Some check is definitely needed, but in this case “some” is the keyword. Storing sensitive data that could leak is extremely bad in my opinion. They secure themselves without providing anything in exchange. Some may say that the free tier is what they give, but this is only true in general.
Since this is an anti-spam method, they protect not against creating a single account, but against creating multiple accounts. If we scale the problem down to 1 account, it’s not a case anymore. Why scale down, you may ask? That’s simple. When creating an account, the customer does not think about other ones, about hungry children in Africa and so on …
However, when the data leaks, all affected accounts would cause huge problems. So to protect 1 company, x number of customers need to “pay” for that, and this part is unfair. On the other side, if a credit card were not sensitive data, so that it would not give an attacker anything after a leak, the deal would be right.
That’s just the tip of the iceberg. The world would be much better if we limited ourselves to the above cases. Unfortunately, unfair people have a much wider range of possibilities that normal customers at least do not use, if they know of them at all. So let’s see an extreme edge case by example …
When hearing about scam companies in the news, we often hear of a scenario in which somebody pays a small amount of money to homeless people and they in exchange do some illegal things. If a homeless person can have a company (with some good, possibly fake, profits at the start), then they also need to have a bank account and later maybe they could have credit. What stops the attackers from simply doing the same for credit cards?
So here we do not have an anti-spam method, but a spam-limiting method. How much does it limit attackers? It depends on whether the attacker is a single person or a member of a bigger group. People living in extreme poverty, who “could die for a few cents”, number in the huge millions. Now what? Block credit cards from India because they have slums?
So the deal is that services storing credit card numbers (talking in general, no bad feeling for Fly.io) protect themselves from, let’s call them … “teen scammers”, and we take the risk in case those data leak, giving another (possibly easier) area for attackers. So in practice every single customer in most cases simply takes all the risk on themselves.
I’m not saying this solution is only bad, but it’s like adding a huge amount of antibiotics to animal feed. In the short term it’s a good thing, protecting people from lots of diseases. However, in the long term it leads to creating super bacteria that are resistant to all antibiotics.
I am part of that power which eternally wills good and eternally works evil.
So I don’t want to force people to use this method or not, but to say that both sides are wrong and we should focus on creating an alternative rather than wasting time on biased criticism. If you worry about security, you do not need to use it. If you want to help, give an alternative that is worthwhile for all sides.
Hope it helps, cheers!