Upcoming PayPal anti-phishing measures may block Safari

Posted in macOS, edited January 2014
As part of a multi-tiered approach to guarding against online fraud on its site, PayPal says it will block the use of any web browser that doesn't provide added validation measures, potentially restricting the current version of Safari from the e-commerce site.



The money transfer service's Chief Information Security Officer, Michael Barrett, makes the new policy clear in a white paper (PDF) posted this week, which highlights the browser as a key means of putting an end to phishing (false website) scams, alongside such steps as blocking fraudulent e-mail messages and pursuing criminal charges.



When addressing web access, Barrett argues that any user visiting a financial site such as PayPal should know not only that their browser will block fake sites meant to steal information, but also that the browser can properly indicate a legitimate site. Without either precaution, visitors may not only be victims of scams but may lose all trust in an otherwise safe business. This doubly harmful outcome is likened to a car crash without protection.



"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," the expert says.



To that end, PayPal is said to be implementing steps that will first provide warnings against, and eventually block, any browser that doesn't meet these criteria.



Most modern web browsers, including Firefox and newer versions of Microsoft's Internet Explorer, are able to support at least basic blocking of phishing sites. The newest, such as Internet Explorer 7 or the upcoming Firefox 3, also support a new feature known as an Extended Validation Secure Sockets Layer (EV SSL) certificate. This measure of authenticity turns the address bar green and identifies the company running the site, letting the user know any secure transactions are genuine.



Safari, however, has neither of these features and so could fall prey to the blocks and warning messages. Barrett doesn't mention the browser by name but notes that any "very old and vulnerable" software would ultimately be blacklisted from the future update to PayPal's service, placing Safari in the same category of dangerous clients as Microsoft's ten-year-old Internet Explorer 4.



Apple's approach to browser security has so far been tentative. The Mac maker briefly incorporated Google's database of fraudulent sites into beta builds of Mac OS X Leopard this past fall, only to pull the feature in later test versions. Release builds of the stand-alone browser for both Macs and Windows PCs have also gone without the anti-phishing warnings, but notably leave code traces inside the software that raise the possibility of improvements through a later update.



Apple hasn't responded to the white paper but is likely to face pressure as PayPal and similar institutions ask for an all-encompassing approach to fighting scams that involves EV SSL and other software techniques. Internet Explorer 7's debut has already had a demonstrated effect on customers, who are more likely to finish signing up for PayPal knowing that the web browser has authenticated the registration page.



"We couldn't eradicate this problem on our own - to make a dent in phishing, it would take collaboration with the Internet industry, law enforcement, and government around the world," Barrett explains.

Comments

  • Reply 1 of 45
    Well seeing that I don't use paypal much anymore if I can't view it on my mac just looks like I'll be canceling my paypal account!!!
  • Reply 2 of 45
    creb Posts: 276 member
    Screw PayPal, and eBay...I loathe them both.
  • Reply 3 of 45
    derev Posts: 64 member
    Quote:
    Originally Posted by btitusjr View Post


    Well seeing that I don't use paypal much anymore if I can't view it on my mac just looks like I'll be canceling my paypal account!!!





    So, what happens when the spammers/phishers/rip-offs figure out how to spoof the protocols?

    And we all know that it is always just a matter of time.

  • Reply 4 of 45
    creb Posts: 276 member
    I use 1Password, by Agile Web Solutions, to keep my information safe. And again, screw PayPal and eBay.
  • Reply 5 of 45
    solipsism Posts: 25,726 member
    Is EV SSL really much better than SSL or is this just a money maker from the license distributors?
  • Reply 6 of 45
    Big deal. Some PayPal features (shipping, for example) already don't work right in Safari.



    They never have made any effort to support Safari anyway.
  • Reply 7 of 45
    Quote:
    Originally Posted by solipsism View Post


    Is EV SSL really much better than SSL or is this just a money maker from the license distributors?



    Short answer, nope. No more secure. They use the same encryption/validation technologies. The only distinctions are that:

    A) they cost more

    B) in theory, there is a more thorough background check on the company receiving it



    Since the normal screening process has proven effective so far... what's the point.

    Also due to A, it would become harder for small businesses to afford them to be seen as "legitimate".



    http://en.wikipedia.org/wiki/Extende...ty_to_Phishing
  • Reply 8 of 45
    mercury7 Posts: 203 member
    Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply un-American and anti-competitive. Just my 2 cents.
  • Reply 9 of 45
    SpamSandwich Posts: 33,407 member
    PayPal is no pal of mine.
  • Reply 10 of 45
    jeffdm Posts: 12,951 member
    Quote:
    Originally Posted by mercury7 View Post


    Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply un-American and anti-competitive. Just my 2 cents.



    I think they've only forced Paypal use in Australia. They do offer sellers a means to require PayPal, but the default is "off", a seller has to specifically turn it on. But it's just so much more convenient for both buyer and seller. When I sold, most would pay by PayPal anyway.



    I don't like how they forbid PayPal competitors though.
  • Reply 11 of 45
    carbo Posts: 3 member
    Quote:
    Originally Posted by mercury7 View Post


    Paypal should be illegal anyway....The way ebay has manipulated everyone, forcing it as the only option and forbidding use of google checkout is simply un-American and anti-competitive. Just my 2 cents.



    By that logic, iTunes and the iPod are just as illegal. Apple is just as anti-competitive with their closed ecosystems. To me, the difference is that iTunes works and provides value to its customers. Whereas eBay has become increasingly complex and restrictive in their policies and fee structures at the expense of their customers.
  • Reply 12 of 45
    mercury7 Posts: 203 member
    Well the problem is that a lot of sellers have bought in to their BS and will not even accept checks or money orders so if you don't have paypal you're simply out of luck.

    If google were to challenge this in court they would win...but ebay flexed its muscles by cutting their adword buys when google threatened them. Long story short, google backed down and ebay's paypal remains a monopoly in that closed system.
  • Reply 13 of 45
    arlomedia Posts: 271 member
    I find IE7 (and Vista) to be hardly usable because of all the various security "warnings" which are mostly false positives. I hope Apple isn't led in that direction with Safari, which is my favorite browser because of its streamlined interface.



    Isn't identifying a phishing site as easy as looking at the domain name to see if it matches your expectation? (e.g. don't enter your password into ebay.ripoff.ru) Not that I expect everyone to know that, but it's not rocket science, right?
  • Reply 14 of 45
    mercury7 Posts: 203 member
    phishing sites would not exist though if at least some people did not fall for it.....example, I got an email offer from philips electronics today for a refurbed 42 inch plasma for 679.00, the address was info.philips.com/something or another....still have no idea if it was legit but no doubt someone will click on that link and find out.
  • Reply 15 of 45
    tundraboy Posts: 1,884 member
    " We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website.



    Michael Oldenburg

    PayPal Corporate Communications

    Comment by Michael Oldenburg - April 18, 2008 at 8:11 pm"



    Source: http://blogs.wsj.com/biztech/2008/04...g?mod=yahoo_hs
  • Reply 16 of 45
    Eh, I think I'm with PayPal with this one. But before I go there ... lemme just say, I hate paypal. They're retards that kept me from my own money for 40 days due to ludicrous security measures. I don't think they're well managed and I don't appreciate their customer service. But at the same time, I don't think they're really that far off. I can't renew my FAFSA (Free Application for Federal Student Aid) online with Safari... however I can with Netscape... what's up with that? Does anyone even use Netscape anymore? Also, I ran into the same problem with paying my Discover Card online (I could use Netscape, IE, and Firefox but not Safari). What's the deal? I don't know what to think, but I don't think that all these companies are wrong in not supporting Safari. There has got to be some larger issue at hand. Any comments/explanations?
  • Reply 17 of 45
    The Wall Street Journal has a response from PayPal saying they are only blocking older obsolete OS & browser combos. Safari is NOT among them.



    Update: I see it just appeared here too, up at the 7:24 post from TundraBoy.



    AppleInsider might consider changing the headline, so as not to mislead.



    Joseph
  • Reply 18 of 45
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by HyteProsector View Post


    I can't renew my FAFSA (Free Application for Federal Student Aid) online with Safari... however I can with Netscape... what's up with that? Does anyone even use Netscape anymore? Also, I ran into the same problem with paying my Discover Card online (I could use Netscape, IE, and Firefox but not Safari). What's the deal? I don't know what to think, but I don't think that all these companies are wrong in not supporting Safari. There has got to be some larger issue at hand. Any comments/explanations?



    In Safari Preferences » Advanced you can turn on Show Develop Menu In Menu Bar. With this activated you get multiple options to adjust your User Agent. From there you should be able to access all the sites you mentioned above.



    Since they work with Netscape and Firefox they clearly don't require ActiveX and they aren't allowing Safari because the code was written to only allow select browsers; but Safari should work just dandy. It's been a long time since I couldn't use Safari to render an internal corporate site or government site after spoofing the User Agent.
  • Reply 19 of 45
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by tundraboy View Post


    " We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website.



    Michael Oldenburg

    PayPal Corporate Communications

    Comment by Michael Oldenburg - April 18, 2008 at 8:11 pm"



    Source: http://blogs.wsj.com/biztech/2008/04...g?mod=yahoo_hs



    Quote:
    Originally Posted by MJosephS View Post


    The Wall Street Journal has a response from PayPal saying they are only blocking older obsolete OS & browser combos. Safari is NOT among them.



    Joseph



    Welcome to AI, Joseph, but you got pipped by Tundraboy.
  • Reply 20 of 45
    Quote:
    Originally Posted by JeffDM View Post


    I think they've only forced Paypal use in Australia.



    For now. We (Australia) are just the testing ground for some major changes ahead worldwide, just wait and see. Better to start with a small number of people and upset them, rather than a large number (insert US or Europe here) and have them all rebel.



    Been a guest here for ages, thought it about time I registered, this one I could not let pass as I will now be leaving Paypal, they have lost me, and I think a lot of Aussies will not be far behind me, there are a lot of peeved people here with this change.



    Later

    Mike