
PayPal Plans To Ban Unsafe Browsers 367

Posted by Soulskill
from the we-are-the-boss-of-you dept.
Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month. "'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
This discussion has been archived. No new comments can be posted.

  • What If?... (Score:5, Insightful)

    by Slashdot Suxxors (1207082) on Thursday April 17, 2008 @09:15PM (#23113334)
    Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
    • I don't like to blame the victim but who clicks a link in an email? Really. Any site that makes it hard for me to get things done from their front page does not deserve my business, so I'll never follow the phish. The reason people still fall for this stuff is because copyright warriors and other IPtards make browsers and sites more complex than they need to be.

      If Iceweasel and Konqueror are not on their "safe" list, I won't be able to use them even if I want to. Either the EWeek author or PayPal is

      • by pwizard2 (920421)
        I don't like to blame the victim but who clicks a link in an email? Really.

        More people than you think. Many of them aren't sophisticated enough to look at the URL of the site they are about to visit and notice the absence of the proper domain. Something like http://95.32.56.224/to/be/or/not/to/be/sucker.html (example, not an actual link) definitely isn't Paypal, but they don't figure that out until their browser (hopefully) sends up the phishing flag.
    • by Frankie70 (803801) on Thursday April 17, 2008 @09:37PM (#23113472)

      Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".


      Wow. That's a rather clever strategy. I wonder why no one thought of it earlier.
      I think they should just get all paypal users to assemble one day (may be in the Arizona
      desert) and then teach all of them what you suggested.

      Thinking more about it, maybe they should not just restrict themselves to Paypal users -
      they should just assemble all internet users & teach them these things.
      • by csnydermvpsoft (596111) on Thursday April 17, 2008 @10:23PM (#23113762) Homepage
        I think they should just get all paypal users to assemble one day (may be in the Arizona
        desert) and then teach all of them what you suggested.


        Send out a spam like this:

        "I am the widow of a wealthy Arizonan entrepreneur. I am in need of assistance in transferring large sums ($153m) of money. Your help is appreciated. Meet me at the Tucson desert state park at 8:00 in the evening on April the 19th to complete the transaction. I will give you 25% of the money as a reward for your assistance."

        Also:

        "Your PayPal account has been deactivated! To reactivate it, you must come to the Tucson desert park at 8:00 PM on April 19. If you do not proceed, your account will be permanently closed!"

        That should get all of the people in need of such education to show up.<g>
    • Re:What If?... (Score:5, Insightful)

      by causality (777677) on Thursday April 17, 2008 @09:42PM (#23113508)
      Because whenever scammers come along to make stupidity more painful, we focus only on the fact that the scammers do this for their own short-term personal gain. Therefore, we lose sight of what happens to any community when all standards are lowered, no one is expected to think for themselves or make informed decisions, and causes (large number of clueless users) are confused with effects (criminals who take advantage of that cluelessness). It's easy for people who cannot separate their emotions from their intellect to get caught up in the outrage at parasitic people who profit from this situation and completely ignore why such scams are so successful in the first place.

      Unprincipled people apparently need a fire under their ass before they will willingly broaden their knowledge, expand their experience or otherwise understand anything beyond the superficial level. To me that's quite a shame that they really seem to consider learning, an appreciation for self-reliance, and thinking for yourself to be terribly hard work to be avoided at all costs, rather than a journey of discovery that makes life much less routine and much more interesting. At any rate, if the goal is to remove all incentive to ever actually understand the tools (computers, networks, etc) that we use each day, we are on the right track.

      As the saying goes, "A fool and his money are soon parted." Anyone who uses what he does not remotely understand and expects consistently good results qualifies as a fool. For some reason, when a computer is involved this commonsense concept is completely ignored.

      Now cue the apologists and their thousand excuses for why literate individuals with no learning disabilities should not be expected to understand the basic concepts behind tools that they decided, of their own free will, to use on a daily basis. It's willful helplessness, plain and simple.

      With the increasing social acceptability of this kind of victim mentality, the idea that you are responsible for your own well-being is apparently rather threatening to many people. This is obvious because they tend to give angry emotional responses instead of well-reasoned arguments explaining why they believe I am wrong.
      • Re:What If?... (Score:4, Insightful)

        by rtechie (244489) on Thursday April 17, 2008 @10:20PM (#23113740)
        People who fall for phishing scams are not stupid. They are often very smart people. Mere general intelligence is no defense against scams. Even being a scam artist or security expert yourself isn't a guarantee because NOBODY has encyclopedic knowledge of every scam in human history. If they run across a scam they're not familiar with they're just as vulnerable as "stupid" people.

        Knowing how to use the tools offers no protection against scams. Knowing how to use a telephone does not protect you from callers that contact you and attempt to scam you. Knowing how to open a door does not protect you from people who come to your door and try and scam you.

        You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.

        Scammers existed long before computers. If you created a free tool that would 100% stop all phishing under all circumstances the scammers would just switch to a different scam. The PROBLEM is the scammers. Period. Crime is the fault of criminals, not the victims.

        • by zappepcs (820751)
          I think of myself as a bit above average when it comes to computers and the Internet. I remember the first time I saw mosaic :)

          In the early days of phishing, every now and then there would be a confusing but authentic looking email from one of my financial institutions. Long after I started ignoring anything sent to ME from an institution, they stopped sending out stuff.

          Now, if you are smart, ignore anything, log in and get your email messages from the system itself. Much safer that way. Yes, there is man in
        • Re:What If?... (Score:5, Insightful)

          by Anonymous Coward on Thursday April 17, 2008 @10:50PM (#23113886)
          Grandparent is not equating being a victim with being stupid, but with being ignorant. Unfortunately in most cases, ignorant by choice. Notice he said "literate individuals with no learning disabilities" should take responsibility for understanding what they are doing online. I imagine he, like me, would have more tolerance for the truly stupid who are literally incapable of doing any better.

          If you understand the basic concepts of how the internet works and apply critical judgment in your transactions, you don't need to have encyclopedic knowledge of every scam in human history -- that's the whole point.

          Grandparent also predicted that some would give "angry emotional responses instead of well-reasoned arguments." Nice job proving him right.
        • Re:What If?... (Score:5, Insightful)

          by causality (777677) on Thursday April 17, 2008 @11:06PM (#23113958)

          People who fall for phishing scams are not stupid. They are often very smart people. Mere general intelligence is no defense against scams. Even being a scam artist or security expert yourself isn't a guarantee because NOBODY has encyclopedic knowledge of every scam in human history. If they run across a scam they're not familiar with they're just as vulnerable as "stupid" people.

          There are many forms of stupidity. For some reason, intelligence keeps getting confused with wisdom. I'm honestly not sure if that confusion is deliberately encouraged in order to obscure the issue or if most people really have no working knowledge of what the difference is. They might both be true.

          At any rate, you can have a very high IQ, perform wonderfully at all sorts of logic and mathematics problems, and still be a gullible, easily-scammed individual if you refuse to accept that plenty of people do not operate in good faith. You can be very intelligent and still make very stupid decisions. You can be very smart without being humble enough to recognize your limitations and therefore to understand when you are operating outside of your areas of expertise. You can be very smart without understanding that your area of expertise consists of having memorized the ins and outs of a particular inventory of knowledge and that you lack the practical, working knowledge component of true understanding.

          Knowing how to use the tools offers no protection against scams. Knowing how to use a telephone does not protect you from callers that contact you and attempt to scam you. Knowing how to open a door does not protect you from people who come to your door and try and scam you.

          You are exactly right. Knowing how to use the telephone shows that you have memorized a small bit of intellectual knowledge. Understanding that there are dishonest people in the world and that therefore, not everyone who calls you is truly who they claim to be demonstrates a working knowledge of the world and of the limitations of the telephone network; that is, a bit of wisdom. So why the need to apologize for people who can't tell the difference? Why send the message that people who have to learn the hard way are victims and therefore are helpless and cannot do better next time at all? Do you believe that you are doing them any favors?

          You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.

          Your analogy is flawed because once someone is stabbed, the laws of physics dictate that there is going to be a wound and it will probably be a serious one. It's not like a stabbing victim can decide "hmm, the point of a knife just struck my body with considerable force... should I let that injure me or not?" This is not the case with a scammer. Just because you receive a phishing attempt, there is no law of physics that forces you to give your personal information to a complete stranger without first performing some due diligence to verify that the stranger is who he/she claims to be. So while you might think you just made some profound point, you have compared an apple to an orange and have effectively made the claim that people must accept everything at face value and believe every lie someone tells them. Is that really your view of the world? Is it really your highest expectation of human capability? I celebrate your right to believe whatever you want, but I cannot support this type of victim mentality; indeed, it seems to be so ingrained into our culture that most people don't even recognize it for what it is.
        • by jesser (77961)
          Knowing how to use the tools offers no protection against scams.

          Part of knowing how to use a browser is knowing how to parse URLs. That's unfortunate, but I think it makes more sense to blame browser makers (and perhaps also users) than to blame criminals in this case.
      • For some reason, when a computer is involved this commonsense concept is completely ignored.

        Disagree a little here. I don't believe a computer is necessary for common sense to be ignored, just an endocrine system.

    • by TheSpoom (715771) *
      Because PayPal's real reason for doing this is to extend the ways that they can keep you from withdrawing your money from your PayPal account, because they get more interest on it the longer it's in there.

      This is why I'm very careful whenever someone wants to pay me a large amount via PayPal. I usually prefer a check or direct deposit.
    • 3 reasons:

      1) It takes time and effort for everyone involved

      2) There will always be people who don't get it

      3) There will always be newcomers

      Yes, "knowing" is a good thing. However it is something the educated often take for granted because they believe the problem only applies to the uneducated, and they aren't the ones responsible for the education. Well, if it did apply to you you would be "surprised", and if you had to do the teaching, you'd try and think of something else once you realized what a waste
    • Re: (Score:2, Insightful)

      by SiddGaur (1275206)
      Paypal is a great way for internet payments but if they make it more difficult for users I am not sure that they will be great anymore.
  • by daeg (828071) on Thursday April 17, 2008 @09:16PM (#23113344)
    Dear PayPal User:

    After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/ [127.0.0.1].

    PayPal apologizes deeply for the inconvenience.

    • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Thursday April 17, 2008 @09:21PM (#23113386)
      Heh. That address resolves! 404, though.

      But back up a bit and you get the whole directory structure. TONS of porn in a couple folders.
      • Re: (Score:3, Funny)

        by daeg (828071)
        Dear PayPal User:

        Please go to http://www.whatismyip.org/ [whatismyip.org] and copy and paste your IP address into a reply e-mail.

        PayPal thanks you for your time and effort.
        • Re: (Score:2, Funny)

          by BadAnalogyGuy (945258)
          Somewhat related:
          http://www.electric-escape.net/node/1475 [electric-escape.net]
          http://www.thehumorarchives.com/joke/IRC_Idiot [thehumorarchives.com]
        • by LoadWB (592248)
          Or just send a reply email and we can dig it out of your headers.
          • Let's look at a random email I have here. OMG the end user IP is 10.1.0.50? let me paste that into nmap and see what ports you have open.
            You can't always get end user public IP address if they are NAT'ed.

            I think paypal should just quadruple their usage fees for those users instead of banning them, then get rid of the fees for the rest of us. If people are retarded enough to use a Mac (Safari) or other unsafe browser then they are probably easily persuaded to pay the additional fees for no reason other than
            • by LoadWB (592248)
              So, in the end the end user's IP address from his or her email headers is as useless as the IP address given by whatismyip.com. My point was just one less step to confuse the potential victim, because then all you get is emails asking for help going to whatismyip?.com and you waste your time supporting rather than scamming.
              • The majority of them are useless, yes. The only really useful/accurate bit of header information is the IP address of the SMTP server connecting to your SMTP server which is the received line added by your SMTP server. Anything before that could be forged. Most legit email is generally going to have accurate info from anything more recent than the last RFC1918 address. But I was under the impression the majority of spam/scam emails used fake or forged from/reply addresses. In which case anyone replying woul
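An added example, not part of the comment above or of any poster's code, showing the header-trust rule it describes: only the `Received` line stamped by your own SMTP server is relied on, and every older line is treated as a claim. The message, the hostname `mx.example.net` and all addresses except the thread's `10.1.0.50` are constructed for illustration.

```python
import email
import ipaddress
import re

# Assumption: hostname of the receiving SMTP server that we operate.
OUR_MX = "mx.example.net"

# RFC 1918 ranges, listed explicitly. ipaddress' is_private is broader
# (it also covers documentation ranges), so it is not used here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample message. Received headers are newest first: the top one
# was added by our own server, the two below arrived with the message.
RAW = """\
Received: from relay.sender.example (relay.sender.example [203.0.113.25])
\tby mx.example.net (Postfix) with ESMTP id 4F1A2
\tfor <user@example.net>; Thu, 17 Apr 2008 22:01:07 -0400
Received: from desktop (unknown [10.1.0.50])
\tby relay.sender.example (Postfix) with ESMTP id 9C77B;
\tThu, 17 Apr 2008 22:01:05 -0400
Received: from mail.paypal.com (mail.paypal.com [198.51.100.7])
\tby desktop with SMTP; Thu, 17 Apr 2008 21:59:00 -0400
From: "PayPal" <service@paypal.com>
To: user@example.net
Subject: Your account

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")


def parse_ip(text):
    """Return the bracketed IPv4 address in a Received value, or None."""
    m = IP_RE.search(text)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:          # e.g. [999.1.1.1] in a forged line
        return None


def analyze_received(raw, our_mx=OUR_MX):
    """Split the Received chain into the part we stamped and the rest."""
    msg = email.message_from_string(raw)
    hops = []
    in_trusted_run = True       # True only for the leading lines added by our_mx
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        by = BY_RE.search(flat)
        by_host = by.group(1).lower() if by else None
        in_trusted_run = in_trusted_run and by_host == our_mx.lower()
        ip = parse_ip(flat)
        hops.append({
            "by": by_host,
            "ip": str(ip) if ip is not None else None,
            "trusted": in_trusted_run,
            "rfc1918": ip is not None and any(ip in net for net in RFC1918),
        })
    # The oldest line in the trusted run records who connected to us.
    trusted_ips = [h["ip"] for h in hops if h["trusted"] and h["ip"]]
    return {"connecting_ip": trusted_ips[-1] if trusted_ips else None,
            "hops": hops}


if __name__ == "__main__":
    result = analyze_received(RAW)
    print("connecting IP:", result["connecting_ip"])
    for hop in result["hops"]:
        print(hop)
```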
      • Re: (Score:2, Funny)

        by Anonymous Coward
        Holy fuck that's MY computer. WTF guys, that's not cool. Ok so maybe I don't have my firewall PERFECTLY configured, but why would you make fun of me by showing all my porn on slashdot? Shit dude I'm totally freaked out. I don't know how to fix it I'm fucking unplugging everything for the night. Fuck.
      • by Anonymous Coward on Thursday April 17, 2008 @10:50PM (#23113888)

        Heh. That address resolves! 404, though. But back up a bit and you get the whole directory structure. TONS of porn in a couple folders.
        Yeah, but it's stuff I already have.
    • by Anonymous Coward
      Dear PayPal User,

      Due to recent security upgrades, you may no longer be able to log in. In order to give all our customers the highest level of protection against fraud and identity theft, we are requiring that you have up-to-date security measures on your computer.

      Please install the enclosed program [malware.exe] to upgrade the security of your computer to ensure that you can continue to access your PayPal account.

      Thank you,
      - Scams R. Us
  • While probably rather nasty and nanny-statish of them to do so, I can't help but think that this will force at least some people using certain archaic standards-non-compliant browsers to use better ones, or at least heavily-patched copies of IE 6 (although, since Microsoft is big on IE 7, they might skip that entirely.) Who knows, it might improve standards compliance a little bit—at least as far as transparent PNGs are concerned. (Obviously, this does not count Safari.)
  • User Agent Change (Score:5, Interesting)

    by macbuzz01 (1074795) on Thursday April 17, 2008 @09:26PM (#23113410) Journal
    Safari for Mac:

    Preferences > Advanced > "Show Develop Menu in Menu Bar"

    Develop > User Agent > Firefox 2.0.0.12

    Suck it > Paypal
  • Not sure what to make of it at this point, but the gut feeling says this will be an excuse to be anticompetitive.
  • I have an idea... (Score:5, Insightful)

    by Snowspinner (627098) <philsand@@@ufl...edu> on Thursday April 17, 2008 @09:33PM (#23113442) Homepage
    Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?
  • by micheas (231635) on Thursday April 17, 2008 @09:40PM (#23113500) Homepage Journal
    Paypal is hyping Extended Validation certificates after Netcraft posts articles like this:

    Extended Validation certificates and XSS considered harmful [netcraft.com]

    Curious if nothing else.
  • by Antony-Kyre (807195) on Thursday April 17, 2008 @09:44PM (#23113526)
    Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.

    Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?

    Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)
    • Re: (Score:2, Troll)

      by corsec67 (627446)
      You aren't at all mistaken:

      Paypal doesn't give a shit about anything but making money from themselves, and don't hesitate to take money from anybody's account for almost any reason.

      PayPalSucks.com [paypalsucks.com]

      It is kind of silly, forcing people to access PayPal with secure browsers when money stored at PayPal isn't secure from PayPal itself.
      (PayPal isn't a bank, nor does it even try to pretend to be one, so don't let them have any EFT account numbers, and never store any money there.)
    • Gonna have to disagree on this one; their test is fairly simple.
      Does it have phishing protection?
      yes = allow
      no = recommend one that does.

      OFC it's legal; they're not forcing you to pay anybody anything, and people have been forced to use a certain browser for sites for years. Hopefully they will do it via user strings, and assume anybody that is smart enough to fake a userstring is smart enough to not get phished.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Not the same. They certainly would care if their customers lose money - PayPal isn't the only fish in the online payment sea, though it is the largest. If phishing becomes too common it impacts their image and reputation as a safe way to shop.

      And of course it's legal. Considering at least one allowed browser is FREE, and is available to basically every platform out there (Firefox), there's no burden on the consumer to have a "safe" browser.

      That's like complaining that your bank inconveniences bike riders by

    • by hendridm (302246)

      Who are they to decide what is and isn't safe?

      That's what I was thinking, sort of. Requiring a "safe" browser seems about as effective as the TSA - some bogies get through, some grannies get nailed.

  • by homerj79 (58075) on Thursday April 17, 2008 @09:45PM (#23113528) Homepage
    Is Lynx still considered unsafe? Have they fixed that graphics display hole yet? That was reported, like, 20 years ago.
  • by failedlogic (627314) on Thursday April 17, 2008 @09:45PM (#23113532)
    How about the other way around? Have safe browsers ban PayPal!
  • by Ron Bennett (14590) on Thursday April 17, 2008 @09:47PM (#23113538) Homepage
    And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - ie. how can a user know the email is real, it's not encrypted, etc.

    Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.

    Ron
    • by Nushio (951488) on Thursday April 17, 2008 @09:59PM (#23113610) Homepage
      Dear eBay User,

      There is a new message waiting for you. You may login into here [slashdot.org] to access it.

      Sincerely,
      eBay Scammer.
    • by SpottedKuh (855161) on Thursday April 17, 2008 @10:08PM (#23113664)

      Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.

      One very important thing they would have to do is include some sort of identifying information, otherwise this would open the door to some very easy phishing attacks (as per Nushio's sibling comment).

      Perhaps in your eBay account, you could choose one from several thousand little pictures (e.g., as you do with video games and video game systems to choose an avatar picture). Then, the messages could read something like:

      Dear SpottedKuh: [picture of a little cow that I chose] ... check your eBay message centre, etc.

      Then again, I think things like this have been tried before (don't some banks do something similar to this when you log in?) I guess if the users don't care to pay attention, they won't notice the difference between what I wrote above and:

      Dear eBayUser: [picture of random anything] ...
      • by bendodge (998616)
        Even better than choosing some random thing G-Ma might forget would be requiring (or at least pushing) her to upload her own photo.

        Personally, I think this is a great thing. Finally, people will have major incentive to upgrade from IE5 and 6, the bane of web developers.

  • Wow, PayPal has figured out #2!

    1) Declare a browser as "unsafe"

    2) ???^H^H^H^H^H^H
    2) Block the browser from your popular site

    3) Profit! --> Approach the company that makes the browser... "we'll declare it safe... for a price".
  • by LoadWB (592248) on Thursday April 17, 2008 @09:52PM (#23113568) Journal
    If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.

    I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.

    Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...

    More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about use that to show critical information in the certificate, like the CN?

    Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".

    But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
    • by TubeSteak (669689)

      Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".

      Sure, the URL says www.paypal.com, but the certificate CN says "www.paypa1.com".
      Sure, the URL says www.paypal.com, but the certificate CN says "wwwpaypal.com".
      Sure, the URL says www.paypal.com, but the certificate CN says "www.paypals.com".
      Sure, the URL says www.paypal.com, but the certificate CN says "www.baypal.com".

      That'll be more than enough to fool some of the people all of the time.
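An added example, not part of the thread or of any poster's code, that classifies a hostname (from a URL or a certificate CN) against the protected domain, using the lookalike names quoted in the comment above and the bare-IP URL from pwizard2's earlier comment. The two-label "registrable domain" shortcut and the distance threshold are assumptions made for illustration; production code would use the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

BRAND = "paypal.com"   # the domain being protected, as discussed on the page


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumption: treat the last two labels as the registrable domain."""
    return ".".join(host.split(".")[-2:])


def classify_host(host, brand=BRAND, max_distance=2):
    """Return 'match', 'ip-literal', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"                 # no name to compare at all
    except ValueError:
        pass
    if host == brand or host.endswith("." + brand):
        return "match"
    brand_label = brand.split(".")[0]
    if brand_label in host:
        # Brand embedded in another name: wwwpaypal.com, paypals.com,
        # or paypal.com.something.example
        return "lookalike"
    if edit_distance(registrable(host), brand) <= max_distance:
        # One or two character edits away: paypa1.com, baypal.com
        return "lookalike"
    return "unrelated"


def classify_url(url, brand=BRAND):
    """Classify the host part of a URL; empty or missing host is unrelated."""
    host = urlsplit(url).hostname
    return classify_host(host, brand) if host else "unrelated"


if __name__ == "__main__":
    # Names quoted in the thread.
    for name in ("www.paypal.com", "www.paypa1.com", "wwwpaypal.com",
                 "www.paypals.com", "www.baypal.com",
                 "www.phishingurinfoz.ru"):
        print(f"{name:28} {classify_host(name)}")
    print(classify_url("http://95.32.56.224/to/be/or/not/to/be/sucker.html"))
```

A name classed as `unrelated` is not thereby safe; the check only separates names that imitate the brand from names that make no attempt to.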

  • How about this? (Score:3, Insightful)

    by TheSpatulaOfLove (966301) on Thursday April 17, 2008 @09:54PM (#23113576)
    Can we ban Paypal for unsafe money exchange?
    • by dhaines (323241)
      Lately I've had transactions where the site (not eBay) used a Paypal cart. Each time I contacted the merchant and requested another way to order/pay. Most of them mentioned how many complaints they hear about Paypal. One business gave me a $24 order for free because I detailed in writing why I won't use Paypal. All but one of the others either had a different merchant account or sent the order with an invoice, trusting me to send payment. Only one lost my business because they "had" to use Paypal.

      Paypa
  • Now the scammers/phishers just need to do the same thing. And voila!
  • by russotto (537200) on Thursday April 17, 2008 @10:03PM (#23113636) Journal
    ...but the head of the International Phishers Guild says that all of their sites will continue to work with any browser you want. Spokesman Anome Smith says "We will not be following Paypal's lead on this. Popular phishing sites like www.payypal.com, www.paypa1.com, and 192.168.178.287/paypal will all continue to work with any browser you please. "

  • by Thaelon (250687) on Thursday April 17, 2008 @10:04PM (#23113638)
    This is stupid and pointless.

    The problem isn't "unsafe browsers". Phishing is social engineering, not hacking. The problem is unsafe users.

    Give a stupid user a safe browser and a semi-sophisticated phish and they'll cough up that login.

    Give a smart user an IE 5.0 and they'll never get busted.

    If paypal really wanted to increase user safety they'd do it with user education.

    Tell users to very carefully navigate to the correct site, make a bookmark, and then never go to the site any other way again.
  • eBay and PayPal have demonstrated that they no longer deserve my business.
  • by fireheadca (853580) on Thursday April 17, 2008 @10:18PM (#23113718)
    Paypal not letting you in?

    Have no fear.. with paypalproxy.com you can use any browser to access your account.

    --
    So long and thanks for all the phish.
  • by prxp (1023979) on Thursday April 17, 2008 @10:34PM (#23113804)
    I am a PayPal customer. I have a paypal secure ID, a hardware token that generates 6-digit numbers (synchronized with paypal's servers) that are part of my password authentication process. That means that even if someone gets my password (i.e. phisher), they won't be able to login that easily (they would need the hardware token to generate the current 6-digit number set, which changes periodically every 30 seconds). With all of that, I see no reason for paypal to block me if I am using Safari, even if Safari is a bit unsafer than other browsers. That would just mean adding an extra item to the list of things my iPhone can't do: access PayPal's webpage. That would really piss me off.
    • Re: (Score:3, Informative)

      by Apple Acolyte (517892)
      I reject the notion that Safari is less safe than other browsers. There have been very few serious security flaws found in Safari, even after Apple opened the platform to Windows. I'd say Safari is one of the most secure browsers out there.
  • by CrazyJim1 (809850) on Thursday April 17, 2008 @10:40PM (#23113836) Journal
    I'm not sure if there is a word for this (Phish and release), but it goes like this:
    Paypal should send out official looking emails with links to a site that isn't on Paypal.
    If someone enters their information on this fake site, Paypal would warn them that they got phished and released!
    Paypal could tell them important stuff like only manually going into paypal.com and never clicking on a link in an email.
  • A lot less phishing would go on if PayPal would just enforce its trademark and force the FBI to investigate these phishers using those marks to compete with PayPal and rip off its customers.

    All these banks should be doing that. The FBI should be busy protecting us from these modern bank robbers, not all the domestic snooping and other abuses they waste their time and our money on.

    Trademark holders are supposed to lose their trademarks when they don't defend them against imitators. Banks are supposed to sec
  • Prime example (Score:5, Insightful)

    by v(*_*)vvvv (233078) on Thursday April 17, 2008 @11:00PM (#23113930)
    ... of where the Terrorists won.

    Ironically, phishing sites won't block users using "unsafe" browsers, which just makes them more user-friendly than paypal.

  • What's the point? (Score:4, Insightful)

    by AnuradhaRatnaweera (757812) on Friday April 18, 2008 @12:02AM (#23114236) Homepage

    There are four scenarios, assuming we agree to what "safe" is.

    • 1. Visiting paypal using a safe browser
    • 2. Visiting paypal using an unsafe browser
    • 3. Visiting a phishing site using a safe browser
    • 4. Visiting a phishing site using an unsafe browser

    The immediate result is only affecting scenario 2, so there will be some loss of business.

    In the long run, paypal expects users who hit scenario 2 to switch to a safe browser. And paypal is big and important enough (whether we like it or not) for a reasonable number of users to do the switch.

  • by Jafafa Hots (580169) on Friday April 18, 2008 @12:05AM (#23114250) Homepage Journal
    "Dear Paypal User. We're sorry to hear that the person you bought the kidney from on eBay mailed you a kidney bean instead and won't return your $10,000.

    We regret to inform you that we will not be able to process your Paypal Buyer Protection claim for the money because we have determined that you are not using a "safe" browser - a violation of our terms.
    This, despite the fact that your victimization had nothing to do with phishing and your account was not actually compromised.

    Due to this violation and to protect Paypal internal security, we have locked your account (and will be keeping the other $20,000 you had in it.)

  • Stupid (Score:3, Interesting)

    by 56ksucks (516942) on Friday April 18, 2008 @12:22AM (#23114314) Homepage
    I use OpenDNS which will not resolve a phishing site. Also, Paypal is one to talk. Their own Paypal plugin for creating virtual debit card numbers detects their own site as a phishing site. There goes using paypal on my Wii.
  • If they were really being consistent, they would ban Internet Explorer first.

    No matter what soi-disant "security features" Microsoft implements, the fundamental design of IE is inherently insecure, and it can not be made secure without making deep changes in the API that will cause Microsoft to lose too much face to go through with it.
  • by SanityInAnarchy (655584) <ninja@slaphack.com> on Friday April 18, 2008 @04:00AM (#23115114) Journal
    I realize I'm a little late in the game for this, and I give myself 50/50 odds that I'll actually send it in, but here goes:

    I use PayPal right now because it is one of the more secure options out there. I give my financial details to one party (PayPal) instead of every site I do business with -- which means PayPal gives me the opportunity to review every single transaction, and approve or deny.

    It's also nice and reassuring to visit www.paypal.com, and see an https URL the whole way through -- knowing nothing important is ever transmitted in the clear.

    And for some small amount of money -- I forget exactly how much it is, but relatively cheap -- I can even get a physical security token, which, I believe, is also valid with VeriSign. And due to its implementation, this token requires no additional software -- I just read a number off the token and into a browser window. What's not to like?

    These are the reasons a highly technical and security-conscious person might want to use PayPal. Highly secure, with a lot of control and choice.

    Now, I can understand wanting to protect the less-technical users. Send them emails every now and then, telling them not to click links in emails. Warn them if they're not using a secure browser. Provide technical support, walkthroughs, and as much hand-holding as you like.

    But please don't alienate those of us who know what we are doing by removing our choice. Don't block browsers simply for not supporting anti-phishing, or having it disabled -- some of us know how to read the address bar, and value our privacy. Block older, actually vulnerable browsers if you must, but do not make it a whitelist.

    The day I have to turn on user-agent spoofing to get to my money is the day I take my money somewhere else.
