“PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection,” Ryan Naraine reports for eWeek.
“The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered ‘unsafe’ for financial transactions,” Naraine reports.
“‘In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,’ said PayPal Chief Information Security Officer Michael Barrett,” Naraine reports.
“In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a ‘significant set of [PayPal customers] who use very old and vulnerable browsers’ and made it clear that any browser that falls into the ‘unsafe’ category will be banned,” Naraine reports.
“Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of ‘unsafe browsers,’ but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates,” Naraine reports. “The EV SSL certificates are meant to provide trust to Web-based transactions. For example, if you use Microsoft’s IE 7 to visit a Web site secured with an EV SSL certificate, the URL address bar is displayed in green and offers the ability for the user to toggle between the organization name listed in the certificate and the issuing Certificate Authority.”
“Firefox and Opera have announced their intention to support EV SSL in upcoming releases,” Naraine reports. “Apple’s Safari browser, which is being aggressively pushed to Windows users, could conceivably be banned from accessing PayPal.com under the plan outlined by Barrett.”
Full article here.
[Thanks to MacDailyNews Reader “B-sabre” for the heads up.]
If you’re stupid enough to click on a “PayPal” link in an email, you must be a Windows user.
Q. How does blocking a browser from accessing PayPal’s legitimate site stop phishing?
A. It doesn’t.
PayPal just wants to teach everyone a lesson. Well, they just might get a costly one themselves instead.
This is all about Safari for Windows, not for Mac. Mac users have the Keychain. Safari’s AutoFill keys a saved username and password to the site it was saved on, so if you’re on a phishing site (a malevolent site at a different address, masquerading as a legitimate site in order to steal your valuable info), your Keychain will not complete or autofill your username/password info. Gee, there’s a pretty huge sign that something’s wrong already, huh?
Should Apple add EV SSL to Safari? Maybe, maybe not; regardless it’s really no substitute for users’ common sense. What’s next, anyway, XL SSL? XXL? SuperSized? Puleeze.
If you’re not an idiot, you don’t need a green URL to tell you that you’re secure: When you use a website that handles private or financial information, make sure the website is secure. Look for a lock icon in the upper-right corner of the Safari window. The lock icon means that the website presented a certificate, trusted by Safari, for the address shown, and that information you exchange with it will be encrypted; it says nothing about the address itself, so read that too. Make sure the website’s address begins with “https” (instead of “http”). If the website is not secure, you may have been given a choice between a secure and an insecure connection when logging in to the site. Go back to the page where you logged in and check for a link to a secure login. Even if you don’t plan to view private information, it’s best to use a secure login whenever possible, to ensure that your login information is encrypted.
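To make the two points above concrete, here is an added example (not Apple’s Keychain code and not part of the original post) of how an autofill decision works when saved passwords are keyed to the origin they were saved on: a credential is offered only on an https page whose parsed hostname exactly matches the saved host. The stored credential, the sample URLs and the function names are constructed for this illustration. It goes a little beyond the text by also normalizing internationalized hostnames, so a Unicode lookalike domain cannot compare equal to the saved one.

```python
from urllib.parse import urlsplit

# Constructed sample store: the credential was saved while logged in on
# https://www.paypal.com, so that exact (scheme, host) pair is the key.
SAVED_CREDENTIALS = {
    ("https", "www.paypal.com"): ("alice", "correct horse battery staple"),
}


def normalize_host(host):
    """Lower-case the host, drop a trailing dot and IDNA-encode it.

    IDNA encoding turns a Unicode lookalike such as a Cyrillic 'a' into an
    xn-- label, so it can never compare equal to the ASCII host the
    credential was saved under.
    """
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def credential_for(url):
    """Return (user, password) for url, or None if autofill must stay silent.

    Autofill fires only when the page is served over https and its host is
    exactly the host the credential was saved on. Substring tricks such as
    www.paypal.com.evil.example, or the real name placed in the userinfo part
    (www.paypal.com@evil.example), do not match, because only the parsed
    hostname is compared, never the raw URL string.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return SAVED_CREDENTIALS.get(("https", normalize_host(parts.hostname)))


def autofill_report(urls):
    """Map each URL to True (autofill would fire) or False (it stays silent)."""
    return {url: credential_for(url) is not None for url in urls}


if __name__ == "__main__":
    # Constructed URLs: one real login page and several phishing-style variants.
    report = autofill_report([
        "https://www.paypal.com/cgi-bin/webscr",
        "http://www.paypal.com/",                        # no TLS at all
        "https://www.paypal.com.secure-login.example/",  # real name buried in a longer host
        "https://www.paypal.com@evil.example/",          # real name in the userinfo part
        "https://www.p\u0430ypal.com/",                  # Cyrillic 'a' instead of Latin 'a'
    ])
    for url, filled in report.items():
        print("autofill" if filled else "silent  ", url)
```

Run it and only the first URL gets the saved credential; every variant that a user might read as “PayPal” in the address bar is rejected because the host the browser actually connects to is not the saved one.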
Digital certificates are used to validate users and hosts on the Internet. When you receive certificates from the Internet, you can add them to your keychain (including EV certificates) for quick access to secure websites and other resources. Once a certificate is added, it can be used by other compatible applications.
To add a certificate to a keychain:
1. Drag the certificate file onto the Keychain Access icon or double-click the certificate file (you can also add a certificate to a keychain by choosing File > Import).
2. If you want to view the contents of the certificate before you add it, click View Certificates in the dialog, and then click OK when you are done.
3. Choose a keychain from the pop-up menu and click OK.
4. If you’re asked to provide a name and password, type the name and password for an administrator user on this computer.
PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security. More about that last bit here.
One thing PayPal (and banks, online retailers, software developers, etc.) should keep in mind: Mac users, besides being better educated, also have more disposable income than your average web surfer and our numbers are growing. Block/ignore us at your own peril.
Want a faster, safer and more convenient way to shop online? Try Google Checkout. It’s Safari-compatible.
Is it a big deal to add this feature and thus be compliant?
I thought the original SSL certificate was supposed to protect transactions. Now you need EV SSL? What?
Look, PayPal, who cares? Really. Why not offer protection to users instead by having something similar to what credit cards do? If there is an unauthorized transaction, you will undo it and take the offending vendor to task for it. No? Too difficult? Would that require “work” on your part?
paypal block me,
I block paypal.
I suspect that there is too much money to be lost for PayPal to block the large number of Mac (and PC) users with Safari. I suspect Safari wasn’t mentioned in the white paper because they know they have to resolve this issue before “pulling the plug” on us.
Given the choice I’d keep Safari on all my Macs and PC and find another payment mechanism.
Maybe we shouldn’t be using the internet in banking and related transactions. It’s always going to be a moving target to guarantee security.
“Make sure the website’s address begins with ‘https’ (instead of ‘http’). If the website is not secure, you may have been given a choice between a secure and an insecure connection when logging in to the site.”
So MDN is NOT secure?
PayPal is the weak link here…always has been!
Yet another reason why Apple forces me to keep multiple browsers on my Macs. For some reason Apple refuses to make Safari a 100%-of-the-time browser. This is one place where Apple refuses to do the “work” for its customers.
If I am reading that correctly, then they are banning Firefox, Opera, and Camino as well. In other words, all Mac, Linux, and Unix users.
That’s a real smart plan. Migrate over from inherently safe browsers to a terribly insecure one just to use PayPal.
Well, this sucks big time. A lot of my income comes from microstock web sites that prefer PayPal. I don’t know whether to be mad at PayPal or Apple.
MDN – the “secure-lock” icon on a page can be spoofed, from what security experts have written.
In other news….
Safari users plan to block PayPal use and stick to “real” credit card companies. And real vendors who don’t rely on PayPal.
MDN – your blind Mac devotion is off the mark here. Why shouldn’t Safari just make itself a more secure browser? There SHOULD be red/green indicators of page security… Apple is supposed to be the computer-friendly company, and I don’t see a lot of new computer users or kids or grandmas looking for an ‘s’ after the ‘http’ in the URL to determine for themselves if a site is safe.
Everything is going online, everything needs to be secure, and Safari should be leading the way in online safety as Apple is leading the way in computer usability.
What is the advantage of NOT being compliant?
“If you’re on a phishing site, your Keychain will not complete or autofill your username/password info.”
So THAT’s why I have to keep reentering my social security number over and over again!
As for PayPal, Google Checkout is a great way to do all Non eBay activities.
The biggest threat to PayPal users is phishing. How does this protect against that? If someone steals your user name and password, then what, they can’t use Safari to access your account? That’s absurd.