PayPal Plans To Ban Unsafe Browsers

Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month. "'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
  • User Agent Change (Score:5, Interesting)

    by macbuzz01 ( 1074795 ) on Thursday April 17, 2008 @10:26PM (#23113410) Journal
    Safari for Mac:

    Preferences > Advanced > "Show Develop Menu in Menu Bar"

    Develop > User Agent > Firefox 2.0.0.12

    Suck it > Paypal
  • by Anonymous Coward on Thursday April 17, 2008 @10:51PM (#23113564)
    What if you're on an older OS (e.g. Windows 2000) and you don't have access to a browser that supports EV SSL?

    This sounds like eBay trying to get too controlling of PayPal users. I have a feeling that "security" might mandate a browser plugin in the future to verify that you are viewing the real paypal site (coincidentally, it automatically fills out transaction information if PayPal is the payment method)....
  • by LoadWB ( 592248 ) on Thursday April 17, 2008 @10:52PM (#23113568) Journal
    If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.

    I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.

    Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...

    More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about using that to show critical information in the certificate, like the CN?

    Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".

    But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
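The comparison the comment above asks browsers to surface (the host in the address bar against the names the certificate actually carries) is the hostname check a TLS client performs at handshake time. The following is an added example, not code from the thread or from PayPal: a minimal RFC 6125-style matcher over certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The two certificate dicts are constructed sample data, not real certificates; `describe()` is the hypothetical "show it to the user" output.

```python
"""Hostname-vs-certificate check, stdlib only (added example, not the thread's code)."""
from typing import List
from urllib.parse import urlsplit


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, case-insensitively.
    A leading '*.' wildcard covers exactly one leftmost label (RFC 6125 6.4.3)
    and never matches the bare parent domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_names(cert: dict) -> List[str]:
    """Collect DNS names from subjectAltName; fall back to the subject CN only
    when the certificate carries no SAN entries (the legacy browser rule)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate covers the requested hostname."""
    return any(_dnsname_match(name, hostname) for name in cert_names(cert))


def describe(url: str, cert: dict) -> str:
    """The 'critical information' line the comment wants shown to the user."""
    host = urlsplit(url).hostname or ""
    names = cert_names(cert)
    if hostname_matches(cert, host):
        return f"OK: {host} is covered by certificate names {names}"
    return f"MISMATCH: URL host {host!r} but certificate names {names}"


# Constructed sample certificates in getpeercert() shape (not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
PHISH_CERT = {
    "subject": ((("commonName", "www.phishingurinfoz.ru"),),),
    "subjectAltName": (("DNS", "www.phishingurinfoz.ru"),),
}

if __name__ == "__main__":
    print(describe("https://www.paypal.com/", LEGIT_CERT))
    print(describe("https://www.paypal.com/", PHISH_CERT))
```

The wildcard rule is the part that most often goes wrong in hand-rolled checkers: `*.example.com` must not match `a.b.example.com` or `example.com` itself, which is why the leftmost label is checked for emptiness and embedded dots rather than relying on a plain suffix comparison.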
  • by wshwe ( 687657 ) on Thursday April 17, 2008 @11:09PM (#23113670)
    eBay and PayPal have demonstrated that they no longer deserve my business.
  • Re:LOL. (Score:5, Interesting)

    by fluffman86 ( 1006119 ) on Thursday April 17, 2008 @11:18PM (#23113720) Homepage
    Yes. Go to http://turbotax.intuit.com/freedom [intuit.com] and pretend you want to file your taxes there. Understandably, you need to enable cookies/javascript. But then what happens? "Your browser is not up to date" it says. "Please install Firefox 1.07, IE 6, or Netscape 8 on Windows, or some other stuff for Mac."

    Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*

    So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.
  • by CrazyJim1 ( 809850 ) on Thursday April 17, 2008 @11:40PM (#23113836) Journal
    I'm not sure if there is a word for this (Phish and release), but it goes like this:
    Paypal should send out official looking emails with links to a site that isn't on Paypal.
    If someone enters their information on this fake site, Paypal would warn them that they got phished and released!
    Paypal could tell them important stuff like only manually going into paypal.com and never clicking on a link in an email.
  • Re:What If?... (Score:5, Interesting)

    by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Friday April 18, 2008 @12:20AM (#23114030)
    Or you could embed the time and GPS coordinates into a seemingly harmless web comic [xkcd.com] and see what happens [xkcd.com].
  • Re:Yes. (Score:2, Interesting)

    by Anonymous Coward on Friday April 18, 2008 @12:49AM (#23114172)

    It's the whole idea of specialization. People specialize in various trades, and sell services to each other.
    "A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects." -- Robert A. Heinlein
  • Stupid (Score:3, Interesting)

    by 56ksucks ( 516942 ) on Friday April 18, 2008 @01:22AM (#23114314) Homepage
    I use OpenDNS which will not resolve a phishing site. Also, Paypal is one to talk. Their own Paypal plugin for creating virtual debit card numbers detects their own site as a phishing site. There goes using paypal on my Wii.
  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Friday April 18, 2008 @05:00AM (#23115114) Journal
    I realize I'm a little late in the game for this, and I give myself 50/50 odds that I'll actually send it in, but here goes:

    I use PayPal right now because it is one of the more secure options out there. I give my financial details to one party (PayPal) instead of every site I do business with -- which means PayPal gives me the opportunity to review every single transaction, and approve or deny.

    It's also nice and reassuring to visit www.paypal.com, and see an https URL the whole way through -- knowing nothing important is ever transmitted in the clear.

    And for some small amount of money -- I forget exactly how much it is, but relatively cheap -- I can even get a physical security token, which, I believe, is also valid with VeriSign. And due to its implementation, this token requires no additional software -- I just read a number off the token and into a browser window. What's not to like?

    These are the reasons a highly technical and security-conscious person might want to use PayPal. Highly secure, with a lot of control and choice.

    Now, I can understand wanting to protect the less-technical users. Send them emails every now and then, telling them not to click links in emails. Warn them if they're not using a secure browser. Provide technical support, walkthroughs, and as much hand-holding as you like.

    But please don't alienate those of us who know what we are doing by removing our choice. Don't block browsers simply for not supporting anti-phishing, or having it disabled -- some of us know how to read the address bar, and value our privacy. Block older, actually vulnerable browsers if you must, but do not make it a whitelist.

    The day I have to turn on user-agent spoofing to get to my money is the day I take my money somewhere else.
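The token scheme praised above (read a number off a hardware device, type it into the browser, no extra software) is what an event-based one-time password does. As an added example, not code from the thread or from PayPal, here is the server side of RFC 4226 HOTP: the code computation plus a verifier with a small look-ahead window, so a token whose button was pressed a few times without logging in still resynchronises, while codes from steps already consumed are refused. The secret and the expected values are the RFC 4226 Appendix D test vector (constructed data, not a real seed); the window size of 5 is an assumption.

```python
"""HOTP (RFC 4226) generation and verification (added example, not the thread's code)."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter step (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, submitted: str,
                window: int = 5) -> Optional[int]:
    """Check a submitted code against steps counter .. counter+window.

    Returns the new counter to store (one past the matched step) on success,
    None on failure. Storing the advanced counter is what makes an already-used
    code unusable again; compare_digest keeps the comparison constant-time."""
    for step in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step + 1
    return None


SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret (not a real seed)

if __name__ == "__main__":
    stored_counter = 0
    for code in ("755224", "359152", "755224"):
        result = verify_hotp(SECRET, stored_counter, code)
        print(f"counter={stored_counter} code={code} -> {'accepted' if result else 'rejected'}")
        if result is not None:
            stored_counter = result
```

The third submission in the demo is the first code replayed; because the stored counter has moved past step 0 it is rejected, which is the property that lets the token be typed into a plain browser window without any client-side software.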
  • Re:Yes. (Score:3, Interesting)

    by Opportunist ( 166417 ) on Friday April 18, 2008 @06:35AM (#23115396)
    Thanks for posting this, it saves me some typing.

    The only thing that changes is that the fraudsters don't have to be physically at your wallet anymore to steal your cards. ID theft has been around for as long as paying with your ID (be it CC or cash card) has been around. The only thing that changed is that they don't have to steal your card anymore, then phone you, pose as your bank and ask for your secret number to void your card. As stupid as it sounds, people fell for that.

    There is one, and only one, thing we can do to make ID theft harder (not impossible, though): Educate people that their personal information is not to be handed out like candy. Unfortunately, I don't expect much help from our governments in this issue. It kinda works against their agenda.
  • Re:Yes. (Score:3, Interesting)

    by Opportunist ( 166417 ) on Friday April 18, 2008 @06:50AM (#23115462)
    The obvious Userfriendly cartoon to this topic: http://ars.userfriendly.org/cartoons/?id=19991114 [userfriendly.org]

    Illiad already had that idea a decade ago. And it was already a good one back then. Unfortunately, how do you want to enforce it?

    I wouldn't react with keeping the "dumb" people out. But I would highly recommend (not require, just recommend) that people get some sort of "internet 101, do's and don'ts" class before hooking up. I'm honestly amazed that no bank or other financial page ever had the idea of offering such a course, free of charge. Just a few pages, informing you of the various scams and practices, as well as some counterstrategies when you think you might have already done something foolish. Setting up such a page, especially if you outsource it, runs in the four or lower five digit range. A single ID theft attack can easily reach 6 digits in damages.

    So I wouldn't say that only "dumb" people fall for such scams. It's simply that people don't even think a lot of the things that happen are possible. When they click a link, they expect to visit the page this link displays, they don't even know it's possible to show a completely different URL than what you link to. And that's just the tip of the iceberg. The idea that some BHO could hook into their browser and hijack a secure transaction is completely beyond their imagination. We have to educate the users. Information is the only sensible shield against ID theft.
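The point above, that a link can display one URL while pointing somewhere else, is something mail and web filters can check mechanically. The following is an added example, not code from the thread: a small detector that extracts a hostname from an anchor's visible text, resolves the host the `href` actually goes to (including the `user@host` form, which `urlsplit().hostname` handles), and flags the pair when they disagree. The sample links are constructed; `same_site()` deliberately uses a simple parent/subdomain rule rather than a public-suffix list, which a production checker would need.

```python
"""Detect anchors whose visible text names a different host than their href
(added example, not the thread's code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# A hostname-looking token: one or more dotted labels ending in a 2+ letter TLD.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def display_host(text: str) -> Optional[str]:
    """Hostname the visible link text appears to name, or None for plain text."""
    match = HOST_RE.search(text)
    return match.group(1).lower() if match else None


def href_host(href: str) -> Optional[str]:
    """Host the link really goes to. urlsplit().hostname discards any
    'user@' prefix, so 'https://www.paypal.com@evil.example/' yields evil.example."""
    parts = urlsplit(href.strip())
    if not parts.scheme:
        parts = urlsplit("http://" + href.strip())
    return parts.hostname.lower() if parts.hostname else None


def same_site(a: str, b: str) -> bool:
    """Same host, or one is a subdomain of the other (www.paypal.com vs paypal.com).
    Assumption: a simple suffix rule stands in for a public-suffix list."""
    a, b = a.strip("."), b.strip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_mismatch(display_text: str, href: str) -> Optional[str]:
    """Describe the mismatch when the text names a host the href does not reach."""
    shown = display_host(display_text)
    if shown is None:
        return None  # "Click here": nothing to compare against
    real = href_host(href)
    if real is None or not same_site(shown, real):
        return f"text shows {shown!r} but link goes to {real!r}"
    return None


def scan(links: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Run the check over (display_text, href) pairs."""
    return [(text, href, link_mismatch(text, href)) for text, href in links]


# Constructed sample anchors (the hosts are the ones named in the thread).
SAMPLE_LINKS = [
    ("https://www.paypal.com/cgi-bin/webscr", "http://www.phishingurinfoz.ru/login"),
    ("www.paypal.com", "https://www.paypal.com@www.phishingurinfoz.ru/"),
    ("Click here to verify your account", "http://www.phishingurinfoz.ru/"),
    ("paypal.com", "https://www.paypal.com/"),
]

if __name__ == "__main__":
    for text, href, verdict in scan(SAMPLE_LINKS):
        print(f"{text!r:45} -> {verdict or 'ok'}")
```

The third sample shows the limit of this kind of check: text such as "Click here" names no host, so there is nothing to contradict, and the link has to be judged by its destination alone.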
