Domain: paypal.com
Stories and comments across the archive that link to paypal.com.
Comments · 483
-
Wait...
Entering my PayPal login details on some random webpage, without even the convenience of being able to verify the https://www.paypal.com/ in the address bar?
Phishing begins in 3... 2... 1...
-
Re:Why Me...
Paypal has foreign transaction fees too. $0.30 + nearly 4%. I found out about this the hard way because I sold a high-value item to someone that had a Florida address, but whose Paypal account was apparently linked to a foreign bank. As a result, I paid about $30 extra in Paypal fees on a hand-made item that only had about $100 in pre-fee profit as it was. (And if you're wondering, the buyer was legit: not a scam.)
As a buyer, you never see these fees (and the seller is prohibited from adding them only to international orders), but rest assured that nearly all sellers take them into consideration when pricing their merchandise if any significant percentage of their sales are foreign.
-
It's like banking, without consumer protections.
PayPal calls this WebSite Payments Pro. They don't use the word "Open", at least not to developers.
What they are offering is essentially the same thing banks offer as "merchant accounts" that connect to "shopping cart" programs. But, this being PayPal, without all the consumer protections that banks are required to provide. I've been reading through the documentation, and there's no sign of all the security requirements Visa imposes on merchants.
(Well, actually there is - under "Legal Agreements, Exhibit A". But there's no sign of technical requirements to back them up.)
-
Re:Um...guys....
Ditto, I also have integrated with that service, so this seems like a non-story, maybe a different rate schedule if anything.
"Website Payments Pro" https://www.paypal.com/uk/cgi-bin/webscr?cmd=_dcc_hub-outside
-
Re:Paypal uses an EV cert.
Do you really think the average user is going to notice a lack of green bar? Internet Explorer is going to accept this certificate as valid for https://www.paypal.com/ and there will be no hints to the user that it's actually illegitimate.
There are some things that should be taught in every school in America. Just as there are mandatory classes in sex education and home economics, there ought to be a mandatory class (at least a short one) about basic computer safety. This isn't a complete list, but it's a start:
- Never type a password into a site unless you see a lock icon in your browser.
- If you're used to seeing a green bar, and it disappears*, something is wrong.
- Don't click "ignore" when your computer gives you some gibberish about a certificate. That means something is wrong.
- Never open emailed attachments.
- Never click "yes" to dialogs you weren't expecting.
- Really, there is no prince wanting to give you millions of dollars for nothing.
- ...No, this particular prince isn't different.
- The dancing bunny isn't worth seeing.
- If a site asks you for personal information, ask yourself, "is this the kind of site that would legitimately ask for this kind of information?"
* browsers should warn about this case.
-
Re:Paypal uses an EV cert.
Do you really think the average user is going to notice a lack of green bar? Internet Explorer is going to accept this certificate as valid for https://www.paypal.com/ and there will be no hints to the user that it's actually illegitimate. Unless there's some other mechanism in Internet Explorer that will notice it got an EV cert in the past and is no longer getting it, then this cert is entirely usable for a man in the middle.
-
Re:Probably just the first step
You're kidding, right? Paypal didn't send a mass e-mail to all its users saying "Dear Customers, We're jacking up our fees!". Instead, they sent out a mass mail that said "Dear Customers, We updated our Terms of Service. By doing nothing, you agree that you accept the changes."
Take a look at Paypal's legal page. The Paypal "Terms of Service" are actually 14 different agreements, all written in legalese, all saying that they can be changed at any time for any reason by Paypal. All together, the agreements add up to 4000 lines, give or take. Not every user is subject to every agreement (some are for specific services), but many are.
So can you really say with a straight face that you believe it is reasonable to expect Paypal users to reread 4000 lines of legalese every time Paypal announces that they've made some change to the agreement? It's not like they're providing diffs. They do not want their customers to understand these agreements or how they have changed because they are dishonest. That's the crux of the issue - Paypal is acting in bad faith to screw their own customers and hiding behind legalese when called out on it.
-
Re:Not to be an apologist...
It's not often that I point to Paypal, for the way to do something right, but...
Your original transaction fee will be credited to you. When issuing partial refunds, a portion of the original fees paid will be returned to you.
-
Re:Not the end of the world
The certificate won't be valid for the site that you wanted, but that won't matter because it'll have redirected you to https://[a load of characters that look like 'paypal.com/somepath' but are actually non-ASCII characters].evil.com with a wildcard certificate for *.evil.com and look like https://paypal.com/some-path-here-that-is-really-really-really-really-long.evil.com/
Hrm. I must have missed that; it's a clever trick. Then again, I've always thought international domain names were gratuitously unnecessary.
The solution to this problem is simple, and I'm surprised browsers don't do this already: add any fake '/' character that isn't already in the IDN blacklist. In Firefox, network.IDN.blacklist_chars already contains plenty of things that look like '/'. Maybe other browsers need to follow its example.
-
Re:Not the end of the world
If you read some of the articles (Forbes and a linked one) he can spoof the appearance of a valid certificate as well using International Domain Names. The certificate won't be valid for the site that you wanted, but that won't matter because it'll have redirected you to https://[a load of characters that look like 'paypal.com/somepath' but are actually non-ASCII characters].evil.com with a wildcard certificate for *.evil.com and look like https://paypal.com/some-path-here-that-is-really-really-really-really-long.evil.com/
For the basic attack, actually checking for HTTPS and a proper validation (not just a padlock, but a padlock and the other markers) would suffice, but for the fuller attack that takes advantage of the IDN you'd probably need to read the certificate itself, which would require you to know which certificate you're expecting, which would require something like a page with the signature on saying "look for this", which could then also be spoofed (in cases where it was worth it, e.g. a bank).
-
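The look-alike trick in the two comments above (a hostname label stuffed with characters that render like '/' so that evil.com reads as a path under paypal.com) can be checked mechanically. The following is an added example, not code from any commenter or from a browser: it pulls the host out of a URL, flags characters that fold to '/' or '.' under NFKC or that sit on a small look-alike list (an assumed list for illustration, not the real network.IDN.blacklist_chars value, which is longer), renders the host in punycode the way browsers do when they refuse to show a label in Unicode, and reports which registrable domain the request would actually reach. The sample URLs are constructed.

```python
import unicodedata

# Look-alikes for '/' and '.' that can be placed inside a hostname label so the real
# registrable domain appears to be part of the path. Constructed for this example;
# it is not the actual value of Firefox's network.IDN.blacklist_chars.
SLASH_DOT_LOOKALIKES = {
    "\u2044": "/",  # FRACTION SLASH (no compatibility decomposition: only a list catches it)
    "\u2215": "/",  # DIVISION SLASH (likewise)
    "\u29f8": "/",  # BIG SOLIDUS
    "\uff0f": "/",  # FULLWIDTH SOLIDUS
    "\u2024": ".",  # ONE DOT LEADER
    "\uff0e": ".",  # FULLWIDTH FULL STOP
}


def extract_host(url: str) -> str:
    """Pull the host out of a URL by hand: urllib rejects some of these code points in
    the authority before we get to inspect them. Userinfo and port are stripped;
    IPv6 literals are not handled, which is fine for this demonstration."""
    _, _, rest = url.partition("://")
    authority = rest.split("/", 1)[0].rsplit("@", 1)[-1]
    return authority.split(":", 1)[0].lower()


def registrable_domain(host: str) -> str:
    """Last two DNS labels. A browser consults the Public Suffix List instead (so that
    'evil.co.uk' is kept whole); two labels is enough to make the point here."""
    return ".".join(host.split(".")[-2:])


def display_host(host: str) -> str:
    """Render every non-ASCII label as xn--<punycode>, the fallback a browser uses when
    it refuses to show a label in Unicode."""
    out = []
    for label in host.split("."):
        out.append(label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def analyse_url(url: str) -> dict:
    """Flag slash/dot look-alikes in the host and say where the request really goes."""
    host = extract_host(url)
    findings = []
    for ch in host:
        if ch.isascii():
            continue
        folded = unicodedata.normalize("NFKC", ch)
        name = unicodedata.name(ch, "?")
        if folded in ("/", "."):
            findings.append(f"U+{ord(ch):04X} {name} folds to '{folded}' under NFKC")
        elif ch in SLASH_DOT_LOOKALIKES:
            findings.append(f"U+{ord(ch):04X} {name} is listed as a '{SLASH_DOT_LOOKALIKES[ch]}' look-alike")
    return {
        "registrable_domain": registrable_domain(host),
        "display_host": display_host(host) if findings else host,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed samples: the genuine site, and a host that reads as paypal.com/... but lands on evil.com.
    for sample in (
        "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
        "https://paypal.com\u2044cgi-bin\u2044webscr.evil.com/",
    ):
        r = analyse_url(sample)
        print(f"{sample}\n  shown as: {r['display_host']}\n  really:   {r['registrable_domain']}")
        for f in r["findings"]:
            print("  -", f)
```

The two kinds of finding are deliberately separate: a look-alike with a compatibility decomposition (FULLWIDTH SOLIDUS, for instance) is caught by any NFKC-based check, while FRACTION SLASH has none and survives normalisation, which is exactly why browsers keep an explicit blacklist on top of the IDNA mapping step.
-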
Re:Odd choice of words
Wrong. User types "paypal.com" into their URL bar. Browser sends a request for http://paypal.com/. PayPal might automatically redirect to HTTPS (in fact it does, when I try it), but by then it's too late. A MITM can have already served up the fake page as HTTP, and few users will notice the difference.
Replying with a 302 to an http request or responding to an "https link click" is not encrypting everything.
But paypal.com does not have to reply with a 302 to the http request. Or better yet, we could all just strongly discourage using a redirect from http to https under any circumstances, and utterly ban https clickys in http (like the wachovia site). The latter concern is totally unforgivable. The user has to take it on faith that the POST is secure.
The .secure TLD doesn't sound like a terrible idea, but wouldn't it be easier to approach this from the browser? We could accommodate the keyboard-averse by having some gui element for "secure" urls, that would behave differently than the normal url bar, i.e. prepend "https://" instead of "http://". On the server side, no more responding to http. Instead show a static page telling the user how to access the site properly.
Apologies if you've already read this, but here is the pdf from the conference.
-
Re:Odd choice of words
If they "would like it to be" secure all they would have to do is spend more money on their infrastructure to encrypt everything.
Wrong. User types "paypal.com" into their URL bar. Browser sends a request for http://paypal.com/. PayPal might automatically redirect to HTTPS (in fact it does, when I try it), but by then it's too late. A MITM can have already served up the fake page as HTTP, and few users will notice the difference.
What's needed is some way for the browser to know in advance that it should not accept any unencrypted traffic from the domain name. The only way I can see to do this is to encode that information in the domain name itself, for instance with a new .secure TLD. The only information available to the browser without going to the network is the domain name, so it seems like this is the only place to store "don't do stuff unencrypted" info.
-
Re:Let them sue
Lame and not informative at all. I have actually setup merchant accounts myself so let me explain something basic. All the fees are negotiable. You can in addition ask for a lower transaction fee and in place pay a higher percentage. For a food service merchant account that is the way to go. For high dollar items you want a high transaction fee so you can get a low percentage.
Fees are not that high. For instance Paypal is 1.9% to 2.9% + $0.30 USD. See here...
https://www.paypal.com/cgi-bin/webscr?cmd=_wp-standard-overview-outside&nav=2.0.0
So basically you either had a shitty merchant bank or you pulled the numbers out of your ass.
-
Re:Harsher Consequences?
Perhaps something like This?
-
Re:Why the Bleep should they?
Yes, some might even call 5% a lot...
Transaction Fees
Now, if the payment could somehow be processed via mobile, oh wait...
Mobile Payments
[note, I'm not affiliated with the company directed to by the above links]
I don't know Apple's terms and policies for iPhone very well, but from what I've heard they seem completely draconian.
-
Re:Username/password combo for banks flawed.
It's $5, and it changes every 30 seconds, and I'm quite sure it's generated by an algorithm contained in the device itself – no satellite signal required. (Satellite signals have trouble penetrating buildings anyway.)
-
Re:I wish
Found a public paypal page with more info about it.
-
Re:I wish
PayPal has a keyfob which generates random security codes (every 30 seconds the code changes). You enter the current code, and it allows you to log in. Presumably the other sites work the same way (eBay should be identical since it merged with PayPal anyway).
-
Re:Slashdotted
Right... but if somebody MITMs both the CA and PayPal, they can run an encrypted server "at" https://www.paypal.com/ -- and you just got phished, despite whatever precautions you thought would save you.
-
Re:It's your job...
I don't have my copy of the ACM code of ethics, but this seems pretty borderline to me.
Depending on the details, I don't really see an ethical issue here.
If "scraping" is done so as to not put a heavy load on the servers, it's no more unethical to do it automatically than to hire a bunch of drones to compile the data manually. Copyright does not apply to the raw data. Site's "Terms of Service" are baloney (by reading this post this far you agree to send me $20); when you publish information you cannot put restrictions on its use. I see more of an ethical problem with putting up such bogus "Terms of Service" than with using the data.
As for using free accounts, it might make for an unprofessional and shoddy product - which would be grounds to object - but there's nothing inherently unethical about using a free service for business purposes. A lot of small businesses use a Gmail or Yahoo! e-mail account, for example.
-
Re:Actually they are right
Actually it looks like that page about the FSA probably is a relic - from Paypal Lux migration FAQ:
What is the change to PayPal and my account? PayPal was granted a bank license with the Luxembourg bank authority. Under this license, PayPal will be regulated centrally by the Commission de Surveillance du Secteur Financier (CSSF), the Luxembourg bank authority. On 2 July 2007, your customer relationship will be automatically transferred from PayPal (Europe) Ltd. to PayPal Luxembourg.
So, Paypal (Europe) Ltd. may well have an e-money license, but you aren't a customer of them anymore :-)
-
Re:Actually they are right
According to this article in the Telegraph, PayPal moved to Luxembourg and became a bank.
Whether they're still regulated by the FSA is an interesting question. They claim to be. However, this may just be a relic of the pre-Luxembourg organisation, or it may be a way of avoiding the need to be re-approved as an e-money issuer.
E-Money balances aren't covered by any form of insurance or security - the FSA e-money sourcebook states that companies must invest in high-security bonds etc., but ultimately a company could go bust and their users would have no more claim on their holdings than any other creditor. The £1000 amount is just an upper limit on an account balance before they have to tell you, and you have to agree that you know, that you have no right to compensation. You have no right to compensation anyway (ELM section 1.5) - the notification regulation is just there to limit the losses of those people who would claim that they never knew.
-
Re:Corrections
let's not forget:
reports to the IRS
offers money market accounts
all non-money market accounts are FDIC insured for 1,000,000
it isn't just acting like a bank, it is a bank, and it doesn't deny that.
They don't need tougher regulation, the problems people have are *because of* the tough regulation- there are so many checks in place to try and stop money laundering, fraud etc
for example, if you've logged in from more than two computers in the past 24 hours (or as a result of the implementation, browsers..), if you and the person you are sending money to have logged in from the same ip address, if you are sending money to/from certain countries from outside of that country
-
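The two account checks the comment above mentions (logins from more than two computers in 24 hours, and sender and recipient having logged in from the same IP address) are simple to express as rules over a login/transfer event stream. The following is an added example with constructed events and made-up rule names; it is not PayPal's logic, and the page says nothing about how PayPal actually implements these checks. Counting (IP, user-agent) pairs rather than IPs reproduces the "browsers count as computers" quirk the commenter complains about.

```python
from datetime import datetime, timedelta

# Constructed event stream (not real PayPal data). Each record is one login or transfer.
EVENTS = [
    {"ts": "2007-08-01T08:00:00", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/2.0", "action": "login"},
    {"ts": "2007-08-01T12:30:00", "user": "alice", "ip": "198.51.100.7", "ua": "Firefox/2.0", "action": "login"},
    {"ts": "2007-08-01T19:45:00", "user": "alice", "ip": "192.0.2.44", "ua": "MSIE 7.0", "action": "login"},
    {"ts": "2007-08-01T20:00:00", "user": "alice", "ip": "192.0.2.44", "ua": "MSIE 7.0", "action": "send", "to": "bob", "amount": 250.0},
    {"ts": "2007-08-01T20:05:00", "user": "bob", "ip": "192.0.2.44", "ua": "Firefox/2.0", "action": "login"},
    {"ts": "2007-08-01T09:00:00", "user": "carol", "ip": "203.0.113.99", "ua": "Safari/3.0", "action": "login"},
    {"ts": "2007-08-01T09:10:00", "user": "carol", "ip": "203.0.113.99", "ua": "Safari/3.0", "action": "send", "to": "dave", "amount": 40.0},
    {"ts": "2007-08-01T10:00:00", "user": "dave", "ip": "198.51.100.23", "ua": "Firefox/2.0", "action": "login"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def devices_in_window(events, user, at, hours=24):
    """Distinct (ip, user-agent) pairs the user logged in from in the `hours` before `at`.
    Keying on the user-agent as well is what makes two browsers on one PC look like
    two computers, the over-trigger the comment describes."""
    since = at - timedelta(hours=hours)
    return {(e["ip"], e["ua"]) for e in events
            if e["user"] == user and e["action"] == "login" and since <= parse_ts(e["ts"]) <= at}


def login_ips(events, user):
    return {e["ip"] for e in events if e["user"] == user and e["action"] == "login"}


def score_transfer(events, transfer, max_devices=2):
    """Flags a transfer trips under the two heuristics (rule names are made up)."""
    at = parse_ts(transfer["ts"])
    flags = []
    if len(devices_in_window(events, transfer["user"], at)) > max_devices:
        flags.append("TOO_MANY_DEVICES_24H")
    if login_ips(events, transfer["user"]) & login_ips(events, transfer["to"]):
        flags.append("SENDER_RECIPIENT_SHARE_IP")
    return flags


def review_queue(events):
    """Every transfer with the flags it raised, in stream order."""
    return [(t["user"], t["to"], score_transfer(events, t)) for t in events if t["action"] == "send"]


if __name__ == "__main__":
    for sender, recipient, flags in review_queue(EVENTS):
        print(f"{sender} -> {recipient}: {flags or 'clean'}")
```

Alice's transfer trips both rules (three distinct devices in the preceding day, and Bob later logging in from the same address she used), while Carol's is clean; in a real system the shared-IP rule would also want to exclude large NATs and carrier proxies, which is where the false positives the commenter mentions come from.
-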
Re:SSL, anyone?
HOWEVER that is rarely the case, home pages are always straight HTTP.
https://www.paypal.com/
https://mail.google.com/
It's worth mentioning that if the government is going to go to some expense to implement DNSSEC, it would be far more beneficial for them to simply SSL all their sites.
there are trivially simple ways evil hacker can present content to me that will be HTTPS and yet be going to whatever site he does control, like simply pointing an insecure FORM at an HTTPS target on a URL evil hacker DOES own
Except that if the page that form is on is encrypted, he can't intercept it and send the form. That is, unless said page is on a domain he controls, as you say -- in which case, the URL will be https://evilhackersite.com/whatever, and I won't fill out the form, nor will my browser auto-fill my information to that page.
Combine that with clever framing
Irrelevant. Still doesn't get around the problem where the root frame must be a domain I trust -- meaning that domain could very well choose not to use frames. Problem solved.
some plausible sounding URLs
Extremely unlikely that you'll be able to get a cert for https://paypals.com/, particularly an extended-validation cert.
And borderline impossible that you'll be able to get one of those for any .gov domain, which is what this is about. How, exactly, are you going to fool me into thinking I'm on an https://whatever.gov/ page when I'm not?
What's more, every single attack you've described works just as effectively over DNSSEC. There really aren't many attacks which work over DNSSEC but not HTTPS, compared to the attacks which work over HTTPS, but not DNSSEC.
Suppose I can spoof your DNS. HOW CAN YOU EVER BE SURE ANYTHING YOU DO FROM THEN ON FOREVER is not under my control?
Firstly, it's unlikely you can spoof my DNS -- I VPN home when on untrusted networks, so you won't be doing it on the Starbucks wifi.
Second, it's simple: I use HTTPS, or better. You're not getting my email, or my PayPal account, or my Slicehost account, or anything else I care about.
-
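The "insecure FORM pointed at an HTTPS target the attacker owns" case from the exchange above is easy to check for in a page. The following is an added example, not code from the thread: it walks a page's forms with the standard-library HTML parser and reports password forms whose page arrived over HTTP (so a man in the middle could have rewritten the action before the user saw it), whose action is not HTTPS, or whose action host differs from the page host. The sample pages are constructed, not real PayPal markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and whether it holds a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._open = {"action": urljoin(self.page_url, a.get("action", "")), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and a.get("type", "text").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_forms(page_url: str, html: str) -> list:
    """(code, action) findings for every form that collects a password:
    PAGE_NOT_HTTPS      the page came over HTTP, so its action is not trustworthy;
    ACTION_NOT_HTTPS    credentials would be POSTed in the clear;
    CROSS_ORIGIN_ACTION the form posts to a different host than the page."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urlsplit(form["action"])
        if page.scheme != "https":
            findings.append(("PAGE_NOT_HTTPS", form["action"]))
        if target.scheme != "https":
            findings.append(("ACTION_NOT_HTTPS", form["action"]))
        if (target.hostname or "").lower() != (page.hostname or "").lower():
            findings.append(("CROSS_ORIGIN_ACTION", form["action"]))
    return findings


# Constructed sample pages (not real PayPal markup).
HTTP_HOME_WITH_HTTPS_LOGIN = """
<html><body>
<form action="https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit" method="post">
  <input name="login_email"><input name="login_password" type="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

HTTPS_PAGE_POSTING_ELSEWHERE = """
<html><body>
<form action="https://paypal-login.evil.example/collect" method="post">
  <input name="email"><input name="password" type="password">
</form>
</body></html>"""

if __name__ == "__main__":
    print(audit_login_forms("http://www.paypal.com/", HTTP_HOME_WITH_HTTPS_LOGIN))
    print(audit_login_forms("https://www.paypal.com/", HTTPS_PAGE_POSTING_ELSEWHERE))
```

The first sample is the "wachovia" pattern the commenter objects to: the form's action is HTTPS, but because the page itself came over HTTP the user has no way to know that the action they are about to submit to is the one the site intended. The second sample is the attacker-owned HTTPS target; it passes the padlock test and fails only the origin comparison.
-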
Re:Thanks, folks....
Anyone who wants to contribute to Ms. Lindor can do so here.
Ray, that link doesn't work, it looks like it was copied from someone in the process of administering their PayPal account or making a contribution, with a temporary session ID embedded in the URL.
You might want to get whoever's PayPal account that is to go into the administration of the account and get the correct link from there.
Give 'em hell, Ray. I don't even download music or movies illegally, and what the RIAA/MPAA is doing makes me sick. I've already donated today to the EFF specifically because of this story, and right now, I'm off to make a donation to Ray Beckerman PC. Keep up the great work, you really are making a difference.
Now stop reading Slashdot and go work on those response papers.
:-P
If you need character witnesses, post a story. I'm sure we can round up a few hundred thousand of them.
-
Thanks, folks....
Thanks for the support. The RIAA's motion is frivolous, and I will be responding to it in short order. The responsive papers are due October 13th.
It's just an obvious attempt on their part to weasel out of their liability for attorneys fees, after torturing this innocent woman for the past 3 years.
Some folks have indicated an interest in contributing financially.
Anyone who wants to contribute to Ms. Lindor can do so here. Anyone who wants to contribute to the Expert Witness Defense Fund, which helps people like Ms. Lindor with hiring experts and tech consultants can do so here. Anyone who wants to contribute to me, to help me with the work I do in my blogging and getting the word out, can do so here. Another way to help out my blog is to make purchases through the affiliate ads I post on the blog. (If there are products or services you're looking for that aren't represented there, let me know, and I'll try to get affiliate ads posted for them.)
Here is my post providing the details of the accusations.
The RIAA's litigation campaign is in its death throes, as are the 4 big record companies who are behind it. I guess this is the way dying hyenas act, they lash out. Not to worry, they will still lose.
-
Re:Plaintext passwords?
you use one of these: https://www.paypal.com/securitykey
-
Re:Using postal information to validate cards
No matter who you bank with, you can make one-time payments using the PayPal Plugin, even to merchants who only accept traditional bank cards.
-
Re:Security Is worth It With all the Troll Sites
That's a reasonable idea... except that users have learned that "https" is synonymous with the padlock icon. The padlock is different in different browsers (Safari shows it in the corner of the titlebar, for example), and I think users are more likely to look at the URL than the padlock icon. Obviously this could change, if the padlock icon were made more prominent (and consistent across browsers) and users were retrained. In the mean time, most users (who are savvy enough to know anything about encryption at all) won't notice the difference between the real https://www.paypal.com/ (with the padlock icon to show the cert is signed by a trusted CA) and a fake https://www.paypal.com/ (without the padlock icon because it's a phishing site on a free wifi connection with a malicious DNS server).
Of course, none of this prevents a malicious network from redirecting http://www.paypal.com/ to https://www.paypal.com.phishing.example.com/ or other tricks that require the user to be paying less than 100% attention.
-
Re:This is stupid
Self-signed certs are still strictly more secure than completely unencrypted traffic.
Assuming they're legitimate -- which is, you know, impossible to verify, which is the whole fucking point of a certificate authority -- to give you a means to verify that a given cert is legit.
And if they're not legitimate, depending on the site, it could be a huge warning that you're being subjected to a man-in-the-middle attack. Depending on the site, this could be much more likely.
Let me put it this way -- you go to https://www.paypal.com/, and you get a self-signed cert. Give me one good reason why the user shouldn't get a giant flashing red warning that they're probably about to be phished.
-
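What the "Re:Odd choice of words" exchange and the "Re:This is stupid" comment above ask for (a way for the browser to know before the first request that a host must never be contacted over plain HTTP, and a hard failure rather than a click-through prompt when such a host presents a self-signed or otherwise bad certificate) is what HTTP Strict Transport Security later standardised in RFC 6797, with a browser preload list covering the first-visit gap. Below is an added example, not code from the thread or from any browser: a small model of the client-side policy, with an assumed preload list and an injectable clock so expiry can be demonstrated.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class StrictTransportPolicy:
    """Client-side model of HTTP Strict Transport Security (RFC 6797). Once a host has
    been seen over HTTPS with a Strict-Transport-Security header, or is on the preload
    list, the client rewrites http:// to https:// before the request leaves the machine
    and treats any certificate error for that host as fatal.

    `preload` is a constructed stand-in for the browser preload list (entries are
    treated as covering subdomains); `clock` is injectable for testing expiry."""

    def __init__(self, preload=(), clock=time.time):
        self.preload = {h.lower() for h in preload}
        self.known = {}  # host -> (expires_at, include_subdomains)
        self.clock = clock

    def observe_response(self, host: str, scheme: str, headers: dict) -> None:
        """Record the header from a response (header names assumed lower-cased).
        A header on a plain-HTTP response is ignored: a MITM could have inserted it."""
        if scheme != "https":
            return
        value = headers.get("strict-transport-security")
        if value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return  # malformed: leave any existing entry untouched
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        host = host.lower()
        if max_age == 0:
            self.known.pop(host, None)  # the site is withdrawing its policy
        else:
            self.known[host] = (self.clock() + max_age, include_sub)

    def is_strict(self, host: str) -> bool:
        """True if the host or a covering parent domain has an unexpired policy."""
        host = host.lower()
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.known.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """What the browser does before sending: http -> https for a strict host. This is
        the step that closes the "type paypal.com, get plain HTTP first" gap, but only
        once the host is known, hence preloading for a genuine first visit."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_strict(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def on_certificate_error(self, host: str) -> str:
        """RFC 6797 section 8.4: for a strict host a TLS failure (self-signed cert,
        unknown issuer, name mismatch) is a hard failure with no click-through."""
        return "hard-fail" if self.is_strict(host) else "prompt-user"


if __name__ == "__main__":
    fresh = StrictTransportPolicy()
    print(fresh.rewrite("http://paypal.com/"))  # unchanged: first visit, nothing known yet
    fresh.observe_response("paypal.com", "https",
                           {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    print(fresh.rewrite("http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"))  # now https://
    print(fresh.on_certificate_error("www.paypal.com"))  # hard-fail
    preloaded = StrictTransportPolicy(preload=["paypal.com"])
    print(preloaded.rewrite("http://paypal.com/"))  # https:// even on the first visit
```

The first-visit gap the commenter describes is visible in the demo: a fresh client leaves http://paypal.com/ alone, and only after one HTTPS response carrying the header (or with the host preloaded) does it rewrite the request before sending. The self-signed-certificate case from "Re:This is stupid" is the on_certificate_error branch: for a known-strict host the answer is a hard failure, which is the "giant flashing red warning" with the ignore button removed.
-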
Re:All that needs to be said
I had typed a response to this but I think slashdot ate it. I think it went something like this: You are an exceptional person and I greatly admire the continued commitment you have to the cause. I am not of the opinion that all lawyers are sleezeballs or anything like that and the phrase was meant to amuse as it typically does here though I suppose they'd be Maine country lawyers. Either way, you seem to be an exception in many ways. That you take the time to fight the case is not exceptional, there are a lot of great lawyers out there. That you ALSO take the time to update us, to keep us aware of the problems, and give us hope is above and beyond what I'd expect of anyone in any field. I did have a question: Does your client, if you can say, have a homepage or anything where they accept donations to assist them with their legal fund? As the first comment (hell both really) didn't suit properly I'll add that, in short (or really long actually), I truly appreciate the information you're sharing with us and thank you greatly for the time you take to keep us in the loop.
Thanks very much for your kind words.
In response to your question,
-you can contribute to Marie Lindor's legal defense fund by PayPal here, or by sending it to my firm and indicating that it's for Marie Lindor;
-you can contribute to the expert witness defense fund here;
-you can contribute to the legal defense funds of Tenise Barker, Joan Cassin, and/or Victor Torres, or to my blog, by making payment to my firm and indicating which defendant it's for;
if you want to contribute to a defendant being represented by another firm, I assume you can send payment to that firm and indicate which case it's earmarked for;
if you want to contribute to my blog you can send the payment to my firm, indicating it's a general contribution to the work of the law blog.
Also you can help support our work by patronizing the advertisers on Recording Industry vs. The People. We frequently have "affiliate ads" listed in the sidebar. If there are particular products or types of products you would be interested in, email me and I'll try to get advertisers of those products.
-
Subscriptions?
Hopefully Amazon takes a lesson from Google. One of the problems with Google Checkout is that they don't allow subscriptions to be created. Google's transaction fees are lower than PayPal's, or my merchant account's, so I'd love to use them more heavily, but that's a major roadblock. I'm sure a lot of other small businesses are in the same situation.
-
Re:What about compression algorithms?
I actually don't mind the purely mathematical or purely algorithmic patents. Phil Katz patented some efficient string matching algorithms that became a well-known compression program. He was a pioneer who pushed the field of CS. If Burrows and Wheeler wanted to patent their algorithm and license it as a compression technology, then awesome. And if the Fraunhofer institute found an efficient lossy way of compressing DCT using psychoacoustic modeling and licensed it, that's good for everyone.
The problem with software patents are with the system itself:
1) They are too long. You could renew a software patent for a period of time that is actually longer than the home computer has even existed. That's not reasonable.
2) The patents on things that are NOT algorithmic. Like adding "over a network" to regular everyday things and claiming that is patentable. Running an auction ...over the internet, or running an escrow service...over the internet, or even buying something from a catalog...in a particular number of mouse clicks. Those are not patentable. Those are absurd.
This foolishness is a recent development too. I doubt anyone has a patent on ordering from a mail order catalog...with a particular number of pen strokes. But for some brain-dead reason, adding "network" or "internet" makes it non-obvious.
-
Re:eGold now, Paypal next?
"Interesting. Who exactly is holding the few dollars that are presently in my PayPal account?
-
PayPal IS registered...
PayPal IS registered: See Paypal Licensing page.
-
PayPal fees
PayPal fees:
https://www.paypal.com/us/cgi-bin/webscr?cmd=_display-fees-outside&countries=ROW
In the table, see the row "Multiple Currency Transactions". It says, "Exchange rate includes a 2.5% fee**".
Also: "** If your transaction involves a currency conversion, it will be completed at a retail foreign exchange rate determined by PayPal, which is adjusted regularly based on market conditions." (My emphasis)
What I understand: We decide what the exchange rate is, then we add 2.5%.
Notice that there is also a link: "Fees for cross border payments". It goes to another page that mentions a 3.9% rate. I am not sure, but I think this is a fee that applies to all transactions through PayPal.
This definitely isn't good. However, I certainly believe it is fast.
-
Re:Synchronized Random Code List
Paypal is doing this now
-
Re:I don't type
I think this
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
is an ideal solution to keyloggers.
~Dan
-
Trying with Lynx:
lynx https://www.paypal.com/
SSL error:no issuer was found-Continue? (y) y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: cookie_check=yes Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: navcmd=_home-general Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: navlns=0.0 Allow? (Y/N/Always/neVer)y
# FINALLY there's a homepage. "Member Log In" is on the second page.
SSL error:no issuer was found-Continue? (y) y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
Refresh: 1 seconds
https://.../
SSL error:no issuer was found-Continue? (y) y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y ...
Ok, if I'd hit "a" to those cookies, it would've been a lot better. And there are a fscking LOT of cookies.
Now, I haven't actually tried to do anything with it so far, but I suspect that it would, in fact, work just fine. It's curious that it doesn't like the SSL -- I suspect that's a problem with my version of Lynx, as Firefox and Konqueror don't give me any SSL warnings. But other than that, Paypal isn't doing anything to block Lynx, and it looks reasonably navigateable.
-
Re:Open letter to PayPal
MITM... is actually pretty difficult
What makes you think I'll be connecting to my proxy as https://www.paypal.com?
It's not difficult to write an https client. It's marginally difficult to intercept all link URLs and replace them -- only really difficult because JavaScript may be involved, and it may be possible to simply filter JavaScript.
Regardless, I'll probably deal with it in a much simpler way: User-Agent spoofing till I can transfer my funds to people who don't discriminate by OS and browser.
-
Re:What If?...
Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
Hmm, just did a quick search of my Gmail inbox:
June 2007, from PayPal:
Subject: "Shop with PayPal for sizzling summer deals"
Prominently featured: "Take the Fight Phishing Challenge, Test your ability to spot fake PayPal emails."
May 2007, from PayPal:
Subject: "Now send money and make free calls"
#2 article: "Fight back against phishing"
February 2007, from PayPal:
Subject: Get a $15 cash rebate from PayPal
#2 article: "No Phishing Allowed. Fight back with our new Anti-Phishing Guide."
June 2005, from PayPal:
Subject: "Ten Ways to Spot Fake Emails"
The entire email is about spotting/avoiding phishing attacks.
Admittedly, they've been slacking off lately, but it's not like they've never tried it before. Also, a quick look at the PayPal Security Center reveals to me:
- Report fake (phishing) email
- Report fake (spoof) websites
- ...and a plethora of other tips and bits of useful information that any half-wit can find and understand
Honestly, I don't see how PayPal can be blamed for people's lack of willingness to self educate and be vigilant. It's your money, you need to protect it, don't rely on other people. They offer all the tools, it's up to people to take advantage of them and learn a thing or two.
-
Re:Legal status of PayPal?
I always thought that simply by being a bank they were subject to banking rules. So what you're saying is that they aren't providing their services as 'banking' services? The informative note they sent me when they moved last year wasn't very clear about that:
Beginning on 2 July 2007, a new PayPal company, PayPal (Europe) S.à r.l. & Cie, S.C.A. (PayPal Luxembourg), will become the service provider for PayPal in the EU. This is a Luxembourg entity regulated as a bank by the Commission de Surveillance du Secteur Financier (CSSF), the Luxembourg equivalent of the FSA. PayPal Luxembourg will provide the PayPal service throughout the EU. https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/general/LUXMigrationFAQ-outside
PayPal Luxembourg will be regulated to the same standard as all major European banks. Banking laws and standards in the European Union ensure that customers are just as protected by a Luxembourg bank as by a U.K., French, or German bank. Regardless of where you live in the European Union, you will still be able to address disputes through the U.K. Financial Ombudsman Service if you are unable to resolve them directly with PayPal.
-
Re:From the horse's mouth
You do realise that the PayPal and eBay management are ultimately one and the same, right?
From PayPal's website: Located in San Jose, California, PayPal was founded in 1998 and was acquired by eBay in 2002.
-
Re:Sites need to be more accountable
Paypal is one of the least secure financial sites on the internet. Not only are email addresses used as user names, there are no secondary passwords or pins for transactions
You mean like this?
Then there is the issue of accounts being linked with eBay with passwords often matching.
That's a user/human problem, not something specific to eBay and PayPal. While, in this case, because the two are the same company they could force consumers to have different passwords, it would negatively impact user satisfaction and it wouldn't solve the problem that the same password is likely to work on the user's online banking as well.
The police need to investigate these crimes and send the bill to the sites where the crime occured.
Do you propose the same thing should apply to physical crimes as well?
They should also automatically fine the criminals 20x what they stole and charge them for rent for the time they lock them up (which can be as little as 3 days, I don't think this matters).
Many criminals are criminals because they don't have any money. Shall we lock them up if they are unable to pay? It's been tried already. Take away hope and you only force criminals into greater levels of dangerous activity.
If any credit card fraud occurs, even in the smallest amounts, these cases need to be processed by law enforcement and fines need to be handed out. Too many people know they can get away with it, and keep repeating the same crime.
All big business is a matter of risk analysis and risk assessment, and believe me, the credit card companies spend an awful lot of effort on the issue. There is a level of crime and fraud where the effort and more importantly cost to prevent and prosecute offenders is greater than the cost of just writing off the damage. And the biggest groups of criminals are aware of where that limit is and make sure that they stay under it. And given that a large amount of fraud and theft is overseas in countries where getting someone prosecuted is difficult if not impossible, how much time and money do you think is reasonable to spend trying to chase them?
Don't get me wrong, there are problems with the system that should be fixed, but it's not as simple as you make it out to be.