identified internally, Google takes steps to resolve the issue, and does so at a pace commensurate with the level of risk that the issue creates for the business.
Bottom line, while I have no doubt that the author of this article was well-intentioned, their lack of experience in information security / risk management seems obvious, and ultimately this article poses a number of questions that are shown to have innocuous answers.
Everything is transient and eventually becomes shitty, sure, but I generally trust them because they’re able to make money just from people using the service. I don’t know how profitable they are, but I am reasonably certain that as the card issuer they get a cut of every transaction. Given that they aren’t issuing physical cards and have no obvious costs other than maintaining their platform, I don’t see a reason not to trust them in the medium term.
I’ve generally had good experiences with Privacy.com. It seems like a decent solution when I want something from a semi-reputable website.
I particularly enjoy the bit where cards are vendor-locked, which has been interesting to observe in a couple of instances where a site seems to have had their credit card db breached and the attackers turn around and try to use the card on another site, where it is inevitably denied, but I still get an email that shows which site got hacked and where the attackers were trying to use the information.
Thank you?