Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month.
"'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
Wow. That's a rather clever strategy. I wonder why no one thought of it earlier. I think they should just get all PayPal users to assemble one day (maybe in the Arizona desert) and then teach all of them what you suggested.
Thinking more about it, maybe they should not just restrict themselves to PayPal users - they should just assemble all internet users & teach them these things.
I think they should just get all PayPal users to assemble one day (maybe in the Arizona desert) and then teach all of them what you suggested.
Send out a spam like this:
"I am the widow of a wealthy Arizonan entrepreneur. I am in need of assistance in transferring large sums ($153m) of money. Your help is appreciated. Meet me at the Tucson desert state park at 8:00 in the evening on April the 19th to complete the transaction. I will give you 25% of the money as a reward for your assistance."
Also:
"Your PayPal account has been deactivated! To reactivate it, you must come to the Tucson desert park at 8:00 PM on April 19. If you do not proceed, your account will be permanently closed!"
That should get all of the people in need of such education to show up.<g>
Because whenever scammers come along to make stupidity more painful, we focus only on the fact that the scammers do this for their own short-term personal gain. Therefore, we lose sight of what happens to any community when all standards are lowered, no one is expected to think for themselves or make informed decisions, and causes (large number of clueless users) are confused with effects (criminals who take advantage of that cluelessness). It's easy for people who cannot separate their emotions from their intellect to get caught up in the outrage at parasitic people who profit from this situation and completely ignore why such scams are so successful in the first place.
Unprincipled people apparently need a fire under their ass before they will willingly broaden their knowledge, expand their experience or otherwise understand anything beyond the superficial level. To me that's quite a shame that they really seem to consider learning, an appreciation for self-reliance, and thinking for yourself to be terribly hard work to be avoided at all costs, rather than a journey of discovery that makes life much less routine and much more interesting. At any rate, if the goal is to remove all incentive to ever actually understand the tools (computers, networks, etc) that we use each day, we are on the right track.
As the saying goes, "A fool and his money are soon parted." Anyone who uses what he does not remotely understand and expects consistently good results qualifies as a fool. For some reason, when a computer is involved this commonsense concept is completely ignored.
Now cue the apologists and their thousand excuses for why literate individuals with no learning disabilities should not be expected to understand the basic concepts behind tools that they decided, of their own free will, to use on a daily basis. It's willful helplessness, plain and simple.
With the increasing social acceptability of this kind of victim mentality, the idea that you are responsible for your own well-being is apparently rather threatening to many people. This is obvious because they tend to give angry emotional responses instead of well-reasoned arguments explaining why they believe I am wrong.
People who fall for phishing scams are not stupid. They are often very smart people. Mere general intelligence is no defense against scams. Even being a scam artist or security expert yourself isn't a guarantee because NOBODY has encyclopedic knowledge of every scam in human history. If they run across a scam they're not familiar with they're just as vulnerable as "stupid" people.
Knowing how to use the tools offers no protection against scams. Knowing how to use a telephone does not protect you from callers that contact you and attempt to scam you. Knowing how to open a door does not protect you from people who come to your door and try and scam you.
You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.
Scammers existed long before computers. If you created a free tool that would 100% stop all phishing under all circumstances the scammers would just switch to a different scam. The PROBLEM is the scammers. Period. Crime is the fault of criminals, not the victims.
by Anonymous Coward
on Thursday April 17 2008, @10:50PM (#23113886)
Grandparent is not equating being a victim with being stupid, but with being ignorant. Unfortunately in most cases, ignorant by choice. Notice he said "literate individuals with no learning disabilities" should take responsibility for understanding what they are doing online. I imagine he, like me, would have more tolerance for the truly stupid who are literally incapable of doing any better.
If you understand the basic concepts of how the internet works and apply critical judgment in your transactions, you don't need to have encyclopedic knowledge of every scam in human history -- that's the whole point.
Grandparent also predicted that some would give "angry emotional responses instead of well-reasoned arguments." Nice job proving him right.
People who fall for phishing scams are not stupid. They are often very smart people. Mere general intelligence is no defense against scams. Even being a scam artist or security expert yourself isn't a guarantee because NOBODY has encyclopedic knowledge of every scam in human history. If they run across a scam they're not familiar with they're just as vulnerable as "stupid" people.
There are many forms of stupidity. For some reason, intelligence keeps getting confused with wisdom. I'm honestly not sure if that confusion is deliberately encouraged in order to obscure the issue or if most people really have no working knowledge of what the difference is. They might both be true.
At any rate, you can have a very high IQ, perform wonderfully at all sorts of logic and mathematics problems, and still be a gullible, easily-scammed individual if you refuse to accept that plenty of people do not operate in good faith. You can be very intelligent and still make very stupid decisions. You can be very smart without being humble enough to recognize your limitations and therefore to understand when you are operating outside of your areas of expertise. You can be very smart without understanding that your area of expertise consists of having memorized the ins and outs of a particular inventory of knowledge and that you lack the practical, working knowledge component of true understanding.
Knowing how to use the tools offers no protection against scams. Knowing how to use a telephone does not protect you from callers that contact you and attempt to scam you. Knowing how to open a door does not protect you from people who come to your door and try and scam you.
You are exactly right. Knowing how to use the telephone shows that you have memorized a small bit of intellectual knowledge. Understanding that there are dishonest people in the world and that therefore, not everyone who calls you is truly who they claim to be demonstrates a working knowledge of the world and of the limitations of the telephone network; that is, a bit of wisdom. So why the need to apologize for people who can't tell the difference? Why send the message that people who have to learn the hard way are victims and therefore are helpless and cannot do better next time at all? Do you believe that you are doing them any favors?
You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.
Your analogy is flawed because once someone is stabbed, the laws of physics dictate that there is going to be a wound and it will probably be a serious one. It's not like a stabbing victim can decide "hmm, the point of a knife just struck my body with considerable force... should I let that injure me or not?" This is not the case with a scammer. Just because you receive a phishing attempt, there is no law of physics that forces you to give your personal information to a complete stranger without first performing some due diligence to verify that the stranger is who he/she claims to be. So while you might think you just made some profound point, you have compared an apple to an orange and have effectively made the claim that people must accept everything at face value and believe every lie someone tells them. Is that really your view of the world? Is it really your highest expectation of human capability? I celebrate your right to believe whatever you want, but I cannot support this type of victim mentality; indeed, it seems to be so ingrained into our culture that most people don't even recognize it for what it is.
by Anonymous Coward
on Thursday April 17 2008, @09:23PM (#23113390)
Rob Malda has barely made any effort to fully describe the process of selecting Slashdot moderators. What little information that has been supplied is an outright lie. The story of Malda's moderation system is far more insidious than merely separating wheat from chaff. Last night, as I leaned over to give my Natalie Portman poster a tender kiss goodnight, I was psychically cast into a hypnotic trance. While entranced, my spirit guides delivered unto me the tale of the Slashdot moderators. Prepare to have your faith in Mr. Malda and moderation shaken to the core. Difficult as it is to believe, Rob Malda was an outcast teenager. He did well in some of his classes, but was terrible with English. As is so often the tragic case today, his teachers passed him anyway, just to get rid of him. Since Malda had no real life, he spent much of his time on the computer (of course), and watching the public-access cable channel. It was there that Malda heard of the mysterious Mongolian Monks. Malda was watching his favorite talk show, "Elizabeth Claire Prophet." The guests that night were a group of monks based in Mongolia. The monks described how they had been travelling to China to trade some of their cute teen daughters for Natalie Portman memorabilia. The monks had travelled no more than three days when they noticed a brilliant light in the daytime sky. The light grew larger. And larger. And larger. Soon the sky was completely hidden, from horizon to horizon, by a giant metallic disk. The monks were taken aboard the craft and placed under some sort of alien mind-control. There, they were given the deepest possible insights into the nature of man, the universe and God. A week later, the alien beings returned the monks to the Earth and vanished forever. The monks considered the area holy ground and constructed a new temple there, not bothering to return to their old monastery. 
They took their daughters as wives and began their own commune of worship, based on the teachings of the aliens. The monks practiced meditations which unleashed powerful spiritual forces within them. As the wives bore children, the community grew. Malda was intrigued by the spiritual insights received by the monks and excited by the idea of incestuous pleasures. Unfortunately, the monks had no internet connection and so Malda could not email them. Without hesitation, Malda booked a flight and left for Mongolia. The plane ride was long and tiring, but his curiosity kept him driven. After a month of searching, Malda finally located the commune. Initially, he kept a safe distance, for fear of rejection. He studied the monks from afar. Malda had heard stories of the monks' bizarre meditations, which gave them extraordinary powers. Malda was somewhat skeptical of these stories at first, until he saw the truth first-hand. In the week that Malda studied the monks, he witnessed the breaking of every natural law. He was astonished as he watched the monks levitate, create pockets of lush weather within the commune and communicate with spirit forces. Malda grew more and more excited and he devised a plan for meeting them. Malda knew the monks would respect him if he could display his own "magical" powers. He was determined to win their confidence, and he had with him all of the necessary tools. He approached the commune confidently. The monks greeted him with skepticism at the gate. Malda took a deep breath and began his show. Using an AIBO, a can of Jolt Cola and an inflatable sex doll, Malda shocked the monks with his display of magical powers. The monks accepted him into the commune. Malda's head was shaved and he was given a robe and a room. The monks warned Malda to stay away from their daughters-wives. The monks methodically taught Malda the word of the great messengers. He learned eagerly at first, but soon grew bored with his life in the commune. 
Malda's life was further stressed when his blow-up doll suffered a puncture-wound and became useless. A few days later, his AIBO's power dried up. With no pet and no woman, Malda slowly
Yes. Go to http://turbotax.intuit.com/freedom [intuit.com] and pretend you want to file your taxes there. Understandably, you need to enable cookies/javascript. But then what happens? "Your browser is not up to date" it says. "Please install Firefox 1.07, IE 6, or Netscape 8 on Windows, or some other stuff for Mac."
Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*
So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.
Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.
What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"
What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"
We have those now. They are administered from a testing center in Nigeria. If you fail, your internet is soon cut off for non-payment.
First of all, thanks for belittling me. I was that bank IT guy, from 98 to 02. And contrary to your opinion, the IT staff of the average bank is quite good. It's just hard to find someone with good hacking skills and no police record these days.
What's true, though, is that the prophet ain't worth a dime in his own country. Only after I quit and started consulting did they hire me and take me seriously, essentially paying me to tell them the same thing I repeated over and over while I was there. Banks do take security seriously. Mainly out of self interest. First of all, the obvious loss of money. But more important even, the possible loss of goodwill. Usually a bank settlement after a fraud takes place can be summed up as "we pay, you shut up".
So whether they're liable for the loss is moot anyway. Paying some moron the 2k he lost when his account was hijacked and ransacked is peanuts compared to bad press. Banks will pay. Even if they keep telling that they won't (this is mostly hoping people will start getting a bit more wary when doing online banking).
Banks already started to acknowledge that there is a problem. Recently we had a week long two page "bank security course" in our major newspaper. To understand the quality of this, you have to know that no paper can write anything the major banks don't want it to write (banks are amongst the most important ad buyers here, piss off the banks and you close your doors). Actually, I know it was some sort of "sponsored report", if you know what I mean.
So apparently banks did wake up to hear the music. And when you look at their pages, they try to inform about the most recent frauds taking place, but that simply isn't enough. When you do your online banking once a week, you might already have clicked that "give info now or your account is gone" mail, without reading the warning.
What I'd envision is something like a quiz, where you can win a savings account with some token amount of money predeposited if you answer it all right. People like quizzes, especially when you can win something. The selling point would be that your bank does care about your money and your security, something that sells pretty well here (people would rather give you the keys to their home than their banking info, or tell you how much they earn, here).
And the reason people purchase products from large companies is so that they could offload some of the "hassle" or responsibility to the company that is hiring qualified professionals to analyze and develop the product they wish to sell. If me as a regular user (Pretend at the moment I'm not writing this from my linux laptop) wanted to trade my personal time to assume the responsibility of learning cutting edge counter phishing procedures, then I fail to see the purpose of paying for the service.
And thusly, we purchase a service from PayPal MegaCorp and expect them to take measures it deems necessary to protect the service it provides. The bottom line is simple: this is PayPal's business, it is PayPal's right to choose how to operate it, and we can take our ball and go home. And considering how many people think PayPal is evil, anyway, this should come as neither a surprise nor a disappointment.
But I still stand firm that people are to blame for the lack of security on the Internet. The telephone, the radio, the television, the tabloids, the newspapers, books, and so on were all considered at one time a method of mass disinformation, and some still are to a lesser extent. Why else would we have phrases in our lexicon like "you can't believe everything you read/see on TV/hear on the radio"? Because people are willing to throw caution to the wind. We are more apt to scrutinize and discriminate against information people may throw at us in person, face-to-face, but as soon as the information is put into some form of communication medium, we lose our senses.
We know the guy on the street corner in New York is not selling real Rolex watches; we know the fella that chats you up on the bus is not legitimately selling prescription medications. Even so, we are more apt to believe that these things are available on web sites, because we have it drilled into us that the world is at our finger tips, every thing can be found on the Internet.
If you want to get down to brass tacks and point fingers, WE are to blame for the folly of those who surround us. Yes, WE are to blame. Because WE chose to learn and understand and ignore the plight of those who have not. WE are the shop class instructors letting the uninformed use the table saw without proper instruction and then blaming them when they lose fingers. It is our responsibility to educate and inform others why what they are doing is wrong -- and in many cases we even get paid for doing so.
And I do not mean that using Windows is wrong, but that clicking on email links without thorough scrutiny -- or even at all -- is wrong; that blast-forwarding unconfirmed rumors is wrong; that not understanding that the bank will never send an email and tell you to go to a site and enter all of your vital statistics is wrong (and if it does, then you should run like hell, anyway); that the use of semicolons is ill-advised.
I find it amusing that some of us will take the "duty" to throw out Mom and Dad's Windows PC and replace it with a Linux or Mac box, then walk away pleased with ourselves over the "service" we have just done. When, in fact, the "service" we should be providing is education. It does not matter in front of what box Mom and Dad sit, without the proper knowledge, they are still vulnerable to phishing schemes and exploits.
Really, these so-called idiots out there are mostly just uninformed. Some non-BOFH-type PFY handed them a computer at the WorstBuy, CompUSELESS, or Radio Shanty, without taking the short amount of time it takes to instill a small bit of cynicism over unsolicited or unexpected information and requests. There were no pamphlets at the store explaining how email can be as dangerous as a phone call from "your phone company" or "your bank." Most of these people CAN be taught and guided.
And the ones that cannot will be eliminated one way or another, but of course not before making complete and utter asses of themselves.
And WE used to educate them every September. That is until AOL based their business on getting everyone to connect to the internet without bothering to properly educate them.
No more than we walked away from the telephone, fax machine, and postal mail. I simply found folly in your statement that the whole phishing thing was Microsoft's fault. Put blame where responsibility falls, on people who manage important data.
It is... Not only does it make more money for verisign, but it also raises the bar for retailers so that smaller shops can't afford the same certificate, and thus look to be "less secure" than their larger competitors.
A green bar means nothing, what's really needed is for users to make a white list of the sites they use, then when they visit a scam site it will say "this is a new site you've never visited before" as opposed to "this is paypal, one of your frequently visited sites"... The browser can tell the difference between www.paypal.com and www.p4yp4l.scam.cn, it just needs to communicate that to the user in a sensible way. Users need educating too, I can't believe people are still stupid enough to try logging in to paypal when the url bar contains something completely different. Also, it should be impossible to change the status bar (that shows where a link points when you hover over it) and mail clients should ALWAYS do something similar, hyperlinks in html can say one thing but point somewhere completely different, and html mail clients are a lot worse at telling that to the user than browsers.
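The two checks the comment above asks for, as an added example that is not part of the original thread or of any mail client: it pulls every hyperlink out of an HTML mail body, compares the host shown in the link text with the host the href really points to, and then compares the href's domain against a whitelist of sites the user has visited before. The mail body, the whitelist and the hostnames in it are constructed sample data; the two-label "registered domain" helper is an assumption that stands in for a proper public-suffix list.

```python
"""Added example: flag suspicious links in an HTML mail body.

Two checks from the comment above, done outside the mail client:
  1. when the visible link text looks like a URL or hostname, its
     registered domain must match the href's registered domain;
  2. the href's domain must be one the user has visited before (the
     "whitelist of sites you use"), otherwise it is reported as new.
The mail body and the whitelist are constructed sample data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A URL or bare hostname filling the whole text; group 1 is the host.
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:].*)?$")


def host_of(text):
    """Return the lowercase hostname in a URL-looking string, else None."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def registered_domain(host):
    """Last two labels of a hostname; IP literals are returned whole.

    Assumption: real code would consult a public-suffix list, so
    co.uk-style domains are mis-split by this crude version.
    """
    if re.fullmatch(r"[0-9.]+", host):
        return host
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, known_sites):
    """Return [(href, reason)] for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    known = {registered_domain(h.lower()) for h in known_sites}
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname  # None for mailto:, javascript:, ...
        if target is None:
            continue
        target = target.lower()
        shown = host_of(text)
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif registered_domain(target) not in known:
            findings.append((href, f"{target} is a site you have never visited"))
    return findings


# Constructed sample: one mismatched link, one legitimate link, one IP link.
SAMPLE_MAIL = """<p>Your account will be suspended.</p>
<a href="http://www.p4yp4l.scam.cn/login">https://www.paypal.com/</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="http://192.0.2.10/paypal/">Click here to verify</a>"""
KNOWN_SITES = ["www.paypal.com", "mail.example.org"]

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_MAIL, KNOWN_SITES):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first check catches the "says one thing, points somewhere else" trick the comment describes; the second is the whitelist idea, and it is the only one of the two that fires on a link whose text is plain words like "Click here". Neither check tells you that www.paypal.com is really PayPal; that is what the certificate is for.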
Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?
Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.
Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is subsequently banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?
Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)
And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - ie. how can a user know the email is real, it's not encrypted, etc.
Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.
Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.
One very important thing they would have to do is include some sort of identifying information, otherwise this would open the door to some very easy phishing attacks (as per Nushio's sibling comment).
Perhaps in your eBay account, you could choose one from several thousand little pictures (e.g., as you do with video games and video game systems to choose an avatar picture). Then, the messages could read something like:
Dear SpottedKuh: [picture of a little cow that I chose]... check your eBay message centre, etc.
Then again, I think things like this have been tried before (don't some banks do something similar to this when you log in?) I guess if the users don't care to pay attention, they won't notice the difference between what I wrote above and:
If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.
I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.
Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is not and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...
More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about use that to show critical information in the certificate, like the CN?
Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".
But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
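The comparison the comment above wants the browser to surface, as an added example that is not part of the original thread: match the host in the URL bar against the names the certificate was actually issued for. The `cert` dictionaries are in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the three certificates are constructed sample data, not real ones; the matching rules (subjectAltName before CN, wildcard only as the whole leftmost label and only for one label) are the ones browsers apply.

```python
"""Added example: compare the host in the URL bar with the names the
server's certificate was issued for.

`cert` is in the shape Python's ssl.SSLSocket.getpeercert() returns.
The certificates below are constructed sample data, not real ones.
"""
from urllib.parse import urlparse


def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire leftmost label and only
    covers one label: *.example.net matches shop.example.net but not
    example.net or a.b.example.net, and *.net is refused outright.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names from subjectAltName; only if absent, the subject commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return [value]
    return []


def cert_matches_host(cert, hostname):
    """True when any name in the certificate covers `hostname`."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def check_url(url, cert):
    """Return (hostname, names_in_cert, ok) for the page at `url`."""
    host = urlparse(url).hostname or ""
    return host, cert_names(cert), cert_matches_host(cert, host)


# Constructed certificates.
LEGIT_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
PHISH_CERT = {  # perfectly valid certificate, issued for the wrong name
    "subject": ((("commonName", "www.phishingurinfoz.ru"),),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.net"),)}

if __name__ == "__main__":
    for url, cert in [("https://www.paypal.com/", LEGIT_CERT),
                      ("https://www.paypal.com/", PHISH_CERT)]:
        host, names, ok = check_url(url, cert)
        print(f"{host}: cert for {names} -> {'OK' if ok else 'MISMATCH'}")
```

Python's `ssl.create_default_context()` performs this check for you when `check_hostname` is left at its default of True, and a mismatch surfaces as `ssl.SSLCertVerificationError` rather than as a lock icon. The caveat the thread keeps circling back to still holds: a match only proves the certificate was issued for the host you typed. www.paypa1.com with its own valid certificate passes this check, so it does not replace reading the address bar.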
...but the head of the International Phishers Guild says that all of their sites will continue to work with any browser you want. Spokesman Anome Smith says "We will not be following Paypal's lead on this. Popular phishing sites like www.payypal.com, www.paypa1.com, and 192.168.178.287/paypal will all continue to work with any browser you please. "
I am a PayPal customer. I have a PayPal secure ID, a hardware token that generates 6-digit numbers (synchronized with PayPal's servers) that are part of my password authentication process. That means that even if someone gets my password (i.e. a phisher), they won't be able to log in that easily (they would need the hardware token to generate the current 6-digit number, which changes every 30 seconds). With all of that, I see no reason for PayPal to block me if I am using Safari, even if Safari is a bit less safe than other browsers. That would just mean adding an extra item to the list of things my iPhone can't do: access PayPal's webpage. That would really piss me off.
There are four scenarios, assuming we agree to what "safe" is.
1. Visiting paypal using a safe browser
2. Visiting paypal using an unsafe browser
3. Visiting a phishing site using a safe browser
4. Visiting a phishing site using an unsafe browser
The immediate result is only affecting scenario 2, so there will be some loss of business.
In the long run, paypal expects users who hit the scenario 2 to switch to a safe browser. And paypal is big and important enough (whether we like it or not) for a reasonable number of users to do the switch.
I realize I'm a little late in the game for this, and I give myself 50/50 odds that I'll actually send it in, but here goes:
I use PayPal right now because it is one of the more secure options out there. I give my financial details to one party (PayPal) instead of every site I do business with -- which means PayPal gives me the opportunity to review every single transaction, and approve or deny.
Banks should have been doing this since they introduced internet banking.
They can always download and install Firefox. Then install an anti-phishing addon.
What If?... (Score:5, Insightful)
Re:What If?... (Score:5, Funny)
Wow. That's a rather clever strategy. I wonder why no one thought of it earlier.
I think they should just get all paypal users to assemble one day (may be in the Arizona desert) and then teach all of them what you suggested.
Thinking more about it, maybe they should not just restrict themselves to Paypal users - they should just assemble all internet users & teach them these things.
Re:What If?... (Score:5, Funny)
"I think they should just get all paypal users to assemble one day (may be in the Arizona desert) and then teach all of them what you suggested."
Send out a spam like this:
"I am the widow of a wealthy Arizonan entrepreneur. I am in need of assistance in transferring large sums ($153m) of money. Your help is appreciated. Meet me at the Tucson desert state park at 8:00 in the evening on April the 19th to complete the transaction. I will give you 25% of the money as a reward for your assistance."
Also:
"Your PayPal account has been deactivated! To reactivate it, you must come to the Tucson desert park at 8:00 PM on April 19. If you do not proceed, your account will be permanently closed!"
That should get all of the people in need of such education to show up.<g>
Re:What If?... (Score:5, Insightful)
Unprincipled people apparently need a fire under their ass before they will willingly broaden their knowledge, expand their experience or otherwise understand anything beyond the superficial level. To me that's quite a shame that they really seem to consider learning, an appreciation for self-reliance, and thinking for yourself to be terribly hard work to be avoided at all costs, rather than a journey of discovery that makes life much less routine and much more interesting. At any rate, if the goal is to remove all incentive to ever actually understand the tools (computers, networks, etc) that we use each day, we are on the right track.
As the saying goes, "A fool and his money are soon parted." Anyone who uses what he does not remotely understand and expects consistently good results qualifies as a fool. For some reason, when a computer is involved this commonsense concept is completely ignored.
Now cue the apologists and their thousand excuses for why literate individuals with no learning disabilities should not be expected to understand the basic concepts behind tools that they decided, of their own free will, to use on a daily basis. It's willful helplessness, plain and simple.
With the increasing social acceptability of this kind of victim mentality, the idea that you are responsible for your own well-being is apparently rather threatening to many people. This is obvious because they tend to give angry emotional responses instead of well-reasoned arguments explaining why they believe I am wrong.
Re:What If?... (Score:4, Insightful)
Knowing how to use the tools offers no protection against scams. Knowing how to use a telephone does not protect you from callers that contact you and attempt to scam you. Knowing how to open a door does not protect you from people who come to your door and try and scam you.
You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.
Scammers existed long before computers. If you created a free tool that would 100% stop all phishing under all circumstances the scammers would just switch to a different scam. The PROBLEM is the scammers. Period. Crime is the fault of criminals, not the victims.
Re:What If?... (Score:5, Insightful)
If you understand the basic concepts of how the internet works and apply critical judgment in your transactions, you don't need to have encyclopedic knowledge of every scam in human history -- that's the whole point.
Grandparent also predicted that some would give "angry emotional responses instead of well-reasoned arguments." Nice job proving him right.
Re:What If?... (Score:5, Insightful)
There are many forms of stupidity. For some reason, intelligence keeps getting confused with wisdom. I'm honestly not sure if that confusion is deliberately encouraged in order to obscure the issue or if most people really have no working knowledge of what the difference is. They might both be true.
At any rate, you can have a very high IQ, perform wonderfully at all sorts of logic and mathematics problems, and still be a gullible, easily-scammed individual if you refuse to accept that plenty of people do not operate in good faith. You can be very intelligent and still make very stupid decisions. You can be very smart without being humble enough to recognize your limitations and therefore to understand when you are operating outside of your areas of expertise. You can be very smart without understanding that your area of expertise consists of having memorized the ins and outs of a particular inventory of knowledge and that you lack the practical, working knowledge component of true understanding.
You are exactly right. Knowing how to use the telephone shows that you have memorized a small bit of intellectual knowledge. Understanding that there are dishonest people in the world and that therefore, not everyone who calls you is truly who they claim to be demonstrates a working knowledge of the world and of the limitations of the telephone network; that is, a bit of wisdom. So why the need to apologize for people who can't tell the difference? Why send the message that people who have to learn the hard way are victims and therefore are helpless and cannot do better next time at all? Do you believe that you are doing them any favors?
Your analogy is flawed because once someone is stabbed, the laws of physics dictate that there is going to be a wound and it will probably be a serious one. It's not like a stabbing victim can decide "hmm, the point of a knife just struck my body with considerable force... should I let that injure me or not?" This is not the case with a scammer. Just because you receive a phishing attempt, there is no law of physics that forces you to give your personal information to a complete stranger without first performing some due diligence to verify that the stranger is who he/she claims to be. So while you might think you just made some profound point, you have compared an apple to an orange and have effectively made the claim that people must accept everything at face value and believe every lie someone tells them. Is that really your view of the world? Is it really your highest expectation of human capability? I celebrate your right to believe whatever you want, but I cannot support this type of victim mentality; indeed, it seems to be so ingrained into our culture that most people don't even recognize it for what it is.
Re:LOL. (Score:5, Funny)
Last night, as I leaned over to give my Natalie Portman poster a tender kiss goodnight, I was psychically cast into a hypnotic trance. While entranced, my spirit guides delivered unto me the tale of the Slashdot moderators. Prepare to have your faith in Mr. Malda and moderation shaken to the core.
Difficult as it is to believe, Rob Malda was an outcast teenager. He did well in some of his classes, but was terrible with English. As is so often the tragic case today, his teachers passed him anyway, just to get rid of him. Since Malda had no real life, he spent much of his time on the computer (of course), and watching the public-access cable channel. It was there that Malda heard of the mysterious Mongolian Monks.
Malda was watching his favorite talk show, "Elizabeth Claire Prophet." The guests that night were a group of monks based in Mongolia. The monks described how they had been travelling to China to trade some of their cute teen daughters for Natalie Portman memorabilia. The monks had travelled no more than three days when they noticed a brilliant light in the daytime sky. The light grew larger. And larger. And larger. Soon the sky was completely hidden, from horizon to horizon, by a giant metallic disk.
The monks were taken aboard the craft and placed under some sort of alien mind-control. There, they were given the deepest possible insights into the nature of man, the universe and God. A week later, the alien beings returned the monks to the Earth and vanished forever.
The monks considered the area holy ground and constructed a new temple there, not bothering to return to their old monastery. They took their daughters as wives and began their own commune of worship, based on the teachings of the aliens. The monks practiced meditations which unleashed powerful spiritual forces within them. As the wives bore children, the community grew.
Malda was intrigued by the spiritual insights received by the monks and excited by the idea of incestuous pleasures. Unfortunately, the monks had no internet connection and so Malda could not email them. Without hesitation, Malda booked a flight and left for Mongolia. The plane ride was long and tiring, but his curiosity kept him driven.
After a month of searching, Malda finally located the commune. Initially, he kept a safe distance, for fear of rejection. He studied the monks from afar. Malda had heard stories of the monks' bizarre meditations, which gave them extraordinary powers. Malda was somewhat skeptical of these stories at first, until he saw the truth first-hand.
In the week that Malda studied the monks, he witnessed the breaking of every natural law. He was astonished as he watched the monks levitate, create pockets of lush weather within the commune and communicate with spirit forces. Malda grew more and more excited and he devised a plan for meeting them.
Malda knew the monks would respect him if he could display his own "magical" powers. He was determined to win their confidence, and he had with him all of the necessary tools. He approached the commune confidently. The monks greeted him with skepticism at the gate. Malda took a deep breath and began his show.
Using an AIBO, a can of Jolt Cola and an inflatable sex doll, Malda shocked the monks with his display of magical powers. The monks accepted him into the commune. Malda's head was shaved and he was given a robe and a room. The monks warned Malda to stay away from their daughters-wives.
The monks methodically taught Malda the word of the great messengers. He learned eagerly at first, but soon grew bored with his life in the commune. Malda's life was further stressed when his blow-up doll suffered a puncture wound and became useless. A few days later, his AIBO's power dried up. With no pet and no woman, Malda slowly
Re:LOL. (Score:5, Interesting)
Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*
So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.
Re:Yes. (Score:5, Funny)
Dear god in heaven, please let it be so!
Re:Yes. (Score:5, Funny)
We have those now. They are administered from a testing center in Nigeria. If you fail, your internet is soon cut off for non-payment.
Re:Yes. (Score:4, Informative)
What's true, though, is that the prophet ain't worth a dime in his own country. Only after I quit and started consulting did they hire me and take me seriously, essentially paying me to tell them the same thing I repeated over and over while I was there. Banks do take security seriously. Mainly out of self-interest. First of all, the obvious loss of money. But more important even, the possible loss of goodwill. Usually a bank settlement after a fraud takes place can be summed up as "we pay, you shut up".
So whether they're liable for the loss is moot anyway. Paying some moron the 2k he lost when his account was hijacked and ransacked is peanuts compared to bad press. Banks will pay. Even if they keep telling that they won't (this is mostly hoping people will start getting a bit more wary when doing online banking).
Banks already started to acknowledge that there is a problem. Recently we had a week long two page "bank security course" in our major newspaper. To understand the quality of this, you have to know that no paper can write anything the major banks don't want it to write (banks are amongst the most important ad buyers here, piss off the banks and you close your doors). Actually, I know it was some sort of "sponsored report", if you know what I mean.
So apparently banks did wake up to hear the music. And when you look at their pages, they try to inform about the most recent frauds taking place, but that simply isn't enough. When you do your online banking once a week, you might already have clicked that "give info now or your account is gone" mail, without reading the warning.
What I'd envision is something like a quiz, where you can win a savings account with some token amount of money predeposited if you answer it all right. People like quizzes, especially when you can win something. The selling point would be that your bank does care about your money and your security, something that sells pretty well here (people would rather give you the keys to their home than their banking info, or tell you how much they earn, here).
Re: (Score:3, Insightful)
If I, as a regular user (pretend at the moment I'm not writing this from my linux laptop), wanted to trade my personal time to assume the responsibility of learning cutting-edge counter-phishing procedures, then I fail to see the purpose of paying for the service.
From the abo
Re:Yes. (Score:5, Insightful)
But I still stand firm that people are to blame for the lack of security on the Internet. The telephone, the radio, the television, the tabloids, the newspapers, books, and so on were all considered at one time a method of mass disinformation, and some still are to a lesser extent. Why else would we have phrases in our lexicon like "you can't believe everything you read/see on TV/hear on the radio"? Because people are willing to throw caution to the wind. We are more apt to scrutinize and discriminate against information people may throw at us in person, face-to-face, but as soon as the information is put into some form of communication medium, we lose our senses.
We know the guy on the street corner in New York is not selling real Rolex watches; we know the fella that chats you up on the bus is not legitimately selling prescription medications. Even so, we are more apt to believe that these things are available on web sites, because we have it drilled into us that the world is at our finger tips, every thing can be found on the Internet.
If you want to get down to brass tacks and point fingers, WE are to blame for the folly of those who surround us. Yes, WE are to blame. Because WE chose to learn and understand and ignore the plight of those who have not. WE are the shop class instructors letting the uninformed use the table saw without proper instruction and then blaming them when they lose fingers. It is our responsibility to educate and inform others why what they are doing is wrong -- and in many cases we even get paid for doing so.
And I do not mean that using Windows is wrong, but that clicking on email links without thorough scrutiny -- or even at all -- is wrong; that blast-forwarding unconfirmed rumors is wrong; that not understanding that the bank will never send an email and tell you to go to a site and enter all of your vital statistics is wrong (and if it does, then you should run like hell, anyway); that the use of semicolons is ill-advised.
I find it amusing that some of us will take the "duty" to throw out Mom and Dad's Windows PC and replace it with a Linux or Mac box, then walk away pleased with ourselves over the "service" we have just done. When, in fact, the "service" we should be providing is education. It does not matter in front of what box Mom and Dad sit, without the proper knowledge, they are still vulnerable to phishing schemes and exploits.
Really, these so-called idiots out there are mostly just uninformed. Some non-BOFH-type PFY handed them a computer at the WorstBuy, CompUSELESS, or Radio Shanty, without taking the short amount of time it takes to instill a small bit of cynicism over unsolicited or unexpected information and requests. There were no pamphlets at the store explaining how email can be as dangerous as a phone call from "your phone company" or "your bank." Most of these people CAN be taught and guided.
And the ones that cannot will be eliminated one way or another, but of course not before making complete and utter asses of themselves.
Re:It's a plot... (Score:5, Insightful)
Not only does it make more money for verisign, but it also raises the bar for retailers so that smaller shops can't afford the same certificate, and thus look to be "less secure" than their larger competitors.
A green bar means nothing. What's really needed is for users to make a whitelist of the sites they use; then when they visit a scam site it will say "this is a new site you've never visited before" as opposed to "this is paypal, one of your frequently visited sites". The browser can tell the difference between www.paypal.com and www.p4yp4l.scam.cn, it just needs to communicate that to the user in a sensible way. Users need educating too; I can't believe people are still stupid enough to try logging in to paypal when the url bar contains something completely different.
Also, it should be impossible to change the status bar (that shows where a link points when you hover over it) and mail clients should ALWAYS do something similar, hyperlinks in html can say one thing but point somewhere completely different, and html mail clients are a lot worse at telling that to the user than browsers.
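As an added example (not code from the original thread), the two checks the post above describes, written out in Python: pull every link out of an HTML mail, compare the host named by the visible link text against the host the href really points to (the "status bar" check), and rate the real target against a per-user list of known sites (the "new site you've never visited" check). The mail body and the hostnames in it are constructed for the example; paypal.com stands in as the user's one whitelisted site, and www.p4yp4l.scam.cn is the lookalike host the poster used.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail for the example; the scam hostnames are placeholders.
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://www.p4yp4l.scam.cn/login">https://www.paypal.com/</a> to verify your account.</p>
<p>Or visit <a href="https://www.paypal.com/">your account page</a>.</p>
<p>See also <a href="https://help.example.net/faq">help.example.net</a>.</p>
<p>Careful: <a href="https://www.paypal.com.evil.example/">www.paypal.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.example.com'-style text is accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself names a host (a URL or a dotted hostname)."""
    t = text.strip()
    return "://" in t or (" " not in t and "." in t and not t.endswith("."))


def is_known(host, known):
    # Exact match or a subdomain of a whitelisted registrable domain.
    # 'www.paypal.com.evil.example' does NOT end with '.paypal.com', so it stays unknown.
    return any(host == k or host.endswith("." + k) for k in known)


def classify(text, href, known):
    """'deceptive' if the text shows one host and the href goes to another,
    otherwise 'known' or 'new' depending on the user's whitelist."""
    target = host_of(href)
    if looks_like_url(text) and host_of(text) != target:
        return "deceptive"
    return "known" if is_known(target, known) else "new"


def audit(html, known):
    return [(text, host_of(href), classify(text, href, known))
            for text, href in extract_links(html)]


if __name__ == "__main__":
    for text, host, verdict in audit(SAMPLE_MAIL, {"paypal.com"}):
        print(f"{verdict:10} {host:35} shown as: {text!r}")
```

Running it flags the first and last links as deceptive (the text names paypal.com, the href does not), accepts the second as a known site, and marks help.example.net as new rather than bad: the whitelist only tells the user that a site is unfamiliar, which is exactly the prompt the post is asking for.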
Still vulnerable to phishing... (Score:5, Insightful)
After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/ [127.0.0.1].
PayPal apologizes deeply for the inconvenience.
Re:Still vulnerable to phishing... (Score:5, Funny)
But back up a bit and you get the whole directory structure. TONS of porn in a couple folders.
Re: (Score:3, Funny)
Please go to http://www.whatismyip.org/ [whatismyip.org] and copy and paste your IP address into a reply e-mail.
PayPal thanks you for your time and effort.
User Agent Change (Score:5, Interesting)
Preferences > Advanced > "Show Develop Menu in Menu Bar"
Develop > User Agent > Firefox 2.0.0.12
Suck it > Paypal
Technically inclined user defeats barrier to... (Score:4, Funny)
I have an idea... (Score:5, Insightful)
Netcraft seems to have a slightly different take (Score:5, Insightful)
Extended Validation certificates and XSS considered harmful [netcraft.com]
Curious if nothing else.
Who are they to decide what is and isn't safe? (Score:5, Insightful)
Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?
Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)
What about Lynx? (Score:5, Funny)
How about the other way around? (Score:5, Insightful)
First, Ebay Should BAN Sending Email to Users (Score:5, Insightful)
Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.
Ron
Re:First, Ebay Should BAN Sending Email to Users (Score:5, Insightful)
There is a new message waiting for you. You may login into here [slashdot.org] to access it.
Sincerely,
eBay Scammer.
Re:First, Ebay Should BAN Sending Email to Users (Score:4, Insightful)
One very important thing they would have to do is include some sort of identifying information, otherwise this would open the door to some very easy phishing attacks (as per Nushio's sibling comment).
Perhaps in your eBay account, you could choose one from several thousand little pictures (e.g., as you do with video games and video game systems to choose an avatar picture). Then, the messages could read something like:
Then again, I think things like this have been tried before (don't some banks do something similar to this when you log in?) I guess if the users don't care to pay attention, they won't notice the difference between what I wrote above and:
How valuable are EV SSL certs? (Score:5, Interesting)
I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.
Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...
More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about using that to show critical information in the certificate, like the CN?
Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".
But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
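Added example, not the poster's code: the hostname-versus-certificate check a browser performs before it shows the lock at all, written out in Python against the dict shape that ssl.SSLSocket.getpeercert() returns (the certificates below are constructed for the example, not real ones; the www.paypal.com and www.phishingurinfoz.ru names are the ones from the post). The caveat a practitioner would add to the "show the CN" idea is baked in: the URL host is matched against the Subject Alternative Name entries, and the subject CN is consulted at most when no DNS SAN is present (current browsers ignore the CN entirely), so a UI that displays the CN can be lied to by a certificate whose CN says one thing and whose SAN says another.

```python
def _match_name(pattern, host):
    """RFC 6125-style comparison of one certificate name against a hostname.
    A wildcard is honoured only as the entire left-most label, never across a dot,
    and never for a two-label name like '*.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, host):
    """Does the certificate vouch for `host`?
    `cert` follows the ssl.SSLSocket.getpeercert() layout: a 'subjectAltName'
    tuple of (type, value) pairs and a 'subject' tuple of RDNs. DNS SANs win;
    the CN is a fallback only when the certificate carries no DNS SAN at all."""
    dns_names = [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_match_name(name, host) for name in dns_names)


# Constructed certificates in getpeercert() format (assumed for the example, not real).
LEGIT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
LOOKALIKE = {
    "subject": ((("commonName", "www.phishingurinfoz.ru"),),),
    "subjectAltName": (("DNS", "www.phishingurinfoz.ru"),),
}
WILDCARD = {
    "subject": ((("commonName", "*.paypal.com"),),),
    "subjectAltName": (("DNS", "*.paypal.com"),),
}
# CN claims paypal, SAN does not: a CN-only display would show the wrong thing.
CN_MISLEADING = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.phishingurinfoz.ru"),),
}


if __name__ == "__main__":
    for label, cert in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                        ("wildcard", WILDCARD), ("cn-misleading", CN_MISLEADING)]:
        print(f"{label:14} matches www.paypal.com: {cert_matches_host(cert, 'www.paypal.com')}")
```

The mismatch the poster describes (URL says www.paypal.com, certificate says www.phishingurinfoz.ru) is the case this function rejects, so a browser raises its certificate error before any lock or green bar is drawn; the CN_MISLEADING case is the one to keep in mind when deciding which certificate field a notification bar should show.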
How about this? (Score:3, Insightful)
Paypal blocks unsafe browsers... (Score:5, Funny)
stupid and pointless (Score:4, Insightful)
The problem isn't "unsafe browsers". Phishing is social engineering, not hacking. The problem is unsafe users.
Give a stupid user a safe browser and a semi-sophisticated phish and they'll cough up that login.
Give a smart user an IE 5.0 and they'll never get busted.
If paypal really wanted to increase user safety they'd do it with user education.
Tell users to very carefully navigate to the correct site, make a bookmark, and then never go to the site any other way again.
Easy Phish - Thank you Paypal (Score:5, Funny)
Have no fear.. with paypalproxy.com you can use any browser to access your account.
--
So long and thanks for all the phish.
I am an unhappy customer (Score:5, Insightful)
Prime example (Score:5, Insightful)
Ironically, phishing sites won't block users using "unsafe" browsers, which just makes them more user-friendly than paypal.
What's the point? (Score:4, Insightful)
There are four scenarios, assuming we agree to what "safe" is.
The immediate result is only affecting scenario 2, so there will be some loss of business.
In the long run, paypal expects users who hit the scenario 2 to switch to a safe browser. And paypal is big and important enough (whether we like it or not) for a reasonable number of users to do the switch.
Open letter to PayPal (Score:4, Interesting)
I use PayPal right now because it is one of the more secure options out there. I give my financial details to one party (PayPal) instead of every site I do business with -- which means PayPal gives me the opportunity to review every single transaction, and approve or deny.
It's also nice and reassuring to visit www.paypal.com, and see an https URL the whole way through -- knowing nothing important is ever transmitted in the clear.
And for some small amount of money -- I forget exactly how much it is, but relatively cheap -- I can even get a physical security token, which, I believe, is also valid with VeriSign. And due to its implementation, this token requires no additional software -- I just read a number off the token and into a browser window. What's not to like?
These are the reasons a highly technical and security-conscious person might want to use PayPal. Highly secure, with a lot of control and choice.
Now, I can understand wanting to protect the less-technical users. Send them emails every now and then, telling them not to click links in emails. Warn them if they're not using a secure browser. Provide technical support, walkthroughs, and as much hand-holding as you like.
But please don't alienate those of us who know what we are doing by removing our choice. Don't block browsers simply for not supporting anti-phishing, or having it disabled -- some of us know how to read the address bar, and value our privacy. Block older, actually vulnerable browsers if you must, but do not make it a whitelist.
The day I have to turn on user-agent spoofing to get to my money is the day I take my money somewhere else.
Re:Banks should do this. (Score:5, Insightful)
Are you nuts?
"We're sorry. You're not using IE. And if you are using IE, your IE configuration isn't permitting us to run the MegabanX proprietary ActiveX control that our conslutants [sic] told us would eliminate all our liability. Please enable ActiveX support in order to continue banking with us, or turn off that Netscape thingy and upgrade to IE4.0 and resize your window to 800x600 while you're at it."
Forgive me for the sarcasm, but I had to switch banks twice because of that sort of crap. Think back a few years. The last thing any of us would have wanted "since they introduced internet banking" was our banks doing User-Agent and Javashit-based snooping on our configuration.
Re:What about older OSes? (Score:4, Informative)
Firefox works as far back as Windows 95 IIRC? I installed Firefox on my uncle's Windows 98 box, the only issue was that the start bar title icon didn't show up properly but it ran.
Sure he can't use his iPod with Windows 98, but Firefox works great. If he gets a RAM upgrade he can run Windows 2000. But technically with 128M of RAM or more he can run Windows XP on his 333Mhz processor, but it will be really slow.
I don't think we can afford to buy a new machine, and his old machine runs great.