Upcoming PayPal anti-phishing measures may block Safari
As part of a multi-tiered approach to guarding against online fraud on its site, PayPal says it will block the use of any web browser that doesn't provide added validation measures, potentially restricting the current version of Safari from the e-commerce site.
The money transfer service's Chief Information Security Officer, Michael Barrett, makes the new policy clear in a white paper (PDF) posted this week, which highlights the browser as a key means of putting an end to phishing (false website) scams alongside such steps as blocking fraudulent e-mail messages and criminal charges.
When addressing web access, Barrett argues that any user visiting a financial site such as PayPal should know not only that their browser will block fake sites meant to steal information, but also that the browser can properly indicate a legitimate site. Without either precaution, visitors may not only be victims of scams but may lose all trust in an otherwise safe business. This doubly harmful outcome is likened to a car crash without protection.
"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," the expert says.
To that end, PayPal is said to be implementing steps that will first provide warnings against, and eventually block, any browser that doesn't meet these criteria.
Most modern web browsers, including Firefox and newer versions of Microsoft's Internet Explorer, are able to support at least basic blocking of phishing sites. The newest, such as Internet Explorer 7 or the upcoming Firefox 3, also support a new feature known as an Extended Validation Secure Socket Layer (EV SSL) certificate. The measure of authenticity turns the address bar green and identifies the company running the site, letting the user know any secure transactions are genuine.
Safari, however, lacks either of these features and so could fall prey to the blocks and warning messages. Barrett doesn't mention the browser by name but notes that any "very old and vulnerable" software would ultimately be blacklisted from the future update to PayPal's service, placing Safari in the same category of dangerous clients as Microsoft's ten-year-old Internet Explorer 4.
Apple's approach to browser security has so far been tentative. The Mac maker briefly incorporated Google's database of fraudulent sites into beta builds of Mac OS X Leopard this past fall, only to pull the feature in later test versions. Release builds of the stand-alone browser for both Macs and Windows PCs have also gone without the anti-phishing warnings, but notably leave code traces inside the software that raise the possibility of improvements through a later update.
Apple hasn't responded to the white paper but is likely to face pressure as PayPal and similar institutions ask for an all-encompassing approach to fighting scams that involves EV SSL and other software techniques. Internet Explorer 7's debut has already had a demonstrated effect on customers, who are more likely to finish signing up for PayPal knowing that the web browser has authenticated the registration page.
"We couldn't eradicate this problem on our own - to make a dent in phishing, it would take collaboration with the Internet industry, law enforcement, and government around the world," Barrett explains.
Comments
Well seeing that I don't use paypal much anymore if I can't view it on my mac just looks like I'll be canceling my paypal account!!!
So, what happens when the spammers/phishers/rip-offs figure out how to spoof the protocols?
And we all know that it is always just a matter of time.
They never have made any effort to support Safari anyway.
Is EV SSL really much better than SSL or is this just a money maker from the license distributors?
Short answer, nope. No more secure. They use the same encryption/validation technologies. The only distinctions are that:
A) they cost more
Since the normal screening process has proven effective so far... what's the point.
Also due to A, it would become harder for small businesses to afford them to be seen as "legitimate".
http://en.wikipedia.org/wiki/Extende...ty_to_Phishing
Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply unamerican and anti-competitive. Just my 2 cents.
I think they've only forced Paypal use in Australia. They do offer sellers a means to require PayPal, but the default is "off", a seller has to specifically turn it on. But it's just so much more convenient for both buyer and seller. When I sold, most would pay by PayPal anyway.
I don't like how they forbid PayPal competitors though.
Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply unamerican and anti-competitive. Just my 2 cents.
By that logic, iTunes and the iPod are just as illegal. Apple is just as anti-competitive with their closed ecosystems. To me, the difference is that iTunes works and provides value to its customers. Whereas eBay has become increasingly complex and restrictive in their policies and fee structures at the expense of their customers.
even accept checks or money orders so if you don't have paypal you're simply out of luck.
If google were to challenge this in court they would win...but ebay flexed its muscles by cutting their adword buys when google threatened them. Long story short, google backed down and ebay's paypal remains a monopoly in that closed system.
Isn't identifying a phishing site as easy as looking at the domain name to see if it matches your expectation? (e.g. don't enter your password into ebay.ripoff.ru) Not that I expect everyone to know that, but it's not rocket science, right?
Michael Oldenburg
PayPal Corporate Communications
Comment by Michael Oldenburg - April 18, 2008 at 8:11 pm"
Source: http://blogs.wsj.com/biztech/2008/04...g?mod=yahoo_hs
Update: I see it just appeared here too, up at the 7:24 post from TundraBoy.
AppleInsider might consider changing the headline, so as not to mislead.
Joseph
I can't renew my FAFSA (Free Application for Federal Student Aid) online with Safari... however I can with Netscape... what's up with that? Does anyone even use Netscape anymore? Also, I ran into the same problem with paying my Discover Card online (I could use Netscape, IE, and FireFox but not Safari). What's the deal? I don't know what to think, but I don't think that all these companies are wrong in not supporting Safari. There has got to be some larger issue at hand. Any comments/explanations?
In Safari Preferences » Advanced you can turn on Show Develop Menu In Menu Bar. With this activated you get multiple options to adjust your User Agent. From there you should be able to access all the sites you mentioned above.
Since they work with Netscape and Firefox they clearly don't require ActiveX and they aren't allowing Safari because the code was written to only allow select browsers; but Safari should work just dandy. It's been a long time since I couldn't use Safari to render an internal corporate site or government site after spoofing the User Agent.
"We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website.
Michael Oldenburg
PayPal Corporate Communications
Comment by Michael Oldenburg - April 18, 2008 at 8:11 pm"
Source: http://blogs.wsj.com/biztech/2008/04...g?mod=yahoo_hs
The Wall Street Journal has a response from PayPal saying they are only blocking older obsolete OS & browser combos. Safari is NOT among them.
Joseph
Welcome to AI, Joseph, but you got pipped by Tundraboy.
I think they've only forced Paypal use in Australia.
For now. We (Australia) are just the testing ground for some major changes ahead worldwide, just wait and see. Better to start with a small number of people and upset them, rather than a large number (insert US or Europe here) and have all them rebel.
Been a guest here for ages, thought it about time I registered, this one I could not let pass as I will now be leaving Paypal, they have lost me, and I think a lot of Aussies will not be far behind me, there are a lot of peeved people here with this change.
Later
Mike