PayPal Plans To Ban Unsafe Browsers

Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month. "'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."

What If?...

Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".

Re:What If?...

Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".

Wow. That's a rather clever stragegy. I wonder why no one thought of it earlier.
I think they should just get all paypal users to assemble one day (may be in the Arizona
desert) and then teach all of them what you suggested.

Thinking more about it, maybe they should not just restrict themselves to Paypal users -
they should just assemble all internet users & teach them these things.

Re:What If?...

I think they should just get all paypal users to assemble one day (may be in the Arizona
desert) and then teach all of them what you suggested.

Send out a spam like this:

"I am the widow of a wealthy Arizonan entrepreneur. I am in need of assistance in transferring large sums ($153m) of money. Your help is appreciated. Meet me at the Tuscon desert state park at 8:00 in the evening on April the 19th to complete the transaction. I will give you 25% of the money as a reward for your assistance."

Also:

"Your PayPal account has been deactivated! To reactivate it, you must come to the Tuscon desert park at 8:00 PM on April 19. If you do not proceed, your account will be permanently closed!"

That should get all of the people in need of such education to show up.<g>

Re:What If?...

Because whenever scammers come along to make stupidity more painful, we focus only on the fact that the scammers do this for their own short-term personal gain. Therefore, we lose sight of what happens to any community when all standards are lowered, no one is expected to think for themselves or make informed decisions, and causes (large number of clueless users) are confused with effects (criminals who take advantage of that cluelessness). It's easy for people who cannot separate their emotions from their intellect to get caught up in the outrage at parasitic people who profit from this situation and completely ignore why such scams are so successful in the first place.

Unprincipled people apparently need a fire under their ass before they will willingly broaden their knowledge, expand their experience or otherwise understand anything beyond the superficial level. To me that's quite a shame that they really seem to consider learning, an appreciation for self-reliance, and thinking for yourself to be terribly hard work to be avoided at all costs, rather than a journey of discovery that makes life much less routine and much more interesting. At any rate, if the goal is to remove all incentive to ever actually understand the tools (computers, networks, etc) that we use each day, we are on the right track.

As the saying goes, "A fool and his money are soon parted." Anyone who uses what he does not remotely understand and expects consistently good results qualifies as a fool. For some reason, when a computer is involved this commonsense concept is completely ignored.

Now cue the apologists and their thousand excuses for why literate individuals with no learning disabilities should not be expected to understand the basic concepts behind tools that they decided, of their own free will, to use on a daily basis. It's willful helplessness, plain and simple.

With the increasing social acceptability of this kind of victim mentality, the idea that you are responsible for your own well-being is apparently rather threatening to many people. This is obvious because they tend to give angry emotional responses instead of well-reasoned arguments explaining why they believe I am wrong.

Re:LOL.

Rob Malda has barely made any effort to fully describe the process of selecting Slashdot moderators. What little information that has been supplied is an outright lie. The story of Malda's moderation system is far more insidious than merely separating wheat from chaff.
Last night, as I leaned over to give my Natalie Portman poster a tender kiss goodnight, I was psychically cast into a hypnotic trance. While entranced, my spirit guides delivered unto me the tale of the Slashdot moderators. Prepare to have your faith in Mr. Malda and moderation shaken to the core.
Difficult as it is to believe, Rob Malda was an outcast teenager. He did well in some of his classes, but was terrible with English. As is so often the tragic case today, his teachers passed him anyway, just to get rid of him. Since Malda had no real life, he spent much of his time on the computer (of course), and watching the public-access cable channel. It was there that Malda heard of the mysterious Mongolian Monks.
Malda was watching his favorite talk show, "Elizabeth Claire Prophet." The guests that night were a group of monks based in Mongolia. The monks described how they had been travelling to China to trade some of their cute teen daughters for Natalie Portman memorabilia. The monks had travelled no more than three days when they noticed a brilliant light in the daytime sky. The light grew larger. And larger. And larger. Soon the sky was completely hidden, from horizon to horizon, by a giant metallic disk.
The monks were taken aboard the craft and placed under some sort of alien mind-control. There, they were given the deepest possible insights into the nature of man, the universe and God. A week later, the alien beings returned the monks to the Earth and vanished forever.
The monks considered the area holy ground and constructed a new temple there, not bothering to return to their old monastery. They took their daughters as wives and began their own commune of worship, based on the teachings of the aliens. The monks practiced meditations which unleashed powerful spiritual forces within them. As the wives bore children, the community grew.
Malda was intrigued by the spiritual insights received by the monks and excited by the idea of incestuous pleasures. Unfortunately, the monks had no internet connection and so Malda could not email them. Without hesitation, Malda booked a flight and left for Mongolia. The plane ride was long and tiring, but his curiosity kept him driven.
After a month of searching, Malda finally located the commune. Initially, he, kept a safe distance, for fear of rejection. He studied the monks from afar. Malda had heard stories of the monks' bizarre meditations, which gave them extraordinary powers. Malda was somewhat skeptical of these stories at first, until he saw the truth first-hand.
In the week that Malda studied the monks, he witnessed the breaking of every natural law. He was astonished as he watched the monks levitate, create pockets of lush weather within the commune and communicated with spirit forces. Malda grew more and more excited and he devised a plan for meeting them.
Malda knew the monks would respect him if he could display his own "magical" powers. He was determined to win their confidence, and he had with him all of the necessary tools. He approached the commune confidently. The monks greeted him with skepticism at the gate. Malda took a deep breath and began his show.
Using an AIBO, a can of Jolt Cola and an inflatable sex doll, Malda shocked the monks with his display of magical powers. The monks accepted him into the commune. Malda's head was shaved and he was given a robe and a room. The monks warned Malda to stay away from their daughters-wives.
The monks methodically taught malda the word of the great messengers. He learned eagerly at first, but soon grew bored with his life in the commune. Malda's life was further stressed when his blow-up doll suffered a puncture-wound and became useless. A few days later, his AIBO's power dried up. With no pet and no woman, Malda slowly

Re:LOL.

I have never before been so entertained by a troll/weird off-topic story. But I loved this line:

He took apart the AIBO and used its quality Sony components to enhance the machete with a nuclear driven flaming mechanism

Re:LOL.

Yes. Go to http://turbotax.intuit.com/freedom [intuit.com] and pretend you want to file your taxes there. Understandably, you need to enable cookies/javascript. But then what happens? "Your browser is not up to date" it says. "Please install Firefox 1.07, IE 6, or Netscape 8 on Windows, or some other stuff for Mac."

Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*

So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.

Re:Yes.

Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.

Re:Yes.

What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"

Re:Yes.

Obviously IQ tests are not required to use the Internet, nor have children, nor drive, etc.

Still vulnerable to phishing...

Dear PayPal User:

After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/ [127.0.0.1].

PayPal apologizes deeply for the inconvenience.

Re:Still vulnerable to phishing...

Heh. That address resolves! 404, though.

But back up a bit and you get the whole directory structure. TONS of porn in a couple folders.

User Agent Change

Safari for Mac:

Preferences > Advanced > "Show Develop Menu in Menu Bar"

Develop > User Agent > Firefox 2.0.0.12

Suck it > Paypal

I have an idea...

Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?

Netcraft seems to have a slightly different take

Paypal is hyping Extended Validation certificates after Netcraft posts articles like this:

Extended Validation certificates and XSS considered harmful [netcraft.com]

Curious if nothing else.

Re:Netcraft seems to have a slightly different tak

Netcraft is dead. Paypal confirms it. And E-bay swapped it for some military hardware.

Who are they to decide what is and isn't safe?

Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.

Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?

Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)

What about Lynx?

Is Lynx still considered unsafe? Have they fixed that graphics display hole yet? That was reported, like, 20 years ago.

How about the other way around?

How about the other way around? Have safe browsers ban PayPal!

First, Ebay Should BAN Sending Email to Users

And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - ie. how can a user know the email is real, it's not encrypted, etc.

Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.

Ron

Re:First, Ebay Should BAN Sending Email to Users

Dear eBay User,

There is a new message waiting for you. You may login into here [slashdot.org] to access it.

Sincerely,
eBay Scammer.

How valuable are EV SSL certs?

If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.

I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.

Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...

More to the point, older browser showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SLL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about use that to show critical information in the certificate, like the CN?

Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".

But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.

Paypal blocks unsafe browsers...

...but the head of the International Phishers Guild says that all of their sites will continue to work with any browser you want. Spokesman Anome Smith says "We will not be following Paypal's lead on this. Popular phishing sites like www.payypal.com, www.paypa1.com, and 192.168.178.287/paypal will all continue to work with any browser you please. "

Easy Phish - Thank you Paypal

Paypal not letting you in?

Have no fear.. with paypalproxy.com you can use any browser to access your account.

--
So long and thanks for all the phish.

Re:Banks should do this.

Banks should have been doing this since they introduced internet banking.

Are you nuts?

"We're sorry. You're not using IE. And if you are using IE, your IE configuration isn't permitting us to run the MegabanX proprietary ActiveX control that our conslutants [sic] told us would eliminate all our liability. Please enable ActiveX support in order to continue banking with us, or turn off that Netscape thingy and upgrade to IE4.0 and resize your window to 800x600 while you're at it."

Forgive me for the sarcasm, but I had to switch banks twice because of that sort of crap. Think back a few years. The last thing any of us would have wanted "since they introduced internet banking" was our banks doing User-Agent and Javashit-based snooping on our configuration.