Upcoming PayPal anti-phishing measures may block Safari

[AppleInsider]

As part of a multi-tiered approach to guarding against online fraud on its site, PayPal says it will block the use of any web browser that doesn't provided added validation measures, potentially restricting the current version of Safari from the e-commerce site.

The money transfer service's Chief Information Security Officer, Michael Barrett, makes the new policy clear in a white paper (PDF) posted this week, which highlights the browser as a key means of putting an end to phishing (false website) scams alongside such steps as blocking fraudulent e-mail messages and criminal charges.

When addressing web access, Barrett argues that any user visiting a financial site such as PayPal should know not only that their browser will block fake sites meant to steal information, but also that the browser can properly indicate a legitimate site. Without either precaution, visitors may not only be victims of scams but may lose all trust in an otherwise safe business. This doubly harmful outcome is likened to a car crash without protection.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," the expert says.

To that end, PayPal is said to be implementing steps that will first provide warnings against, and eventually block, any browser that doesn't meet these criteria.

Most modern web browsers, including Firefox and newer versions of Microsoft's Internet Explorer, are able to support at least basic blocking of phishing sites. The newest, such as Internet Explorer 7 or the upcoming Firefox 3, also support a new feature known as an Extended Validation Secure Socket Layer (EV SSL) certificate. The measure of authenticity turns the address bar green and identifies the company running the site, letting the user know any secure transactions are genuine.

Safari, however, lacks either of these features and so could fall prey to the blocks and warning messages. Barrett doesn't mention the browser by name but notes that any "very old and vulnerable" software would ultimately be blacklisted from the future update to PayPal's service, placing Safari in the same category of dangerous clients as Microsoft's ten-year-old Internet Explorer 4.

Apple's approach to browser security has so far been tentative. The Mac maker has briefly incorporated Google's database of fraudulent sites into a beta builds of Mac OS X Leopard this past fall, only to pull the feature in later test versions. Release builds of the stand-alone browser for both Macs and Windows PCs have also gone without the anti-phishing warnings, but notably leave code traces inside the software that raise the possiblity of improvements through a later update.

Apple hasn't responded to the white paper but is likely to face pressure as PayPal and similar institutions ask for an all-encompassing approach to fighting scams that involves EV SSL and other software techniques. Internet Explorer 7's debut has already had a demonstrated effect on customers, who are more likely to finish signing up for PayPal knowing that the web browser has authenticated the registration page.

"We couldn’t eradicate this problem on our own – to make a dent in phishing, it would take collaboration with the Internet industry, law enforcement, and government around the world," Barrett explains.

[ View this article at AppleInsider.com ]

[btitusjr]

Well seeing that I dont use paypal much anymore if I cant view it on my mac just looks like I'll be canceling my paypal account!!!

[CREB]

Screw PayPal, and eBay...I loathe them both.

[derev]

Quote:

Originally Posted by btitusjr

Well seeing that I dont use paypal much anymore if I cant view it on my mac just looks like I'll be canceling my paypal account!!!

So, what happens when the spammers/phishers/rip-offs figure out how to spoof the protocols?
And we all know that it is always just a matter of time.

[CREB]

I use 1Password, by Agile Web Solutions, to keep my information safe. And again, screw PayPal and eBay.

[solipsism]

Is EV SSL really much better than SSL or is this just a money maker from the license distributers?

[slicedbread]

Big deal. Some PayPal features (shipping, for example) already don't work right in Safari.

They never have made any effort to support Safari anyway.

[Axcess99]

Quote:

Originally Posted by solipsism

Is EV SSL really much better than SSL or is this just a money maker from the license distributers?

Short answer, nope. No more secure. They use the same encryption/validation technologies. The only distinctions are that:
A) they cost more
B) in theory, there is a more thorough background check on the company receiving it

Since the normal screening process has proven effective so far... what's the point.
Also due to A, it would become harder for small businesses to afford them to be seen as "legitimate".

http://en.wikipedia.org/wiki/Extende...ty_to_Phishing

[mercury7]

Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply unamerican and anti-competitive. Just my 2 cents.

[SpamSandwich]

PayPal is no pal of mine.

[JeffDM]

Quote:

Originally Posted by mercury7

Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply unamerican and anti-competitive. Just my 2 cents.

I think they've only forced Paypal use in Australia. They do offer sellers a means to require PayPal, but the default is "off", a seller has to specifically turn it on. But it's just so much more convenient for both buyer and seller. When I sold, most would pay by PayPal anyway.

I don't like how they forbid PayPal competitors though.

[Carbo]

Quote:

Originally Posted by mercury7

Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply unamerican and anti-competitive. Just my 2 cents.

By that logic, iTunes and the iPod just are just as illegal. Apple is just as anti-competitive with their closed ecosystems. To me, the difference is that iTunes works and provides value to its customers. Whereas eBay has become increasingly complex and restrictive in their policies and fee structures at the expense of their customers.

[mercury7]

Well the problem is that a lot of sellers have bought in to their BS and will not
even accept checks or money orders so if you don't have paypal your simply out of luck.

If google were to challenge this in court they would win...but ebay flexed its muscles by
cutting their adword buys when google threatened them. Long story short, google backed down and ebays paypal remains a monopoly in that closed system.

[arlomedia]

I find IE7 (and Vista) to be hardly usable because of all the various security "warnings" which are mostly false positives. I hope Apple isn't led in that direction with Safari, which is my favorite browser because of its streamlined interface.

Isn't identifying a phishing site as easy as looking at the domain name to see if it matches your expectation? (e.g. don't enter your password into ebay.ripoff.ru) Not that I expect everyone to know that, but it's not rocket science, right?

[mercury7]

phishing sites would not exist though if at least some people did not fall for it.....example, I got a email offer from philips electronics today for a refurbed 42 inch plasma for 679.00, the address was info.philips.com/something or another....still have no idea if it was legit but no doubt someone will click on that link and find out.

[tundraboy]

" We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website.

Michael Oldenburg
PayPal Corporate Communications
Comment by Michael Oldenburg - April 18, 2008 at 8:11 pm"

Source: http://blogs.wsj.com/biztech/2008/04...g?mod=yahoo_hs

[HyteProsector]

Eh, I think I'm with PayPal with this one. But before I go there ... lemme just say, I hate paypal. They're retards that kept me from my own money for 40 days due ludicrous security measures. I don't think they're well managed and I don't appreciate their customer service. But at the same time, I don't think they're really that far off. I can't renew my FAFSA (Free Application for Federal Student Aid) online with Sarafi... however I can with Netscape... whats up with that? Does anyone even use Netscape anymore? Also, I ran into the same problem with paying my Discover Card online (I could use Netscape, IE, and FireFox but not Safari). Whats the deal? I don't know what to think, but I don't think that all these companies are wrong in not supporting Safari. There has got to be some larger issue at hand. Any comments/explanations?

[MJosephS]

The Wall Street Journal has a response from PayPal saying they are only blocking older obsolete OS & browser combos. Safari is NOT among them.

Update: I see it just appeared here too, up at the 7:24 post from TundraBoy.

AppleInsider might consider changing the headline, so as not to mislead.

Joseph

[solipsism]

Quote:

Originally Posted by HyteProsector

I can't renew my FAFSA (Free Application for Federal Student Aid) online with Sarafi... however I can with Netscape... whats up with that? Does anyone even use Netscape anymore? Also, I ran into the same problem with paying my Discover Card online (I could use Netscape, IE, and FireFox but not Safari). Whats the deal? I don't know what to think, but I don't think that all these companies are wrong in not supporting Safari. There has got to be some larger issue at hand. Any comments/explanations?

In Safari Preferences » Advanced you can turn on Show Develop Menu In Menu Bar. With this activated you get multiple options to adjust your User Agent. From there you should be able to access all the sites you mentioned above.

Since they work with Netscape and Firefox they clearly don't require ActiveX and they aren't allowing Safari because the code was written to only allow select browsers; but Safari should work just dandy. It's been a long time since I couldn't use Safari to render an internal corporate site or government site after spoofing the User Agent.

[solipsism]

Quote:

Originally Posted by tundraboy

" We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website.

Michael Oldenburg
PayPal Corporate Communications
Comment by Michael Oldenburg - April 18, 2008 at 8:11 pm"

Source: http://blogs.wsj.com/biztech/2008/04...g?mod=yahoo_hs

Quote:

Originally Posted by MJosephS

The Wall Street Journal has a response from PayPal saying they are only blocking older obsolete OS & browser combos. Safari is NOT among them.

Joseph

Welcome to AI, Joseph, but you got pipped by Tundraboy.

[cage123au]

Quote:

Originally Posted by JeffDM

I think they've only forced Paypal use in Australia.

For now. We (Australia) are just the testing ground for some major changes ahead worldwide, just wait and see. Better to start with a small number of people and upset them, rather than a large number (insert US or Europe here) and have all them rebel.

Been a guest here for ages, thought it about time I registered, this one I could not let pass as I will now be leaving Paypal, they have lost me, and I think a lot of Aussies will not be far behind me, there are a lot of peeved people here with this change.

Later
Mike

[solipsism]

Quote:

Originally Posted by cage123au

For now. We (Australia) are just the testing ground for some major changes ahead worldwide, just wait and see. Better to start with a small number of people and upset them, rather than a large number (insert US or Europe here) and have all them rebel.

It's an island full of convicts anyway.


<sarcasm>Bet you haven't heard that one before</sarcasm>

[lostkiwi]

Quote:

Originally Posted by solipsism

It's an island full of convicts anyway.


<sarcasm>Bet you haven't heard that one before</sarcasm>

Apart from all the New Zealanders in Bondi and the Gold Coast classing up the place

Looking forward to the new Apple Store in Sydney and Melbourne though!

[JeffDM]

Quote:

Originally Posted by mercury7

Well the problem is that a lot of sellers have bought in to their BS and will not
even accept checks or money orders so if you don't have paypal your simply out of luck.

What BS again? All I remember is that it was a choice given to the seller, I didn't see a big case made next to the option. I think you're making it out to be something that it's not.

[derev]

Quote:

Originally Posted by solipsism

In Safari Preferences » Advanced you can turn on Show Develop Menu In Menu Bar. With this activated you get multiple options to adjust your User Agent. From there you should be able to access all the sites you mentioned above.

Since they work with Netscape and Firefox they clearly don't require ActiveX and they aren't allowing Safari because the code was written to only allow select browsers; but Safari should work just dandy. It's been a long time since I couldn't use Safari to render an internal corporate site or government site after spoofing the User Agent.

If you block javascript popups. many formfields will not work.

[JeffDM]

Quote:

Originally Posted by cage123au

For now. We (Australia) are just the testing ground for some major changes ahead worldwide, just wait and see. Better to start with a small number of people and upset them, rather than a large number (insert US or Europe here) and have all them rebel.

Been a guest here for ages, thought it about time I registered, this one I could not let pass as I will now be leaving Paypal, they have lost me, and I think a lot of Aussies will not be far behind me, there are a lot of peeved people here with this change.

Running things by a test market is generally a good idea.

If the test fails, I doubt they'd push the changes elsewhere. It's smart to test things out, even if there is a high confidence for success.

Quote:

Originally Posted by derev

If you block javascript popups. many formfields will not work.

User agent strings and javascript are completely different things.

[Walter Slocombe]

Quote:

Originally Posted by JeffDM

User agent strings and javascript are completely different things.

of course they are.

The similarity is that both can lead to problems with a webpage operating as expected.

[solipsism]

Quote:

Originally Posted by Walter Slocombe

of course they are.

The similarity is that both can lead to problems with a webpage operating as expected.

But how does blocking JS function as a workaround for sites that check the User Agent for approved browsers? My reply to HyteProsector is a method to allow him to use Safari on sites that try to tell him he can't.

[aresee]

Quote:

Originally Posted by Axcess99

Short answer, nope. No more secure. They use the same encryption/validation technologies. The only distinctions are that:
A) they cost more
B) in theory, there is a more thorough background check on the company receiving it

Since the normal screening process has proven effective so far... what's the point.
Also due to A, it would become harder for small businesses to afford them to be seen as "legitimate".

http://en.wikipedia.org/wiki/Extende...ty_to_Phishing

The same if they do not like you or want you to be in business.

[macjunkie82]

Quote:

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," the expert says.

Umm, I think his metaphor is flawed. A better metaphor be "Letting users view the PayPal site on one of these browsers [one without anti-phishing features] is equal to a car manufacturer allowing drivers to drive without seatbelts."

Which, they do allow people to not wear seatbelts (just because it's against the law doesn't mean you have to wear it). It's not the car manufacturer's responsibility to make me use my seatbelt, just as it's not PayPal's responsibility to make me use a browser that helps identify phishing scams.

[JeffDM]

Quote:

Originally Posted by macjunkie82

just as it's not PayPal's responsibility to make me use a browser that helps identify phishing scams.

If you have a problem with it, I say vote with your money if they follow through and your favorite doesn't support it by then. A reduction in losses & potentially fewer lawsuits may well more than offset the lost customers.

I really don't see the fuss.

[Swift]

Recent episodes of Security Now! from grc.com have shown that a) there's a lot of breach of privacy going on between Paypal and Doubleclick -- the mere presence of an ad banner on a Paypal page exposes you to a Doubleclick cookie that follows you everywhere -- and is there sharing of Paypal's info with their "partner"? And they expose a lot of your personal banking info on a regular basis. Just go to grc.com, look in the menus for Security now, then do a site search for Paypal Double-click and Paypal privacy, and read it and weep.

The idea of a blacklist for bad sites is just stupid. Anybody who wants to see the list can, and the bad guys just switch their identities. And the brand-new, special security certs are a moneymaker, purely and simply. Those new certificates come at a high price, and who says they can't be spoofed?

[Haggar]

Quote:

Originally Posted by JeffDM

I think they've only forced Paypal use in Australia. They do offer sellers a means to require PayPal, but the default is "off", a seller has to specifically turn it on. But it's just so much more convenient for both buyer and seller. When I sold, most would pay by PayPal anyway.

I don't like how they forbid PayPal competitors though.

eBay sellers already have to pay a percentage of the final sale amount on items sold. Then they have to pay a percentage of the transaction amount for PayPal payment, on top of the eBay seller fees. Since PayPal is owned by eBay, people who sell on eBay are being charged twice.

[MacNewb]

http://www.macdailynews.com/index.ph..._safari_users/

Not true. Safari rules. Behind Firefox... and Camino...

Quote:

Originally Posted by AppleInsider

As part of a multi-tiered approach to guarding against online fraud on its site, PayPal says it will block the use of any web browser that doesn't provided added validation measures, potentially restricting the current version of Safari from the e-commerce site.

The money transfer service's Chief Information Security Officer, Michael Barrett, makes the new policy clear in a white paper (PDF) posted this week, which highlights the browser as a key means of putting an end to phishing (false website) scams alongside such steps as blocking fraudulent e-mail messages and criminal charges.

When addressing web access, Barrett argues that any user visiting a financial site such as PayPal should know not only that their browser will block fake sites meant to steal information, but also that the browser can properly indicate a legitimate site. Without either precaution, visitors may not only be victims of scams but may lose all trust in an otherwise safe business. This doubly harmful outcome is likened to a car crash without protection.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," the expert says.

To that end, PayPal is said to be implementing steps that will first provide warnings against, and eventually block, any browser that doesn't meet these criteria.

Most modern web browsers, including Firefox and newer versions of Microsoft's Internet Explorer, are able to support at least basic blocking of phishing sites. The newest, such as Internet Explorer 7 or the upcoming Firefox 3, also support a new feature known as an Extended Validation Secure Socket Layer (EV SSL) certificate. The measure of authenticity turns the address bar green and identifies the company running the site, letting the user know any secure transactions are genuine.

Safari, however, lacks either of these features and so could fall prey to the blocks and warning messages. Barrett doesn't mention the browser by name but notes that any "very old and vulnerable" software would ultimately be blacklisted from the future update to PayPal's service, placing Safari in the same category of dangerous clients as Microsoft's ten-year-old Internet Explorer 4.

Apple's approach to browser security has so far been tentative. The Mac maker has briefly incorporated Google's database of fraudulent sites into a beta builds of Mac OS X Leopard this past fall, only to pull the feature in later test versions. Release builds of the stand-alone browser for both Macs and Windows PCs have also gone without the anti-phishing warnings, but notably leave code traces inside the software that raise the possiblity of improvements through a later update.

Apple hasn't responded to the white paper but is likely to face pressure as PayPal and similar institutions ask for an all-encompassing approach to fighting scams that involves EV SSL and other software techniques. Internet Explorer 7's debut has already had a demonstrated effect on customers, who are more likely to finish signing up for PayPal knowing that the web browser has authenticated the registration page.

"We couldn’t eradicate this problem on our own – to make a dent in phishing, it would take collaboration with the Internet industry, law enforcement, and government around the world," Barrett explains.

[ View this article at AppleInsider.com ]

[solipsism]

Quote:

Originally Posted by MacNewb

http://www.macdailynews.com/index.ph..._safari_users/

Not true. Safari rules. Behind Firefox... and Camino...

Why do people quote the entire article? And why do some put the quoted text below their response so you have to read the thread like a yo-yo?

[solipsism]

Quote:

Originally Posted by Haggar

eBay sellers already have to pay a percentage of the final sale amount on items sold. Then they have to pay a percentage of the transaction amount for PayPal payment, on top of the eBay seller fees. Since PayPal is owned by eBay, people who sell on eBay are being charged twice.

But they are being charged for different services. And the seller has the option to choose other payment methods.

[MacNewb]

Quote:

Originally Posted by solipsism

Why do people quote the entire article? And why do some put the quoted text below their response so you have to read the thread like a yo-yo?

... I'm the MacNEWB!

[solipsism]

Quote:

Originally Posted by MacNewb

... I'm the MacNEWB!

I apologize for the angry emoticons. I do now see you are new to AI and your name, well, does say you are a newb. I guess I let my pet peeve get the bette of me. Welcome to AI.

[2112]

I noticed I just received an email from eBay the other day saying my account has been accessed illegally approx. 5X from a certain IP address. Is this phishing?

[solipsism]

Quote:

Originally Posted by 2112

I noticed I just received an email from eBay the other day saying my account has been accessed illegally approx. 5X from a certain IP address. Is this phishing?

Probably. You can check the email address by hovering over the link and seeing where it actually takes you.