Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Paypal Advises Users To Stop Using Safari

Posted by Zonk on Mon Mar 03, 2008 07:31 PM
from the watch-where-you-click dept.
Security Businesses Apple
eldavojohn writes "Over concerns for lack of an anti-phishing mechanism for Safari, Paypal is telling its Mac users to use another browser. An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him. 'Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat.'"
+ -
story

Related Stories

Firehose:Paypal Advises Users to Stop Using Safari by eldavojohn (898314)
[+] PayPal Plans To Ban Unsafe Browsers 367 comments
Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month. "'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
[+] PayPal Denies It Will Block Safari 98 comments
Despite reports that PayPal may drop support for Apple's Safari browser because it lacks anti-phishing features, PayPal now says it ain't so. Though PayPal telegraphed displeasure with Safari last January, they're now unambiguous about their position: "We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Paypal Advises Users To Stop Using Safari 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Maybe Apple should... (Score:4, Insightful)

    by gillbates (106458) on Monday March 03 2008, @07:33PM (#22629560) Homepage Journal

    Tell Safari users to stop using PayPal...

    • Re:Maybe Apple should... (Score:5, Insightful)

      by Jeremiah Cornelius (137) * on Monday March 03 2008, @07:39PM (#22629616) Homepage Journal
      C'mon.

      Apple is deficient here - no doubt about it. If you want Mom & Pop to click "pay now", you don't expect 'em to be able to parse "http://www.barclays.validation.co.uk". You don't have to be an "idiot" to fall for this - just outside your area of expertise.

      I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!

      Except for the missing ads - thanks to Ad Block+

      • Re:Maybe Apple should... (Score:5, Insightful)

        by MacDork (560499) on Monday March 03 2008, @08:03PM (#22629910) Journal

        C'mon.

        Apple is deficient here - no doubt about it.

        Deficient eh? I use Omniweb. Same issues I'm sure, but I'm comfortable with it. I have something I feel is far more secure than a colored URL bar and Extended Validation box that begs for attention... I have an encrypted system wide keychain [xvsxp.com] that is not going to have a username/password for paypa|.com. I might not catch that pipe as a lower case L... I my not catch a cyrillic character that looks just like an 'a' in there, but my keychain aware browser certainly will. It won't have a password for that domain, and that will instantly alert me to the fact that something is fishy. Proceed to open a new window and manually enter the address as a test... I rely on my keychain so much, I generally don't know the password for most websites I use, so I therefore cannot be suckered into revealing it. I'm sure Safari can be configured the same way.

        Instead of railing on Apple for not adopting the technologically deficient solution of other browser makers, perhaps they should instead focus on what is IMHO a superior approach to security... No dice on Windows Safari, sure, but on the Mac I have no fear of phishers.

      • Re:Maybe Apple should... (Score:5, Informative)

        by MightyYar (622222) on Monday March 03 2008, @08:24PM (#22630118)
        Let Safari/Firefox save your username/password. Then when it doesn't auto fill-in, you know something is up.

        Safari is better for this strategy since it uses the secure key chain and not the - last time I checked - weak obfuscation that Firefox uses.

      • Re:Maybe Apple should... (Score:5, Interesting)

        by misleb (129952) on Monday March 03 2008, @08:41PM (#22630284)

        I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!


        And with Firefox 3, you don't even need a theme. They look very similar now. Firefox 3 even seems to use the Aqua style widgets.

        -matthew

        • Re:Maybe Apple should... (Score:4, Insightful)

          by Anonymous Coward on Monday March 03 2008, @08:07PM (#22629958)

          What theme do you recommend as the most "mac-like" and minimalist in screen real estate?
          Please - that's like asking for "the most Windows-like and stylish".

          Minimalist use of screen real estate is not a Mac virtue: Apple's principle is that screen real estate should be used well, not minimally. That's why they've made a big deal out of having bigger icons than Windows, for example, even though that means the Dock takes up about three times as much screen real estate as Windows' taskbar. Big icons = easier to hit = more efficient for the user. You aren't wasting that space, you're trading it for your time. And I assure you, unless you flip burgers or something then your time is valuable enough that you can certainly justify buying a bigger screen if you really need more working space.

          (Incidentally, I do rather wonder why, with modern Macs all having wide-aspect monitors, the default Dock position is still along the bottom of the screen, and why windows still have their toolbars along the top rather than down the side, but those are whole other cans of worms...)

              • Re:Maybe Apple should... (Score:5, Interesting)

                by Z34107 (925136) <[ten.epacsten] [ta] [repinssuolaez]> on Tuesday March 04 2008, @12:23AM (#22631868)

                Why doesn't it [Windows] have fast, easy keyboard shortcuts for most tasks?

                Enter - hit the default button. Closes all those annoying "OK" dialogs.

                Space - hit the currently selected button. Like a left mouse-click, but for the soul.

                Tab - Switch between buttons/check boxes/tabs/etc in a form. Use arrow keys to select an option from a series of radio buttons.

                Shift+Tab - Switch between buttons/check boxes/tabs/etc, but going the other way.

                Windows+R - Bring up the "Run" dialog.

                Windows+E - Bring up Explorer.

                Windows+D - Minimize everything to your desktop. (Or restore everything again.)

                F1 - Help.

                CTRL+C or CTRL+INS - Copy files/selected text/etc. to clipboard. (Sorry, meta+C.)

                CTRL+V or SHIFT+INS - Paste files/selected text/etc. from clipboard.

                ALT+F4 - Close current program or dialog box.

                CTRL+SHIFT+ESC - Bring up task manager.

                CTRL+ALT+DEL - You should know what this does. Also brings up "Windows 2000" style login from the welcome (user selection) screen in XP.

                You can run Windows without a mouse. No, really, you can - my desktop only has icons for games with long paths hidden in program files. With Windows 98 (and maybe others) you could set the default shell in WIN.INI or some other file to the command prompt instead of explorer.exe - the effect was a DOS-looking computer that could run all your Windows 98 apps! (My parents didn't see the novelty in this.)

                As for honking graphics... Aero! (ducks)

                But, I use a DAS Keyboard 2 and type 140 wpm on a slow day. I hate the lag time involved in reaching for the bloody 2-dimensional X,Y coordinate translocator, so I use these shortcuts daily. I'm sure there are others; these are just the ones that came to mind.

    • All Paypal did was have a faq [paypal.com] containing a list of anti-phishing features & browsers that support those features.

      They don't recommend against Safari, they just recommend browsers that support anti-phishing features.

      No doubt when Apple gets around to adding these features (pity Safari's not OSS, or it could be added easily by third parties), PayPal will add them to the list.

  • OpenDNS to the rescue (Score:5, Informative)

    by bstadil (7110) on Monday March 03 2008, @07:38PM (#22629608) Homepage
    Just change your DNS to OpenDNS [opendns.com] and you are covered. OpenDNS monitors Phising sites and will not let you resolve to it. You don't need to sign up just use their nameservers at 208.67.222.222 and 208.67.220.220. It's free. If you sign up you get some additional cool features like blocking selected domain types Like Pron if that's not your thing.

    • Re:OpenDNS to the rescue (Score:5, Insightful)

      by karmatic (776420) on Monday March 03 2008, @07:59PM (#22629864)
      OpenDNS monitors Phising sites and will not let you resolve to it.
      That's assuming, of course, that it's using a unique DNS name. For pages hosted on SourceForge, Geocities, etc. it won't do anything at all, and may provide a false sense of security.

      Furthermore, it's really easy to create phishing pages that will only show their contents to humans, and not spiders.

    • Re:OpenDNS to the rescue (Score:5, Funny)

      by fm6 (162816) on Monday March 03 2008, @08:28PM (#22630156) Homepage Journal

      OpenDNS monitors Phising sites and will not let you resolve to it.
      OpenDNS monitors known phishing sites. Phishers really should update the database when they start a new site, but for some strange reason, they rarely bother.

  • What nonsense. (Score:5, Informative)

    by gnutoo (1154137) on Monday March 03 2008, @07:38PM (#22629610) Journal

    IE over Safari? Really? I can understand wanting a good free browser like Firefox on OSX but IE? Do they even have IE 7 for OSX yet? The article Ars points to [yahoo.com] says that this is driven by IE7 users not quiting PayPal. The fishing stuff is pure speculation and not even Microsoft thinks IE7 fishing protection is effective:

    Last year, researchers at Microsoft and Stanford University published a study showing that, without training, people were unlikely to notice the green address-bar notification provided by EV certificates.

    Barrett says data compiled on PayPal's Web site show that the EV certificates are having an effect. He says IE 7 users are more likely to sign on to PayPal's Web site than users who don't have EV certificate technology, presumably because they're confident that they're visiting a legitimate site.

    Over the past few months, IE 7 users have been less likely to drop out and abandon the process of signing on to PayPal, he said. "It's a several percentage-point drop in abandonment rates," he said. "That number is... measurably lower for IE 7 users."

    Rather than percieved security, I think the reason they see more IE7 users still logging in is because IE7 users are the kind of sheep that move along when prodded. They are using Windows, right? Like sheep to the slaughter, every day.

    I've got a paypal account. I don't use it much because I don't use Ebay much. I would never use an emailed link to visit the site because it's just as easy to find the right page through Paypal itself. If they make it hard, they don't deserve my business.

  • Phishing protection? Really? (Score:5, Insightful)

    by SanityInAnarchy (655584) <ninja@slaphack.com> on Monday March 03 2008, @07:39PM (#22629634) Journal
    The kinds of people who fall for phishing scams aren't likely to pay attention to what PayPal advises them to do.

    So why not cut the middleman and just advise them to not fall for phishing scams -- that is, to always verify https://www.paypal.com/ [paypal.com] in the URL?
  • It's called the address bar. It's very easy to use, just type where you want to go and press return. Before entering sensitive information into a browser window check the address bar and make sure you are where you think you are. I know your mom and my mom might not fully understand the address bar, but I think it would be easier for them to learn about it than installing a new browser.

  • They've had it too good for too long... (Score:5, Funny)

    by SterlingSylver (1122973) on Monday March 03 2008, @07:53PM (#22629796)
    Well, if there's group of users that has been told repeatedly that their computer is safe from viruses, that it "just works," and that they don't need to be concerned with computer threats of any kind...it's Apple users. Sitting in their offices, wearing their turtlenecks and sipping their lattes, the only thing about phishing they've heard about is that it happens to other people. Uglier people. They're not used to having to defend themselves, not like Windows users. Windows users have a battle-scarred paranoia...they've seen worms that can rewrite their BIOS, steal their credit cards, and kidnap their firstborn. Their 50 yard stares have been earned by fixing their mom's computer for the eighth time this month, and damnit if they're going to lose another computer to some Ethiopian scammer...not after the last time. Their nightmares are the stuff of Steven King novels, the earlier stuff with lovecraftian clowns and superplagues that are the start of apocalyptic battles between good and evil. Their best days on the internet involve life and death struggles against the next pop-up, because it might be their last. Ironically, Mac users have never had to live with the terror that clicking on that "win a free iPod" might just cause their computer to explode, spamming their grandmother with anal tranny porn on its way out. Maybe it's time they should... ...wait, what the hell was I talking about?

  • Use IE? One problem... (Score:4, Insightful)

    by Myrkridian42 (840659) on Monday March 03 2008, @08:03PM (#22629906)
    There is *NO* Internet Explorer for Mac!

    Microsoft stopped making (and supporting) IE for Mac in 2003. See for yourself [wikipedia.org].

  • Fish all you want... (Score:5, Informative)

    by cybereal (621599) on Monday March 03 2008, @08:15PM (#22630026) Homepage
    I bought the $5 keyfob for paypal and ebay, (plus it works on my verisign openid provider) and this phishing problem is no longer an issue for me.

    They can get my paypal username and password, but they still need the electronic key that only *I* have. I suggest anyone who actually uses paypal get one of these, they are trivial to use and paypal is selling them incredibly cheaply.

  • EASILY fixed - never click on email links (Score:5, Informative)

    by grrrl (110084) on Monday March 03 2008, @09:24PM (#22630630)
    I'm with those who think this is simply avoided by NEVER clicking on a link in an email.

    Paypal will NEVER require you to click on a link in an email. All ebay functions can be accessed from my.ebay.com. My bank specifically states 'we will never send you links in an email, ALWAYS type in our website address yourself'.

    Follow that advice and you have no problems. PERIOD.

    If you think the email is legit, log into the site you type in yourself and see if there is an alert. Or ring them yourself. (On a side note I once had a credit card company ring ME and refuse to say who they were until I confirmed who I was by giving my DOB. I rang them back on the proper number and went off at them.)

    Case closed yadda yadda.

    • Re:here phishie phishie (Score:5, Insightful)

      by Niten (201835) on Monday March 03 2008, @07:55PM (#22629802) Homepage

      Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.

      I'm all for exercising personal responsibility, but I'd never argue that anybody 'deserves' to fall victim to a phishing scam.

      The fact of the matter is that there are some people (my grandparents, for example) who like to use the Web, but who are perhaps just a little bit senile and might one day fall for this sort of thing. If even an Ars Technica writer can fall for it, how can we expect an 80+ year-old to constantly exercise due vigilance?

      I'm actually quite OK with this PayPal advisory: the kind of people who will act upon it -- computing amateurs, basically -- probably should be using a browser that raises a big fat red flag when it hits a known scam site, and I'd recommend that such people use Firefox, Opera, or even IE 7 rather than Safari. The rest of us, those who are clueful enough to know how to protect themselves, aren't really the ones that PayPal is addressing here.

    • Re:How good Ars Technica writers at tech and revie (Score:5, Insightful)

      by Niten (201835) on Monday March 03 2008, @07:58PM (#22629860) Homepage

      I'm very happy for you, that you've never made a single careless mistake in your life. However, please do try to have a little mercy on those of us who are merely human, especially when we're honest enough to admit it.

    • Re:How good Ars Technica writers at tech and revie (Score:5, Insightful)

      by pandrijeczko (588093) on Tuesday March 04 2008, @04:07AM (#22633130)
      I've been into computers for 25-odd years, I'm Linux and Windows certified, I program in shell, Perl & C & I work as a security consultant...

      ...and 3 months ago even I fell for a Paypal phishing scam where I handed over my username, password and account details.

      Fortunately, I realised what had happened within a few minutes, immediately changed my Paypal password and cancel my bank card. I also reported the site to Paypal where it was taken down within an hour. As a result, I've not had any problems between then and now.

      Yes, it's all about attention, I agree - but it just takes a lapse in concentration to fall for one of these scams.

      Oh, and before it happened to me, I, like you, was mouthing off on Slashdot about how it could never happen to me also...

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.