PayPal Denies It Will Block Safari

Posted by kdawson on Mon Apr 21, 2008 10:18 PM
from the phishing-for-apples dept.
Despite reports that PayPal may drop support for Apple's Safari browser because it lacks anti-phishing features, PayPal now says it ain't so. Though PayPal telegraphed displeasure with Safari last January, they're now unambiguous about their position: "We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website."

Related Stories

Paypal Advises Users To Stop Using Safari (362 comments)
eldavojohn writes "Over concerns for lack of an anti-phishing mechanism for Safari, Paypal is telling its Mac users to use another browser. An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him. 'Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat.'"
PayPal Plans To Ban Unsafe Browsers (367 comments)
Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month. "'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Current versions? (Score:5, Interesting)

    by calebt3 (1098475) on Monday April 21 2008, @10:23PM (#23153832)
    So up-to-date Lynx, Links2, Dillo, etc are all perfectly acceptable?
    • by menace3society (768451) on Monday April 21 2008, @11:17PM (#23154232)
      I think the point is that they won't specifically block them. They will block browser programs that are known to be unsuitable, like the Netscape 2, or IE 4, or Mosaic.

      However, if you use browsers that don't support plug-ins/protocols/captchas/whatever that paypal demands of the browser, you may still be SOL.

      In short: I expect there will be a black-list of unacceptable browser versions, rather than a white-list of accepted browser versions.
    • Trying with Lynx: (Score:5, Informative)

      by SanityInAnarchy (655584) <ninja@slaphack.com> on Monday April 21 2008, @11:30PM (#23154318) Journal
      lynx https://www.paypal.com/ [paypal.com]
      SSL error:no issuer was found-Continue? (y) y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: cookie_check=yes Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: navcmd=_home-general Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: navlns=0.0 Allow? (Y/N/Always/neVer)y
      # FINALLY there's a homepage. "Member Log In" is on the second page.
      SSL error:no issuer was found-Continue? (y) y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      Refresh: 1 seconds
      https://.../ [...]
      SSL error:no issuer was found-Continue? (y) y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
      www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y ...


      Ok, if I'd hit "a" to those cookies, it would've been a lot better. And there are a fscking LOT of cookies.

      Now, I haven't actually tried to do anything with it so far, but I suspect that it would, in fact, work just fine. It's curious that it doesn't like the SSL -- I suspect that's a problem with my version of Lynx, as Firefox and Konqueror don't give me any SSL warnings. But other than that, Paypal isn't doing anything to block Lynx, and it looks reasonably navigable.
  • by Fluffeh (1273756) on Monday April 21 2008, @10:26PM (#23153848)
    Wowsa, that change is quicker than it takes to read the following:

    Previous: "We know better than you do about what you should and shouldn't be using, so we will stop you possibly getting yourself into trouble."

    Current: "Wow, there are so many of you that are quite happy to be wrong that we think you better be allowed to get yourselves into trouble."

    My interpretation: Right or wrong, the masses will always win it seems.
  • by v(*_*)vvvv (233078) on Monday April 21 2008, @10:39PM (#23153940)
    they were going to deny certain browsers, I said the terrorists won.

    I take it back. PayPal are the terrorists.
  • by Anonymous Coward on Monday April 21 2008, @11:16PM (#23154214)
    I closed my Paypal *and* eBay accounts when eBay said you HAD to accept Paypal in order to sell stuff and Paypal said they would hold payments for 21 days. Hated to see all that positive eBay feedback go, but I don't like being dicked around by corporate bozos.

    There are so many other alternatives to Paypal that I don't see why people bother with it.
    • by dgatwood (11270) on Tuesday April 22 2008, @12:29AM (#23154710) Journal

      If/when they do this in the U.S., I will stop using eBay. I'm no longer going to deal with PayPal after the fiasco on a group buy I've been involved with.

      Backstory: A bunch of us on a home recording bulletin board set up a group buy to purchase microphones, preamps, shock mounts, etc. from a manufacturer in China. This is about the third or fourth group buy organized by the same person, so his reputation is darn near unquestionable.

      After order taking was done, we got sabotaged. Someone (who we strongly suspect works for a company that imports from this vendor and sells at a huge markup) signed up for a Yahoo email account and joined the group buy and requested a small item. Once about 10% of the people had paid their invoices, this person paid for the item, then sent in a claim to PayPal. The problem is that this person claimed to be a member of a bulletin board, yet that person has never been a member of the board in question. So basically the whole complaint was one giant fraud, and we're pretty sure we know who did it, as they have tried to sabotage group buys in the past....

      Since the complaint was filed, PayPal's story keeps changing. First, they said that the person claimed he hadn't received an invoice, which is absurd, but easily rectified if the person had contacted anyone involved. Next, PayPal provided lots of details about how the group buy worked (way more than you would normally expect) and said that it wasn't a type of transaction that they wanted to deal with. That I could believe, but it isn't a violation of their TOS as best I can tell. Finally, they claimed that someone had claimed the product was "not as described", which is pure comedy since the manufacturer hasn't started making the products yet. Basically one half truth after the next (and even that half is giving PayPal the benefit of the doubt...).

      After about a week of this crap, PayPal finally released everyone's funds. Fortunately, this time, one of the people they were screwing was friends with a highly placed executive at PayPal, so we had some leverage to get the situation expedited and get our funds back in a timely fashion. The last time PayPal screwed over a group buy, it took several weeks before we got our money back. (Yes, these dirty tricks have happened before thanks to a certain company who will remain nameless at least until I can prove it was them---if anybody in Yahoo's mail team would be willing to help with this, you'd have about 400 fans for life....)

      Unfortunately, however, the person who set up the group buy had received another payment for an unrelated sale and needed the money to pay his taxes. His account is frozen for something like six months, after which he'll get his money and his account will be closed... all because of a single complaint by someone who could not provide one shred of documentation of any communication with the seller prior to filing the complaint.

      Having seen how PayPal treats sellers, I'm no longer inclined to do business with PayPal. If I can't trust them to hold up their contractual obligations and do so in an equitable and reasonable fashion, then why should I trust them with my hard-earned money? I'm not protected any better than I used to be back when eBay sales all happened with cashier's checks, so why should PayPal be getting a cut if they aren't providing any real additional protection for the transaction?

      At this point all I can say is this: PayPal Sucks [paypalsucks.com], and if you deal with them long enough, you will eventually get burned. It's just a question of when.

      • by SirJorgelOfBorgel (897488) * on Tuesday April 22 2008, @07:24AM (#23156362)
        Yup, PayPal definitely sucks.

        I run a business, about a month ago we started to accept PayPal as payment (while waiting for our own merchant account to clear). We made about $17k in a week. We transferred the first $7.5k to our bank account (thank god!) after a day or two. After no more than seven days, PayPal closed our account, without giving any reason.

        After having our lawyer write some letters to them (they didn't respond to us ourselves at all), and PayPal giving several different and evasive answers, it came out that the 'contact person' for our business account had once ordered something of an erotic nature with PayPal, and that is against their agreement.

        Now, several things are wrong with that. I won't go so far as to say that person has never bought erotica, I don't know and really don't care. What is definitely wrong with that, though, is that said person has only made two PayPal payments in his life and they weren't related to erotica (yes I am sure of this). Furthermore, PayPal mentions accounts that do not actually exist and never have. It's complete BS.

        What else is wrong with that: how the hell can they close a business account because they do not like the contact person's personal account? Since when is a company responsible for their employees' private actions? What's worse, their allegations aren't even true.

        So now PayPal is sitting on $10k of my money I desperately need, without a valid reason. They refuse to clear it, they refuse to discuss it. They have even refused giving us the 'offending' transaction details (how the hell can we dispute anything if we don't have access to the data?) - lawyer is dealing with that, though.

        All in all, the money, the lawyer costs, the lost customers, reputation damage, etc, are now easily more than a $50k loss for us.

        Should you read this and be a no cure no pay type lawyer (hey, PayPal got my money) in the UK, feel free to drop me a line so we can talk about suing PayPal's pants off (our company lawyers cannot help us there, as PayPal Europe operates under English law and we're not from England).

        Hey, I thought it wouldn't happen to me. But yeah I got burned. Doing business with PayPal is an accident waiting to happen...
  • by Ilgaz (86384) * on Tuesday April 22 2008, @02:14AM (#23155202) Homepage
    I invite you to check Macworld discussion at
    http://forums.macworld.com/thread/98919?tstart=0 [macworld.com]

    I have never seen a thing like that. Macintosh community hates them so much after that disastrous stupid statement that I STILL get new message alerts after 2 months as people keep commenting how stupid they are, Verisign bribed them, MS lapdog, eBay is scam.

    This is an OS that loads ocsp on startup to check the SSL certs at core OS level:
    Apr 22 09:07:29 quad /usr/sbin/ocspd[1735]: starting (system.log)

    EV matters? How much does it cost a commercial site the size of Paypal? Does Paypal feel their consumers are insecure instead of using FREE data from community powered services like http://www.phishtank.com/ [phishtank.com] ?
    Post a job listing for Cocoa/Carbon, Objective C developer. Cough up some money and distribute your plugin. Don't use "No XUL" as excuse, it is easy to watch current URL on Safari. ICQ from 2003 can still read it.

    • by Anonymous Coward on Monday April 21 2008, @10:45PM (#23153974)
      I work for PayPal, so I'm getting a kick out of these replies. Some of you guys are very good at making it sound like you know what you are talking about.

      But trust me.... You don't.

      I think you just want to make yourself sound smart, when in reality you don't know what you are talking about.

      This is how bad info gets passed around.

      If you don't know about the topic....Don't make yourself sound like you do.

      PayPal's only motivation in blocking Safari is to keep the gays out. That's all. Don't paint any sinister motivation. That's just good business sense.
      • by RiotingPacifist (1228016) on Tuesday April 22 2008, @05:09AM (#23155914)
        I work for the federal bank of Nigeria, i would like to inform you that a recently deceased prince, left 500 mod points in his acount. No one will ever come forward to claim them and according to The Law of Nigerian Government, at the expiration of 10 years the, Money will revert to the Ownership of the Nigerian Government. We decided to contact you to assist me in claiming these mod points for safe Keeping and investments on her behalf as everything will be taken over by the government as provided in section 129 sub 63(N), Africa Banking Edit of 1961.
        This prompted us to contact you. In exchange for passing on you slashdot account details you will be credited with 10% of the mod points, The Transaction is 100% Legal and totally free of risks as all modalities has been Perfected to ensure the hitch free success of the Transaction, however due to some security risks we can only accept applicants who are using an recent version of Mac os X

        I look forward to hearing from you http://www.slashdot.scam.nig/ [scam.nig]
    • Re:Are you sure? (Score:5, Insightful)

      by Admiral Ag (829695) on Monday April 21 2008, @11:09PM (#23154168)
      They can't afford to block Safari, not because of the Macintosh or Windows version, but because of the iPhone/iPod Touch version. The latter is rapidly becoming the standard for mobile browsing (or at least has such a large share that it cannot be ignored).

      The increasing popularity of mobile browsing is an opportunity for Paypal to act as a mobile digital wallet. There's certainly no point in carrying a debit card if you can just use your phone. I'm guessing that is Paypal's aim. Whether or not they can beat the banks to direct money transfer is debatable though.
    • by patio11 (857072) on Tuesday April 22 2008, @12:03AM (#23154520)
      It's a difference based on whether you have a Paypal cookie on your system. If you do, they push the paypal option, since that means you move money from one Paypal account to another and Paypal gets an interchange fee but doesn't have to pay anything. If you don't, they give the credit card equal billing, since they know that maximizes the odds of them getting a transaction, even if they have to kick back most of their interchange fee to the credit card.

      Since your IE and Firefox cookies are not shared, my guess is that you haven't logged in on IE recently. Try logging in for both browsers then logging out and attempting a purchase. You'll get identical behavior.

      Disclaimer: IANAEOP (I am not an employee of Paypal) but half my business runs through them.
    • Re: (Score:3, Interesting)

      My suspicion is that when PayPal deals with browsers that are not "up to snuff", there will be differences in behaviour and additional back-end security measures that may not be used with "approved" secure browsers. But I doubt they will disallow any modern browser entirely.

      The real question is what exactly does this do for "security". Anything that PayPal does on their end will have no effect on phishing sites. All current web browsers, regardless of how PayPal treats them, will function with phishing si