



Paypal Advises Users To Stop Using Safari
eldavojohn writes "Over concerns for lack of an anti-phishing mechanism for Safari, Paypal is telling its Mac users to use another browser. An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him. 'Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat.'"
Maybe Apple should... (Score:4, Insightful)
Tell Safari users to stop using PayPal...
Re:Maybe Apple should... (Score:5, Insightful)
Apple is deficient here - no doubt about it. If you want Mom & Pop to click "pay now", you don't expect 'em to be able to parse "http://www.barclays.validation.co.uk". You don't have to be an "idiot" to fall for this - just outside your area of expertise.
I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!
Except for the missing ads - thanks to Ad Block+
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
I 'never' use Safari, and don't consider my Mac 'broken' (any more than it usually is).
Re:Maybe Apple should... (Score:4, Insightful)
Minimalist use of screen real estate is not a Mac virtue: Apple's principle is that screen real estate should be used well, not minimally. That's why they've made a big deal out of having bigger icons than Windows, for example, even though that means the Dock takes up about three times as much screen real estate as Windows' taskbar. Big icons = easier to hit = more efficient for the user. You aren't wasting that space, you're trading it for your time. And I assure you, unless you flip burgers or something then your time is valuable enough that you can certainly justify buying a bigger screen if you really need more working space.
(Incidentally, I do rather wonder why, with modern Macs all having wide-aspect monitors, the default Dock position is still along the bottom of the screen, and why windows still have their toolbars along the top rather than down the side, but those are whole other cans of worms...)
Re: (Score:2)
I would say that MacOS X has generally become more minimalist in both its spatial and overall feel. Leopard had a few drawbacks (3D dock, transparent menus), but even then it toned down a lot of needless flair in other areas.
I would generally agree that MacOS X isn't exactly what I woul
Re:Maybe Apple should... (Score:4, Insightful)
Big icons is your only example of this? On the contrary:
* The 'Maximize' button will only open the app window as large as the content inside of it requires, it will not fill the screen.
* One menu bar along the top for all open windows ensures no screen space is wasted with repeated displays of a menu bar.
* Mac OS X automatically resizes dialog boxes to accommodate the content inside of them.
* Dialog boxes that open off the edge of the screen will be automatically moved back into the screen along with the rest of the app, and when closed the OS will shift the app back where it was before you opened the dialog box.
* Most apps do not have a 'background' window as to allow interaction with the desktop while the app is open. One common example is Photoshop.
Most Windows users I observe maximize all their open apps to completely cover the desktop and use the Start bar as a full-screen task-switcher. In other words, a multi-tasking MS-DOS.
Re: (Score:3, Insightful)
Why does Microsoft Windows have such big titlebars and buttons on all windows? Why does it always have these unnecessary 'ok' 'close' buttons everywhere? Why doesn't it have fast, easy keyboard shortcuts for most tasks?
Actually, the huge, hunking graphics in Windows
Re:Maybe Apple should... (Score:5, Interesting)
Why doesn't it [Windows] have fast, easy keyboard shortcuts for most tasks?
Enter - hit the default button. Closes all those annoying "OK" dialogs.
Space - hit the currently selected button. Like a left mouse-click, but for the soul.
Tab - Switch between buttons/check boxes/tabs/etc in a form. Use arrow keys to select an option from a series of radio buttons.
Shift+Tab - Switch between buttons/check boxes/tabs/etc, but going the other way.
Windows+R - Bring up the "Run" dialog.
Windows+E - Bring up Explorer.
Windows+D - Minimize everything to your desktop. (Or restore everything again.)
F1 - Help.
CTRL+C or CTRL+INS - Copy files/selected text/etc. to clipboard. (Sorry, meta+C.)
CTRL+V or SHIFT+INS - Paste files/selected text/etc. from clipboard.
ALT+F4 - Close current program or dialog box.
CTRL+SHIFT+ESC - Bring up task manager.
CTRL+ALT+DEL - You should know what this does. Also brings up "Windows 2000" style login from the welcome (user selection) screen in XP.
You can run Windows without a mouse. No, really, you can - my desktop only has icons for games with long paths hidden in program files. With Windows 98 (and maybe others) you could set the default shell in WIN.INI or some other file to the command prompt instead of explorer.exe - the effect was a DOS-looking computer that could run all your Windows 98 apps! (My parents didn't see the novelty in this.)
As for honking graphics... Aero! (ducks)
But, I use a DAS Keyboard 2 and type 140 wpm on a slow day. I hate the lag time involved in reaching for the bloody 2-dimensional X,Y coordinate translocator, so I use these shortcuts daily. I'm sure there are others; these are just the ones that came to mind.
Re: (Score:3, Informative)
Anyways, there's an easy, system-independent solution for at the very least your input troubles: Localized keyboards. You seem to be using lots of international characters (ë is French, ö is German, £ English), you may want to try the German (Switzerland) keyboard layout. It's a bit more convoluted than en-US (up to four or five characters on a single key), but it does have all the chars you get on en-US, all the chars you need fo
Re: (Score:2)
Re: (Score:3)
Which standard dialogs are you talking about? Open, Save and Quit dialogs definitely have non-titlebar buttons for each possible action. Would be kind of hard to use them otherwise since they are actually sheets and share the titlebar with document windows.
Offhand, I can only confirm that applications' about Dialogs are lacking buttons. Do you really bring them up often enough to have trouble using the titlebar to dismiss them?
Re:Maybe Apple should... (Score:5, Funny)
Re: (Score:3, Interesting)
Why shade truths? One of my maths professors, who contracted polio in his younger years, was quite content to use that term to describe himself, when it was relevant.
Unless you have some physical condition that prevents it, there's really very little excuse for poor mousing skills. If the mouse doesn't track properly, or isn't weighted correctly, buy a new one.
Re: (Score:3, Interesting)
Re: (Score:2)
iSafari Leopard [mozilla.org]
Resource? Command "I" to "get info" on Safari. Click on the Icon, and Command "C" to copy. Command "I" on FireFox to "get info". Click on the Icon and Command "V" to paste. Close all dialogues.
Re:Maybe Apple should... (Score:5, Insightful)
C'mon.
Apple is deficient here - no doubt about it.
Deficient eh? I use Omniweb. Same issues I'm sure, but I'm comfortable with it. I have something I feel is far more secure than a colored URL bar and Extended Validation box that begs for attention... I have an encrypted system-wide keychain [xvsxp.com] that is not going to have a username/password for paypa|.com. I might not catch that pipe as a lower case L... I may not catch a Cyrillic character that looks just like an 'a' in there, but my keychain-aware browser certainly will. It won't have a password for that domain, and that will instantly alert me to the fact that something is fishy. Proceed to open a new window and manually enter the address as a test... I rely on my keychain so much, I generally don't know the password for most websites I use, so I therefore cannot be suckered into revealing it. I'm sure Safari can be configured the same way.
Instead of railing on Apple for not adopting the technologically deficient solution of other browser makers, perhaps they should instead focus on what is IMHO a superior approach to security... No dice on Windows Safari, sure, but on the Mac I have no fear of phishers.
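Added example, not part of the comment above and not any browser's or keychain's actual code: a sketch of why a credential store keyed by exact hostname fails closed on names like paypa|.com or a Cyrillic "а". The KEYCHAIN dict, the small CONFUSABLES table and the function names are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for a keychain: credentials are stored per exact hostname.
KEYCHAIN = {"www.paypal.com": ("alice@example.org", "<stored-secret>")}

# Tiny constructed lookalike table; Unicode's real confusables data is far larger.
CONFUSABLES = str.maketrans({
    "|": "l", "1": "l", "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
})


def host_of(url):
    """Lowercased hostname of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower()


def mixed_script(host):
    """True if any dot-separated label mixes letters from more than one script."""
    for label in host.split("."):
        # For letters, the first word of the Unicode name is the script,
        # e.g. 'LATIN SMALL LETTER A' vs 'CYRILLIC SMALL LETTER A'.
        scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            return True
    return False


def check(url):
    """Decide what a keychain-aware browser would do for this page.

    Returns (verdict, stored_host):
      ("fill", host)            exact match, credentials may be offered
      ("lookalike", host)       no match, but the name imitates a stored host
      ("no-credentials", None)  nothing stored and nothing imitated
    """
    host = host_of(url)
    if host in KEYCHAIN:
        return ("fill", host)
    for stored in KEYCHAIN:
        # Same string after folding lookalike characters: warn, never fill.
        if host.translate(CONFUSABLES) == stored.translate(CONFUSABLES):
            return ("lookalike", stored)
    return ("no-credentials", None)


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin",
                "https://www.paypa|.com/signin",
                "https://www.p\u0430ypal.com/signin"):
        print(ascii(host_of(url)), check(url), "mixed:", mixed_script(host_of(url)))
```

The exact-match lookup is what protects the user; the lookalike and mixed-script checks only turn a silent "no password offered" into an explicit warning.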
Re: (Score:2)
Apple is deficient here - no doubt about it. If you want Mom & Pop to click "pay now", you don't expect 'em to be able to parse "http://www.barclays.validation.co.uk". You don't have to be an "idiot" to fall for this - just outside your area of expertise.
And if the phishing filter doesn't alert them, do you want to encourage Mom & Pop to go ahead and enter their credit card info on an unknown URL opened from an e-mail message? I, for one, welcome our new botnets with phishing web pages running on infected desktops overlords.
I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!
Maybe they want, but people here will certainly notice that their blogs no longer benefit from Apple's built-in spellchecker for text fields. You shouldn't muck with people's machines unless there is a compelling reason. Someday th
Re: (Score:2)
Re: (Score:3, Insightful)
Re:Maybe Apple should... (Score:5, Informative)
Safari is better for this strategy since it uses the secure key chain and not the - last time I checked - weak obfuscation that Firefox uses.
Re:Maybe Apple should... (Score:4)
I spent five years doing pen/VA for banks and insurance companies. I take none of this crap for granted.
Physical security of your laptop becomes far too high a risk.
"Keychain" is for
Re: (Score:2)
Re: (Score:3)
Not a choice I sneak on to their computer, in the dead of night!
Re: (Score:3, Insightful)
But if I did have it on my laptop, I'd sure as hell change my passwords the first chance I get.
Re: (Score:3, Insightful)
"But if I did have it on my laptop, I'd sure as hell change my passwords the first chance I get."
This seems like a bit of an illogical statement, along the lines of calling to cancel a lost credit card. You seem to be making the claim that a laptop with those saved credentials can be lost, which is a good enough reason to not make use of it, and yet people have been losing and canceling credit cards for years, a laptop is much easier to notice missing than a piece
Re:Maybe Apple should... (Score:5, Interesting)
And with Firefox 3, you don't even need a theme. They look very similar now. Firefox 3 even seems to use the Aqua style widgets.
-matthew
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
No ads required in Safari (Score:4, Informative)
Re: (Score:3, Interesting)
Re-theme it, copy and paste the icon resource, and they don't notice the change!
Yeah right. Firefox fails because of the way it handles text fields in a totally non-Mac-like way. Have your cursor at the end of a single-line text field (like the URL entry field) and want to go back to edit something at the beginning of the line? In just about every other Mac application, you simply hit the up-arrow once, and it goes to the beginning of the line of text. But not in Firefox, for some reason. Instead, I have to hold down the left-arrow and wait for it to get to the start of the line.
The
Re: (Score:2)
Easier to camouflage than re-train! They don't complain about the difference, and say "Thanks!"
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Oh, stop whining. (Score:5, Insightful)
They don't recommend against Safari, they just recommend browsers that support anti-phishing features.
No doubt when Apple gets around to adding these features (pity Safari's not OSS, or it could be added easily by third parties), PayPal will add them to the list.
A clash of the titans! (Score:3, Funny)
Re: (Score:2)
I'm afraid that it is an OSS issue. You see, anti-phishing functionality appeared (briefly) in Safari 3.0 betas. If Safari was OSS, you could just use that code rather than writing a completely new extension.
Re: (Score:2)
What does that have to do with being OSS or not? Safari has an extension model just like IE, and neither are open source. Prior to IE7, several third-party extensions added anti-phishing support for IE (MSN, Google, etc), and as far as I can tell there's nothing in Safari's extension model that would prevent others from doing the same there as well. OSS vs. non-OSS doesn't even come into play here.
Well put and there actually is such a plug-in for Safari that comes with the 1password [1password.com] password and identity management software. (Although it is not a whitelist/blacklist setup, but instead relies more upon the fact that it is really obvious a page is not genuine when you can't automatically log in using your 1password identity.)
Re: (Score:2)
Thanks for adding to the discussion tho' - very helpful.
IE (Score:2, Insightful)
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
1) No financial institution should ever ask for your email address. Ever. Not as a required field, not as an optional field. The person signing up should be informed that they are deliberately not being asked for this information either.
2) The exception to this: Reminders. These are set up WHILE logged in to the sit
That's about the size of it. (Score:2)
The Yahoo article has more information and reasoning. I link to it, quote it and give an alternate explanation here [slashdot.org]. Basically, Paypal is losing customers of all browsers but least of all from IE7 users. I think this is because IE7 users are sheep not people sharp enough to have noticed a new tool.
Uhm, no (Score:3, Interesting)
This is most assuredly wrong. You see, the browser can be completely secure and if you are logging into a fake website your login will be stolen and your bank account emptied. Note that there are TWO ways to deal with this. One is anti-phishing features in browsers and the other is a stronger login mechanism like the one ING uses. ING just recently had the lowest repor
Re:Uhm, no (Score:4, Informative)
OpenDNS to the rescue (Score:5, Informative)
Re:OpenDNS to the rescue (Score:5, Insightful)
That's assuming, of course, that it's using a unique DNS name. For pages hosted on SourceForge, Geocities, etc. it won't do anything at all, and may provide a false sense of security.
Furthermore, it's really easy to create phishing pages that will only show their contents to humans, and not spiders.
Re: (Score:3, Insightful)
Does their phishing information originate from a spider, anyhow?
Re:OpenDNS to the rescue (Score:5, Funny)
What nonsense. (Score:5, Informative)
IE over Safari? Really? I can understand wanting a good free browser like Firefox on OSX but IE? Do they even have IE 7 for OSX yet? The article Ars points to [yahoo.com] says that this is driven by IE7 users not quitting PayPal. The phishing stuff is pure speculation and not even Microsoft thinks IE7 phishing protection is effective:
Rather than perceived security, I think the reason they see more IE7 users still logging in is because IE7 users are the kind of sheep that move along when prodded. They are using Windows, right? Like sheep to the slaughter, every day.
I've got a paypal account. I don't use it much because I don't use Ebay much. I would never use an emailed link to visit the site because it's just as easy to find the right page through Paypal itself. If they make it hard, they don't deserve my business.
Re: (Score:3, Informative)
Re: (Score:2)
Yahoo article from Infoworld vanished. (Score:2)
Infoworld still has the original article [infoworld.com], but I can understand wanting to pull a story like that.
Now it's back. (Score:2)
Has Yahoo moved to Server 2007 or something? Weird.
here phishie phishie (Score:3, Insightful)
snark: And Safari users are advised to stop using PayPal.
Re:here phishie phishie (Score:5, Insightful)
I'm all for exercising personal responsibility, but I'd never argue that anybody 'deserves' to fall victim to a phishing scam.
The fact of the matter is that there are some people (my grandparents, for example) who like to use the Web, but who are perhaps just a little bit senile and might one day fall for this sort of thing. If even an Ars Technica writer can fall for it, how can we expect an 80+ year-old to constantly exercise due vigilance?
I'm actually quite OK with this PayPal advisory: the kind of people who will act upon it -- computing amateurs, basically -- probably should be using a browser that raises a big fat red flag when it hits a known scam site, and I'd recommend that such people use Firefox, Opera, or even IE 7 rather than Safari. The rest of us, those who are clueful enough to know how to protect themselves, aren't really the ones that PayPal is addressing here.
Re: (Score:3, Interesting)
Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.
On this I must disagree. Right now the best solution probably is double checking URLs, but that is realistically not a good solution for the majority of people. Apple (and every other browser developer) should be working on a URL whitelist/greylist/blacklist detection and warning technology. I'm not sure, however, that they should rush to deploy such technology. It might be better to wait until it is reliable enough to provide real benefit without providing a false sense of security. Right now IE has su
Re: (Score:3, Interesting)
Why is double checking the URL not a good solution for most people?
First, because as more and more services become dependent upon URLs there are fewer and fewer URLs that don't have some feature that might indicate they are really a phishing attempt. Also, as the Web becomes more international more characters that look the same or very similar are introduced. More and more legitimate e-mail messages, even automated ones, reference Web sites. Am I going to look at every single e-mail I get from Netflix to make sure the URL that pops up really is NetFlix? Maybe, or maybe I
Re: (Score:2)
I use the same machine for most tasks and it manages all my passwords for me. If I have to type anything, well it probably is a phishing attempt.
Re: (Score:2)
Yes, that last letter was the numeral 1. pretty hard to tell, huh? Especially if the font wasn't serifed.
How about those sites which used the multilingual capabilities of certain browsers like firefox to list non-anglo-roman characters into the address bar which looked similar or identical to the literal versions of those letters?
The fact is, the phishers are crafty, generally more crafty than your Average Joe when it comes to internet tri
Re: (Score:2)
Re: (Score:2)
The insurance companies would think so in both cases, you'd be completely on the hook if there was evidence of negligence.
Phishing protection? Really? (Score:5, Insightful)
So why not cut the middleman and just advise them to not fall for phishing scams -- that is, to always verify https://www.paypal.com/ [paypal.com] in the URL?
Re:Phishing protection? Really? (Score:5, Funny)
It might be a phishing scam!
Re: (Score:2)
Every browser has an anti-phishing mechanism (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re:Every browser has an anti-phishing mechanism (Score:4, Insightful)
But DNS cache poisoning isn't really a browser issue, is it? (although I suppose a browser exploit could be used to pollute the local DNS cache on a user's machine)
/Mikael
Re: (Score:2)
Re: (Score:2)
Of course, in the case of a really neat phishing where the address is really close, this may not work all the time. Do you actually check every link you follow to make sure it's correct? maybe, say, if it was e-mailed from a personal friend or something?
I'm sure a lot of doctors would say that if people just washed their hands more, you wouldn't get as sick... but if you DO get sick, they don't just tell you "Pft, too bad, you should have washed your hands. Next."
Besides... if it's possible for a brows
Re: (Score:2)
Re: (Score:2)
Yes of course! Why didn't they realize that DNS has been an absolutely reliable indicator of the authenticity of a site, ever since DNSSEC was implemented way back in 1997.
I'll tell you why: because that happened in an alternate reality, not this one!
Re: (Score:2)
Oh, and I almost forgot about iframes. You know, that feature that lets you put another site inside your site, without changing the address bar or showing an obvious frame border? Yeah.
By the way, chances are I am not behind a firewall or proxy, can we get that stupid condescending message changed to just "Slow down Cowboy, do you think this is a discussion forum?"
Re: (Score:2)
i've gotten those scam e-mails before... (Score:3, Interesting)
mine was similar, only it claimed they were doing a fraud investigation about fraudulent use to my account.
they use the images and everything it looks exactly like a paypal e-mail, only the hyperlink when you hover over it says a different website than in the email message. (they're doing a simple html trick, which is always the first thing i look for)
I've seen them do the same thing with say, yahoo mail login sites, etc. one of my less savvy friends got her IM name stolen for use sending IM spam.
safari is bass acwards to not show the real url on a tool bar! i couldn't live a day without that feature.
Re: (Score:2)
Maybe you're the confused one.
Re: (Score:2, Insightful)
Re: (Score:2)
Browsers cannot help (Score:2, Insightful)
the headline could have also just said "Paypal tells idiots to stop clicking on paypal emails"
but that would potentially stop the 1 in 1000000 clicks that are legit and paypal would not want that transaction to not happen, so its message to us is to stop using Safari.
isn't anything going on worth reporting? this is filler...
They've had it too good for too long... (Score:5, Funny)
Re: (Score:2, Funny)
Windows users have a battle-scarred paranoia...they've seen worms that can rewrite their BIOS, steal their credit cards, and kidnap their firstborn.
And the fuckers STILL just click every YES button that pops up.
Use IE? One problem... (Score:4, Insightful)
Microsoft stopped making (and supporting) IE for Mac in 2003. See for yourself [wikipedia.org].
clicking links in email = bad (Score:2)
Fish all you want... (Score:5, Informative)
They can get my paypal username and password, but they still need the electronic key that only *I* have. I suggest anyone who actually uses paypal get one of these, they are trivial to use and paypal is selling them incredibly cheaply.
Re: (Score:2)
Eric
EASILY fixed - never click on email links (Score:5, Informative)
Paypal will NEVER require you to click on a link in an email. All ebay functions can be accessed from my.ebay.com. My bank specifically states 'we will never send you links in an email, ALWAYS type in our website address yourself'.
Follow that advice and you have no problems. PERIOD.
If you think the email is legit, log into the site you type in yourself and see if there is an alert. Or ring them yourself. (On a side note I once had a credit card company ring ME and refuse to say who they were until I confirmed who I was by giving my DOB. I rang them back on the proper number and went off at them.)
Case closed yadda yadda.
Re: (Score:3, Informative)
Happened to me once, with a Wells Fargo credit card. Except it wasn't a person, it was a computer! (ie, voice prompts). And it wanted me to enter not my DOB, but my SSN!! At first I was sure it was a scam, that there was no way my bank would do something so stupid. But after hanging up & calling them back directly, I found out i
Questionable Motives (Score:4, Insightful)
And don't even get me started on how effective I think the whole "keep a list of the bad guys" approach is.
Solution is simple (Score:4, Informative)
Re:How good Ars Technica writers at tech and revie (Score:5, Insightful)
I'm very happy for you, that you've never made a single careless mistake in your life. However, please do try to have a little mercy on those of us who are merely human, especially when we're honest enough to admit it.
Re: (Score:3, Insightful)
Step 2: There's no step 2. There's no step 2!
It's not exactly rocket science.
Comment removed (Score:5, Insightful)
Re:In other news... (Score:5, Funny)
Re:In other news... (Score:4, Funny)
Re: (Score:3, Insightful)
Now it's snarfed your bank info from some notepad you keep.
USB Key gets into an internet connected machine someday, its autorun notices that there's an internet connection, so it uploads what it found.
Re: (Score:2)
I think I speak for almost all of Slashdot when I say, "Is she cute?"
Re: (Score:2)
The user has to tell the different from bad sites and the real site.
Yeah, and on my old truck I had to shift gears by hand using a double clutch and putting it in 4WD meant climbing out and locking the wheels by hand. That doesn't mean users don't want something easier and better.
If a girl called you saying they are from your bank asking for the numbers on your Bank card would you give it to her?
No, but I never get calls from my bank. I do get regular e-mail messages from various Web services. I do enjoy having my cell phone tell me the identity of callers automatically, without my having to get out a little black book and check before answering. Given that my computer is even more of
Re: (Score:2, Insightful)