Slashdot Mirror

Screw paypal. You don't need a paypal account to receive paypal payments - just an email address and a bank account ... https://www.paypal.com/uk/cgi-bin/webscr?cmd=p/ema/index-outside

In other words, paypal is trying to intermediate themselves between the banks, which already offer this exact same service, sans the paypal fees. If you have a bank account and online banking, your bank (at least in most parts of the world) offers this. You may need to dig around their web site a bit, or ask your customer service rep how to set it up, but it works.

All Paypal did was have a faq containing a list of anti-phishing features & browsers that support those features.

They don't recommend against Safari, they just recommend browsers that support anti-phishing features.

No doubt when Apple gets around to adding these features (pity Safari's not OSS, or it could be added easily by third parties), PayPal will add them to the list.

The kinds of people who fall for phishing scams aren't likely to pay attention to what PayPal advises them to do.

So why not cut the middleman and just advise them to not fall for phishing scams -- that is, to always verify https://www.paypal.com/ in the URL?

My ideal solution would be to have crypto built in to the card like the $5 Paypal security fobs. BTW, they work at paypal, eBay, and for Verisign's openID offering. Sweet!

PKI doesn't even solve the right problem a good chunk of the time. How many sites have a link on a non-secured page that refers to some third party order processing firm? A man-in-the-middle can tweak the received non-secured page to point to a different "secured" web server and the customer is none the wiser. PKI provides decent assurance when you type in a "https:" URL and very little when you click on a link, which is why PayPal inter alia warn you to type in the URL.

Not that any candidate would have the balls to say something like that but if they did, I'd get online and make a donation once I got up off the floor I was rolling and laughing on.

Well, feel free to write me in (I'm Constitutionally qualified, as a native born citizen over 35), and send those donations donation to tms@infamous.net via PayPal... :-)

What you describe is a vulnerability of the rather new, cheap domain-certificates. Instead of verifying whatever entity requested it and issuing accordingly, these certificates will be given out happily to anybody with the matching domain.
The classic flavour of certificates were issued only to verified companies and people. Check, for example, PayPal vs. a cheapskate ISP's web interface. Any good browser will display "PayPal Inc. (US)" or "*.ngz-server.de (DE)" in the status or address bar. With the former, a quick glance allows me to clearly identify that I am, indeed, talking to a company called PayPal, incorporated in the U.S. The latter doesn't tell me more than looking at the address bar would. Typosquatting becomes as easy as it is for domain names (some $10 of extra cost required). Creating a typosquat company, OTOH, is much more difficult, takes way longer, usually requires participation of at least one lawyer.

Unfortunately both IE6 (I don't have IE7 here, anybody care to check that?) and Firefox 2 go great lengths to hide this crucial information from their users. (Firefox turns the web into green meadows with BUNNIES and makes browsing veryvery SECURE!) Also, over 80% (according to a recent study to which I can't seem to find TFS; will get back if I do) of users will get fooled by padlock icons within the page they're visiting, ignoring indicators in the browser chrome.

This assumes that your users are savvy enough to understand that SSL does not prove the identity of the third party. For example, it would be possible to make an SSL gateway which proxies the traffic between both endpoints. This would have the effect of producing an SSL certificate error on the client(because they're not signed by a trusted CA), but with the average Joe just getting an error(to which they would presumably click accept/allow) and seeing that:

• They typed https://www.paypal.com/ in their browser, didn't click a link
• There's the little lock icon and it says paypal

They would probably enter their info in it anyway. This approach can also work anywhere public computers are used, with the added bonus that the computer could have the fake root CA approved, thus presenting no SSL certificate error at all.

There are ongoing research projects for mutual authentication(ie. you know that you're sending your data to a non-fake website and the bank knows that they're getting data from you and not a third party pretending to be you), such as ones involving Elliptic Curve Cryptography(ECC) over HTTP.

If you want to buy this "FOB", which is functionally identical to RSA's SecureID token, you can purchase it from PayPal, that calls it "Security Key" for an introductory flat $5, no shipping, or from VeriSign, that calls it "VIP Security Token" for $30 plus $6 shipping.

Paypal has been offering tokens for a while now (for $5). And they work with Verisign's Personal Identity Provider service.

So for $5 you can get a little "football" of a token that will work as an OpenID login for any site that supports open ID.

Also, there is one 'higher class' authentication layer implemented already, mentioned on episode 107 of security now podcast http://www.grc.com/securitynow.htm :

Verisign has an OpenID implementation, https://pip.verisignlabs.com/, with a plugin for firefox that makes it easy to manage signing into sites.

Verisign's implementation is already behind the paypal and ebay security fobs, and if you get a pip account, you can buy one and use it for secure authentication everywhere. They cost $30 from verisign, but only $5 from paypal: http://paypal.com/securitykey

Sounds a lot like paypal.

1. The seller's web site directs the buyer to a third-party payment processor such as PayPal, WorldPay, Amazon, or Google. Seller gives the seller's identity, a summary of the order, and an amount to the payment processor, and redirects the buyer to the payment processor.
2. The buyer authenticates to the payment processor, commonly using a password over TLS.
3. The buyer inspects the seller's identity claims, the order summary, and the amount, and approves the payment.
4. The payment processor deducts the amount from the buyer's account, adds it to the seller's account, notifies the seller of the order number and the amount paid, and presents a receipt to the buyer.
5. Buyer is redirected to the seller's web site.

So what you're saying is that if you provide a fake certificate, HTTPS is insecure.

What I'm saying is that what the other poster said isn't "horse****". If you jack into my ethernet hub, and it turns out that my ethernet hub is connected to a firewall like this, I can read your HTTPS traffic, if not most of your encrypted traffic. SSH is only protected because it keeps a list of known fingerprints and alerts you if something changed. If you get a completely different certificate for https://www.paypal.com/ tomorrow, as long as the browser can confirm that it was signed by someone it was configured to trust (for instance Microsoft, or AT&T), it won't even bat an eye.

Maybe the other guy was confused, or just confusing, but everything that he said is fully possible.

Dear Sir/Madam,

The quick brown fox has typed a red carpet introduction full of cheery bright frogs.

Legal Notice: By reading the above sentence, you have violated the international trademark/copyright law terms of this email agreement. Any forwarding/reproduction of this email will result in a copyright infringement upon the originator of this email. Please remit payment of $2,500 USD to prevent litigation to Paypal ID: carpetFrog

At least Seakip18 has the right idea. I think the sensationalist headline of "ebay hacked" is total BS. It's probably nothing more than the result of phishing. People are that gullible. 1. PLEASE for the love of GOD don't respond to suspicious emails spoofers' emails are looking more and more official and have fewer spelling errors than ever 2. DON'T click on any links from PayPal or eBay emails. Just type the site into your browser! https://www.paypal.com/ Let's be safe people!

It would be nice if someone bought some for a change. There's a few videos I've made for various albums, and, to stay on topic, mny remix of "me i'm not" that I wrote using the multi-track sources Trent released for his new album (which I think, personally, is his best work in years).

Of course, no one has really ever stolen my music, since I tend to give it away, following the 'try before you buy' approach that is preached around here. I just think that you can't steal what I give away, but sometimes it's nice to get something back to continue along with all the work that I've done over the years to make my albums, writing and artwork.

Of course, one can alway just make a donation or buy some merchandise if they want to support the cause as well. I've been on this site for years and follow it's practices well...unfortunately it doesn't seem to pay, or not at least yet.

I hear most my work is quite good, maybe you might think so too.

The paypal shopping cart has a feature to allow you to specify shipping on a per-item basis. This feature was also broken on the same day. The very example on their website

https://www.paypal.com/us/cgi-bin/webscr?cmd=_pdn_ cart_overrides_outside

Does not work, and adds the item with the default shipping.

I called to complain and got the typical run around, they send me to the example on that page, I'm like that's the example I'm using, oh can you please hold. What am I going to hold for. Well I need to check your website. What is the address of my website? Long pause. Can you please give your website address. Well why were you about to put me on hold if you didn't know my website name. Sir, if you would please just give me your website address then I can assist you further. Yeah right, you suck. Sir if you are going to use that type of language I am going to have to put you on... discontinue the call. Wait did you just almost say that you were going to put me hold if I used abusive language? Is that your company policy.



obligatory sucks link

http://www.paypalsucks.com/

https://www.paypal.com/cgi-bin/webscr?cmd=p/ir/lic enses-outside

Even in the financial services industry, there's disagreement over what a "bank" is. Consider

• PayPal. Probably ought to be regulated as a bank, but is not.
• Western Union, a regulated money transfer service.
• ETrade Etrade is a brokerage house, but owns a bank on the side. Both operate under the "etrade.com" domain.
• Bank of America is a major bank which owns a brokerage house on the side, the reverse of ETrade.
• L. F Rothschild. Once one of the old-line banking houses of Europe, after about three mergers and breakups, they do offer financial services to the public, but they're not regulated as a bank.
• UBS Financial Services. In the US, they're a brokerage house, but in Switzerland, they're the Union Bank of Switzerland.
• Provident Credit Union A credit union performs the basic functions of a bank; it takes deposits and makes loans. But it's not a bank.
• Provident Funding, which sells mortgages, but doesn't take deposits. They're the tenth biggest lender in the US, but not a bank.
• Mellon Financial Corporation. They own banks, but are not, themselves, a bank.
• Stanbic Bank of Nigeria Are they real?

OK, who gets to be in ".bank"?

You only need an email address (or phone number) to send paypal money. And here you go: mxhaard@magic.fr

Paypal link: Send money - Enter email or phone

-- Note: It's on his website as well: http://mxhaard.free.fr/apropos.html

Hell, even Paypal offers a secureID for less than $10
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/ securitycenter/general/PPSecurityKey-outside

No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ and http://www.paypal.com.scammer.cn/ or who rea and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.

The problem with bank sites and such isn't that the sites themselves get hacked - seriously, when's the last time Wachovia or Capital One's website itself was hacked and your account info stoplen from the site itself?

No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ and http://www.paypal.com.scammer.cn/ or who rea and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.

a .SAFE TLD won't make the sites any more safe, and will make them less safe, because people who don't know better will just assume that, because it's a .safe domain, it MUST be safe, otherwise it wouldn't be a .safe site, so they just go on entering all their private personal data into some bogus site.

.SAFE won't make things more safe, it will make them less, because <SPACEBALLS> Evil will always win, because Good is Dumb </SPACEBALLS>.

Perhaps, but your average spoofer isn't going to show that URL in the link; it would probably look more like http://security.paypal.com/ and the average user isn't going to be aware that the source URL for that link is not the same as what's being displayed.

Goofy.

The answer is simple. End-to-end encryption of _everything_.

One wonders how the Chinese government would respond to that.

• your hosts file for
• your DNS server
• the myspace.com domain name
• or otherwise already control your computer

Fuckit.

Self sign your own certs.

If google and paypal can't get it right why should anybody else care?

all people should care about is it's encrypted. Do you REALLY believe CA's check who you are?

A previous posting regarding cert keys hit the nail on the head.

paypal's acceptable use policy lays out only one scenario for receiving donations:

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/ use/index_frame-outside&ed=nonprofit

"To ensure compliance with state, federal and international laws, all charities and non-profit organizations that utilize PayPal to accept donations are required to receive authorization from PayPal before conducting such business. PayPal requires proof of tax exempt status or registration with applicable country specific regulatory bodies and takes certain due diligence measures to assure the legitimacy of the organization.

If you or your organization requires Charity or Non-Profit approval, please send your contact information, the URL address of your website, a brief organization summary and proof of your tax exempt or registration status to compliance@paypal.com."

there isn't another scenario listed for "receiving donations other than as a charity or non-profit". everything else is about goods or services. so, while perhaps noble, accepting donations when you are not officially a charity or non-profit lands you outside of their acceptable use policy.

In the meantime Paypal gets a nice fat interest on those funds.

Is the 5.03% per year their money market fund (Barclays International) pays "nice fat interest"?

Umm, you've been able to order a real plastic Mastercard debit card that deducts from your paypal account for some time now. You even get 1% cash back on all purchases. https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/c ps/general/PayPalDebitCardLP&channel=1&promo=761

Paypal has had that feature working with any browser, without installing any BHOs (or whatever the IE only software is they require now), and without having to be invited to the beta. Just go to https://www.paypal.com/cgi-bin/webscr?cmd=p/shop/v debit/

This feature has been around for years and years.

Apparently, the difference between this and the old Virtual Debit Card is that the new one provides a CVV2 number (the security code on the back). I've been using the old system online for a while and I've never had a problem with websites needing a security code (I think entering 000 makes it work?)

From their QA about the virtual debit card:

Q: What are the system requirements for PayPal Virtual Debit Card?

A: PayPal Virtual Debit Card is compatible with Microsoft Internet Explorer 5.01 or later. Other system requirements include:

Operating System: Windows 98, ME, 2000, NT, or XP
CPU: 133 MHz or higher
Memory: 128 MB RAM
Hard Disk: 2 MB space available
Internet Connection: 56K modem (Broadband recommended for optimal performance)
Web Browser: IE 5.01 or later

Need I say more?

I just want to say thank you publicly, you run a service that has helped out many folks, myself included.
And a reminder, EveryDNS.net runs on donations.
EveryDNS Donations

Thank you again.

ps: Wow, slashdot uid 18.

Looks like they last changed their dispute policy on Nov 2, 2006. I think it used to just be a page that said "FOAD, sucker".

Paypal is indeed a financial institution, but it is not a Bank.

https://www.paypal.com/cgi-bin/webscr?cmd=p/ir/lic enses-outside ..

Although your account in paypal is not FDIC insured, certain types of transactions through paypal are (as required by law) FDIC insured (up to $100,000)

Well, I just sent you a nickel through PayPal, and you now owe them 20c, so that's perfectly understandable ;-)

I blogged this recently:

1. The simplest (but most insecure) way to sell a track online is to simply edit the PayPal "Thank You" page on the site to include a link to the track. Basically what will happen is when someone buys something from your website, they click the "add to cart" button which takes them to the PayPal shopping cart where they fill in their billing information and buy. Once the transaction is complete, PayPal sends the customer back to a "thank you" page on their server. So, by changing that page to include a link to the track they can download it. (Now, I'm not sure how this would work if they bought a tee shirt or something else. - maybe they'd just get the mp3 for free in that case?) Anyway, the issue with this is that they can copy the link to that thank you page and give it to their friends who can then go to that page and download it all they want. (Probably not a huge deal at this level, but they may lose sales.)
   
   
2. So, there seems to be other people out there who want to do the same thing and there are several services that help out by simplifying and securing this process by providing an easy way to restrict the downloading of the track to only those who purchased it through PayPal. (The two listed below simply work with your existing PayPal account.) It looks like it would be pretty cheap to use either of these setups. (Actually they both offer either 1 week or 1 month free which might be enough time in my friend's case!)
   
   These two services allow you to upload the digital files you wish to sell to their server and enter you PayPal account information. They'll then accept the "Buy" button links from your website and pass them off to PayPal's standard interface for payment. PayPal then returns to their site for the "Thank You" page and a secure, limited time download URL is provided to the purchaser.
   

• EJunkie (Pricing)
• PayLoadz and PayLoadz Express (Pricing)
  
  Simple, straightforward and to the point!
  

You may be victim of software counterfeiting. This copy of Windows is not genuine and is not elegible to receive the full range of upgrades and product support from Microsoft.

Click Get Genuine now to get more information and resolve this issue.

[ Get Genuine ] [ Resolve Later ]

the only difference is that CC companies are regulated

In the UK, PayPal *are* regulated. The Financial Services Authority takes a dim view of electronic money institutions operating outwith their regulatory purview.

If it walks like a duck, the FSA (rightly) wants to regulate it like a duck.

Any self-respecting company now days has an 800 number for you to call. Paypal HAS an 800 number printed on their webpage somewhere

No, they don't. PayPal's customer service number is in area code 402. Please don't make statements without verifying them first.

Anyone with half a brain would go "A long distance number? what kind of BS is this?"

I guess that means you have half a brain, then.

What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).

It is trivially easy to contact PayPal by phone. I had a harder time reaching Sony than I did PayPal.

The first google hit for phone number site:paypal.com leads to a help page with a link. That link points to a second help page with the phone number and hours of operation printed clear as day. Typing phone number in PayPal's help system leads to the exact same page. When you contact them, the wait is usually less than three minutes. The phone operators open with a first name and a company ID code, and the system immediately forwards you to an automated quality survey after about one in three calls you make.

Every paypal page has a block of links at the bottom. In the dead center of that block, there is a link that says "contact us." If you click that, you are taken to this page, which has three headers: help by email, help by phone and merchant support. If you then hit "help by phone," you are taken to this page, where one of their half-dozen free support lines is printed clear as day.

If you're actually so dumb that you can't find this information on your own, here's a helping hand: 1 (402) 935-2050 . That line is open 18 hours a day (14 on the weekends.)

The only people who have trouble contacting PayPal are the dunces who hear it's hard and never try. Generally, they're the same dolts who announce to SlashDot how difficult something is that they've never tried, immediately after making some smarmy comment about how other people didn't try. If you really struggle too hard to use a simple help system, you need to get the hell off of your high horse talking about how lazy and ill informed other people are, and maybe just go to the mirror store.

Maybe in ten years you'll realize you were talking about yourself the whole time.

What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).

It is trivially easy to contact PayPal by phone. I had a harder time reaching Sony than I did PayPal.

The first google hit for phone number site:paypal.com leads to a help page with a link. That link points to a second help page with the phone number and hours of operation printed clear as day. Typing phone number in PayPal's help system leads to the exact same page. When you contact them, the wait is usually less than three minutes. The phone operators open with a first name and a company ID code, and the system immediately forwards you to an automated quality survey after about one in three calls you make.

Every paypal page has a block of links at the bottom. In the dead center of that block, there is a link that says "contact us." If you click that, you are taken to this page, which has three headers: help by email, help by phone and merchant support. If you then hit "help by phone," you are taken to this page, where one of their half-dozen free support lines is printed clear as day.

If you're actually so dumb that you can't find this information on your own, here's a helping hand: 1 (402) 935-2050 . That line is open 18 hours a day (14 on the weekends.)

The only people who have trouble contacting PayPal are the dunces who hear it's hard and never try. Generally, they're the same dolts who announce to SlashDot how difficult something is that they've never tried, immediately after making some smarmy comment about how other people didn't try. If you really struggle too hard to use a simple help system, you need to get the hell off of your high horse talking about how lazy and ill informed other people are, and maybe just go to the mirror store.

Maybe in ten years you'll realize you were talking about yourself the whole time.