“PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection,” Ryan Naraine reports for eWeek.
“The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered ‘unsafe’ for financial transactions,” Naraine reports.
“‘In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,’ said PayPal Chief Information Security Officer Michael Barrett,” Naraine reports.
“In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a ‘significant set of [PayPal customers] who use very old and vulnerable browsers’ and made it clear that any browser that falls into the ‘unsafe’ category will be banned,” Naraine reports.
“Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of ‘unsafe browsers,’ but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates,” Naraine reports. “The EV SSL certificates are meant to provide trust to Web-based transactions. For example, if you use Microsoft’s IE 7 to visit a Web site secured with an EV SSL certificate, the URL address bar is displayed in green and offers the ability for the user to toggle between the organization name listed in the certificate and the issuing Certificate Authority.”
“Firefox and Opera have announced their intention to support EV SSL in upcoming releases,” Naraine reports. “Apple’s Safari browser, which is being aggressively pushed to Windows users, could conceivably be banned from accessing PayPal.com under the plan outlined by Barrett.”
Full article here.
[Thanks to MacDailyNews Reader “B-sabre” for the heads up.]
If you’re stupid enough to click on a “PayPal” link in an email, you must be a Windows user.
Q. How does blocking a browser from accessing PayPal’s legitimate site stop phishing?
A. It doesn’t.
PayPal just wants to teach everyone a lesson. Well, they just might get a costly one themselves instead.
This is all about Safari for Windows, not for Mac. Mac users have the Keychain. If you’re on a phishing site (a malevolent site masquerading as a legitimate site in order to steal your valuable info), your Keychain will not complete or autofill your username/password info. Gee, there’s a pretty huge sign that something’s wrong already, huh?
Should Apple add EV SSL to Safari? Maybe, maybe not; regardless it’s really no substitute for users’ common sense. What’s next, anyway, XL SSL? XXL? SuperSized? Puleeze.
If you’re not an idiot, you don’t need a green URL to tell you that you’re secure: When you use a website that handles private or financial information, make sure the website is secure. Look for a lock icon in the upper-right corner of the Safari window. The lock icon means that the website has a certificate signifying to Safari that it’s a legitimate website and that information you exchange with it will be encrypted. Make sure the website’s address begins with “https” (instead of “http”). If the website is not secure, you may have been given a choice between a secure and an insecure connection when logging in to the site. Go back to the page where you logged in and check for a link to a secure login. Even if you don’t plan to view private information, it’s best to use a secure login whenever possible, to ensure that your login information is encrypted.
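As an added illustration of the Keychain behaviour described above (this is example code, not the page’s or Apple’s own), the following tiny autofill routine only hands out saved credentials when the parsed origin of the current page exactly matches the origin the credentials were saved for; the vault contents and the lookalike URLs are constructed for the example.

```python
"""Origin-bound credential autofill (constructed example).

A saved password is bound to scheme://host[:port]. Autofill is refused on
anything else: plain http, a lookalike registrable domain, a subdomain trick,
userinfo smuggling, or a Unicode homograph. None of this relies on how the
address *looks* to the user, which is exactly why it catches phishing pages.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: origin -> (username, password). Not real credentials.
VAULT = {
    "https://www.paypal.com": ("alice", "hunter2"),
}


def origin_of(url: str) -> Optional[str]:
    """Return the canonical https origin of url, or None if it is not a form
    this autofill will ever trust (non-https, empty host, userinfo, bad port)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.username is not None:      # https://www.paypal.com@evil.example/
        return None
    host = parts.hostname.rstrip(".")   # .hostname is already lower-cased
    try:
        # Unicode lookalikes become their xn-- form and no longer match.
        host = host.encode("idna").decode("ascii")
        port = parts.port               # raises ValueError on a junk port
    except (UnicodeError, ValueError):
        return None
    if port is None or port == 443:
        return f"https://{host}"
    return f"https://{host}:{port}"


def autofill(url: str) -> Optional[Tuple[str, str]]:
    """Saved credentials for url's origin, or None (the 'something is wrong'
    sign the take above talks about)."""
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)
```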
Digital certificates are used to validate users and hosts on the Internet. When you receive certificates from the internet, you can add them to your keychain (including EV certificates) for quick access to secure websites and other resources. Once a certificate is added, it can be used by other compatible applications.
To add a certificate to a keychain:
1. Drag the certificate file onto the Keychain Access icon or double-click the certificate file (You can also add a certificate to a keychain by choosing File>Import).
2. If you want to view the contents of the certificate before you add it, click View Certificates in the dialog, and then click OK when you are done.
3. Choose a keychain from the pop-up menu and click OK.
4. If you’re asked to provide a name and password, type the name and password for an administrator user on this computer.
PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security. More about that last bit here.
One thing PayPal (and banks, online retailers, software developers, etc.) should keep in mind: Mac users, besides being better educated, also have more disposable income than your average web surfer and our numbers are growing. Block/ignore us at your own peril.
Want a faster, safer and more convenient way to shop online? Try Google Checkout. It’s Safari-compatible.
I do agree with the standing that Apple grounds its excellence on a user friendly, robust and secure interface, so that the adding of this protocol, no matter if it’s nothing more than a visual indicator, will result in more serenity for customers that do not feel assured about payment and security on the web.
What do we care about: this is no help for us to have a visual indicator? What about others?
I don’t think eBay didn’t mess with the danger of potentially losing sales by banning most web browsers on a useless reason.
So why not offer consideration?
I do not use paypal at all.
Nonetheless, I’m curious to learn more on the EV-SSL and why not who’s pushing behind the lines to see this getting standardized.
Any clue?
EV-SSL on Wikipedia
http://en.wikipedia.org/wiki/Extended_Validation_Certificate
Well, isn’t that lovely. Can I get a PayPal representative to come sit with me to make sure I sit up straight, chew my food twenty times, don’t play with matches, and look both ways before I cross the street, too?
I’m frightened, Auntie Em.
Well unlike many of the fanboys (who’ll cut off their nose to spite their face) if Safari isn’t a party to this feature I’ll just surf ebay with another browser. And guess what’s going to happen, Apple will put the feature in Safari because the company wants to remain competitive.
The attitudes of some people on this site remind me of what Apple used to be like. A company who used to berate the market because people didn’t buy Apple products. Then Steve Jobs came back and stopped this self-destructive process and started giving people what they wanted…good quality, up-to-date products. And if this is what is needed to keep Safari competitive then they’ll do it. End of story!
I hate PayPal, they just stole $984 from me! lying, cheating bastards… they can block Safari, cuz I won’t be coming back there anytime soon…
Ee Ee Ee
I think you guys/gals are being a little too flippant about all of this. I agree with Paypal on this one. Not everyone is as computer literate as many of us on the board. Phishing/ID theft is serious business. It can ruin you.
I agree with Paypal’s efforts to try and decrease this problem. It is really time for Safari to become more secure. I think that conforming to standards is something that both Safari and IE should do to keep customers safe.
Although I like Firefox a lot better than Safari, I do think that you should be able to use any browser and know that you’re safe doing so.
Rick.
Ok: Yes, Apple should do and keep doing everything possible to ameliorate security problems — BUT Apple cannot fix user stupidity. And Apple cannot prevent false EV-SSL pages popping up.
Look at this:
“A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters. Piggybacking on the anticipated extra trust instilled by the presence of an EV SSL certificate, arbitrary content could be injected onto the secure page at SourceForge to create a very convincing phishing attack. The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.”
So PayPal has security issues so they want to block their legitimate customers from accessing their site. That’s really DUMB!!
Fix your security issues Paypal!
Well fuck Paypal. Any site that only uses Paypal as a payment option just lost me as a customer.
“There has been some concern that EV certificates, despite their improved authentication and higher cost, will not prevent phishing attacks[9].
In 2006, researchers at Stanford University and Microsoft conducted a usability study[10] of the EV display in Internet Explorer 7. The study measured users’ ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks, and found that there was no significant difference between users who saw extended validation indicators and those who did not. Users who received training with the Internet Explorer 7 help file were more likely to judge all sites legitimate, regardless of whether they were fraudulent.”
EV SSL sounds to me like a marketing scam. Does the new authentication scheme really improve the security? If someone figures out a way to turn the address bar green using JavaScript or more likely ActiveX (I think it is just a matter of time), how would IE7 users know it turned green because they are at an EV SSL site or someone is trying to phish them? Meanwhile eBay/PayPal is probably benefiting from a licensing requirement for EV SSL.
I don’t use Paypal anyway and won’t use them regardless.
“MacDailyNews Take: If you’re stupid enough to click on a “PayPal” link in an email, you must be a Windows user.”
Is this really necessary?
There are two types of people that get scammed.
1) Ignorant people
2) People who think they know how to avoid scams (i.e. smug people)
I think MDN fits into the second category.
“PayPal plans to block Safari users”
Kind of a misleading title.
They are blocking “incompatible” browsers, not as in, “Hey let’s block Safari”.
Are you saying that PayPal is not good to use, and we are going to remain using “Firefox”? But I think there is some good about PayPal, do they?..
_____________________________________
bullfrog