“PayPal is warning users that they are better off using an alternative if they want to avoid fraud,” Julio Franco reports for TechSpot.
“Now, this doesn’t necessarily mean Safari is a bad option, not even an insecure browser, but in the eyes of PayPal it is lacking two important anti-phishing security features that ‘Internet Explorer 7 or 8 when it comes out, Firefox 2 or Firefox 3, and indeed Opera’ already pack in. The two features mentioned by Michael Barrett, PayPal’s chief information security officer, are a built-in phishing filter and an anti-phishing technology, called Extended Validation certificates,” Franco reports.
“PayPal happens to be in a very unique position for making an educated assessment regarding web security, but we don’t see either of those two technologies making miracles for saving users from fraudsters,” Franco reports. “At the end of the day, there is no better anti-phishing filter than yourself, being aware that scammers are out there and they are trying to get you.”
Full article here.
[Thanks to MacDailyNews Reader “Ampar” for the heads up.]
You can avoid phishing attacks by pointing your DNS to openDNS. I really don’t think that it is fair to say a browser is unsecure because it doesn’t offer phishing protection.
I just love it when people say “very unique.” End of their credibility.
I always advise Mac users not to use PayPal.
Regardless of “what you could do” this could be a serious issue for newbies to the Mac. This should be addressed in the next release of Safari ASAP.
Sigh, I hate the antiphishing filter in IE; it takes so bloody long to antiphish. Good thing I don’t have to worry about it on my Mac. Besides, not like I surf stupidly anyway, so I’m not worried at all.
Looks like I won’t be using PayPal anymore, as if I did. If this really becomes an issue I trust Apple will take the necessary measures to make Safari as secure as it needs to be.
Yes, Safari doesn’t have anti-phishing filters and that is why I use it. The only anti-phishing filter that works is the user. Everyone wants to create software to protect the user from the user’s own stupidity.
I say let the stupid learn the hard way, it’s called tough love. The ones that never learn the lessons, they really should be using the internet in the first place or their banks and credit card companies should just not let them have access to their account information or even access to spend anything on-line at all.
Is using my brain an option or a requirement?
An anti-phishing filter should be something very similar to the pop-up blocker on Safari. Shift-Cmd-K toggles it on or off when needed. Clearly, Apple can make a very smooth and elegant solution to this, which would be intuitive and unobtrusive to users, and provide the type of safety blanket that ignorant users (and with expanding Mac user base, greater and greater numbers of them) need very much.
Telling us to point our DNS to openDNS is redundant. Those of us who are skilled enough to actually do it (practically everyone reading MDN) will never fall for a phishing lure.
On that subject, I must say, I always click on those phishing links. Out of curiosity, I go to the root of the web server masquerading as a bank, eBay, PayPal, etc. Oftentimes, it is an unsuspecting website for crocheting patterns, or some Guatemalan hiking, or some small, semi-amateur work where the password was hacked and a phisher’s site uploaded. I usually try to notify the site owner that they had been hacked. It doesn’t help much, though, since these phishing sites need no more than two days to stay up to collect what they’re looking for.
Anyway, back on the subject; next rev of Safari will have to have a phishing filter.
I’m a Mac user and I depend on PayPal for my income. There has never been a more-frustrating experience! But it is very difficult or impossible these days for a webmaster based outside the US, to get an account with a payment gateway. I’m trying very hard to set up an opposition company that will take its customers seriously and provide a professional service but potential investors don’t understand the situation and are unwilling to commit. So far! In the meantime, I recommend no one take seriously anything that PayPal says.
My web browsing feels a bit faster with a switch to OpenDNS.
Thanks for the link and info Dutch, nice one.
http://www.aboutpaypal.org/
http://www.paypalsucks.com/
“Is using my brain an option or a requirement?”
That depends on whether you are vertical or horizontal.
I don’t even use Paypal anymore.
I keep getting spam claiming it’s from PayPal.
It’s just not worth the risk … not sure what’s legit anymore.
What a load of crap… the Extended Validation certificates don’t protect from phishing if the underlying site happens to be vulnerable… see this big story on the subject.
EV Certificates and XSS considered harmful!
The average user of a Mac is not like people here. They usually don’t know their way around a computer.
Firefox is a much better browser anyhow.
Are they nuts?
It’s anti-phishing… it requires a brain, not software with alerts.
And plus, the iPhone is slowly conquering the world… no ebay or paypal on iPhone… it’s their loss
Wouldn’t the easiest way for Safari users, and Mac users, to avoid this be to avoid using PayPal altogether?
I keep getting spam/bullshit emails on my MacMail account. I’ve NEVER visited PayPal EVER.
Avoid PayPal like the plague! They will eventually freeze your account, take your funds, and make it near impossible to get your money back. Don’t give them access to your bank accounts either! It is a criminal organization.
Notice to PayPal: I have a better solution; I will not use PayPal.
Smart users check for the SSL/padlock symbol, follow anti-phishing practices, use their own links to bank sites, etc.
For those interested, PithHelmet has an option to check host spoofing on Safari.
I’ve read that PayPal owns the company that issues the EV Certs. Very self-serving announcement about Safari. Looks like their form of coercion: “We’re going to issue scary press releases about Safari, Apple, until you pay us some dough for one of certifications.”
Don’t answer the fricken emails you get asking for your password.
I use Paypal all the time and have never had one problem. I do get those phishing emails and just report them to “Spoof@paypal.com”.
Am I missing something? Isn’t it just about engaging the brain a bit?
So many people here on their high horse! Solutions like “Don’t use PayPal!” or, “Never click on links” are obviously never going to work. PayPal is the most popular money transfer site in the world for a good reason. They are cheap (as in: free for most users), they allow you what no other service does (instantly send money between two persons without highway robbery-type charges like Western Union or MoneyGram) and have presence in about 140 countries (out of 192 official UN members). You may choose not to use it, but there is a huge number of people who do and will continue.
Same goes for people who don’t know what phishing is. If you have never heard of it, you can easily fall for the lure. While EV certification may be dubious, Apple can easily implement their own filtering solution and build it in. They should.
As for iPhone, PayPal works on it (as well as eBay). As a matter of fact, PayPal has a mobile site that works even with crappy WAP browsers on all other cellphones.
The last time I used Paypal Safari wouldn’t work anyway so I had no choice but to use Firefox to complete the transaction. As the default browser on Macs, Apple needs to be much more active at keeping it up to date. The folks at Mozilla are doing a great job with Firefox, why can’t Apple keep up with Safari?