PayPal Security Flaw Allows Identity Theft
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
What most people don't realize is this, if your card number is stolen and someone uses it.. you aren't liable for the charge.
Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you wont have to pay it.
MABASPLOOM!
... Oh my God! How will the masses be able to buy gold for World of Warcraft? Something has to be done... GonzoTech
"Snatching defeat from the mouth of victory on a daily basis."
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?
What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.
GetOuttaMySpace - The Anti-Social Network
"by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?
Bored?
Yep. Right up there with copyright "theft". (It's not "theft", anymore than it's "murder".)
Illegal, sure. Immoral, why not. Unethical, I guess.
Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow.
Laws do not persuade just because they threaten. --Seneca
Interesting points... I don't think "Identity Infringement" has that same scary ring to it though.
You're right; it's not identity theft, it's identity fraud. Which, guess what, has its victims.
Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?
You have to understand.... in this society, in this day and age, people DO define (identify) themselves by the things they own, the money they have in their bank account, and their credit rating. Sad, really.
Not only did you not RTFM, you didn't even read the fucking summary... it was a valid PayPal site with elements from a different site that recorded what you did on the legit site.
today is spelling optional day.
It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.
It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.
In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.
'Identify Theft' is not a victimless crime (you've obviously never had your identity stolen).
They didn't forge it. They used cross-site scripting to inject malicious code into the real Paypal page - in other words there is a vulnerability in the scripting used that takes information probably encoded in the URL and displays it on the page as the Netcraft write-up shows. This is then used to redirect the unsuspecting user to the fake page.
This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.
... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.
Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is.
The server currently running the scam is hosted in Korea
North? South?
As I post this, 6 out of 8 top level posts have a '?' in the subject,
now 7 out of 9.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
First a little definition for you:
victim |ˈviktəm| noun a person harmed, injured, or killed as a result of a crime, accident, or other event or action.
a person who is tricked or duped : the victim of a hoax. a living creature killed as a religious sacrifice.
It would seem these folks are most definitely victims even if you don't consider having to clean your credit record up, dispute charges, and the general headache of canceling cards and waiting for new ones a "harm".
Just because something is stolen doesn't require that the person no longer has access to it. A number isn't some physical thing to be stolen and never returned to the world. . . "I'm sorry but all mathematics have halted, '2' was stolen years ago and no one ever caught the perpetrator". But don't be an idiot by somehow making a direct correlation between physical theft and the theft of a unique sequence of numbers allowing access to certain private information. Identity theft is the same concept, someone has stolen the necessary information to pretend to be someone they are not.
I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.
I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.
Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraught protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.
That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).
Yes, you aren't liable for credit theft; but getting your money back isn't always quick process (unless your bank/card offers 24-hour turnaround on fraud)
But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information; that's an even more painful process to sort out with the credit agencies (Equifax, et al.)
Just a bit of nit-picking.
You are correct. My identity has never been physically taken from me without (or with, for that matter) my consent.
(and 2 down-mods on a single post constitutes "excessive bad posting"? What kind of fascists are running this site?)
"Ask not what your country can do for you." --John F. Kennedy
Actually, it's a hell of a lot closer to theft than copyright infringement.
By using my identity (and credit and ....), the fraudster has impinged upon my ability to use it freely.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
I don't know how this is a surprise to anyone; "cross-site scripting techniques" are so common now they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it and that you can start with myspace.com.
TheADDkid.com
"Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?"
AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.
Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated, it actually disappears from person A to enter the possession of person B.)
And honestly seeing some of the arguments made, I can't help notice a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.
A polar bear is a cartesian bear after a coordinate transform.
Sorry, but if you are dumb enough to still fall for the "Update your account" email then you deserve to have your identity stolen.
This just in! 3 out of 4 people make up 75% of the population.
lrn2lol
That post was obviously made in jest as a poke at all the people that say downloading music is/isn't stealing.
Never follow a link in an email.
It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.
I rarely use paypal, checked my bank statement one day, and realized 2k was missing from my bank courtesy of paypal. I have never clicked on a paypal email, and so the only explanation I could think of is either gross incompetence at paypal, or a keylogger was on my system (which was doubtful). Of course, I run all the major spyware/adware/virus/rootkit detectors and nothing (and yes, I do have a firewall, do not use wireless on this computer, and have a good password).
So, no more paypal for me. Of course I eventually got my money back, but it was a major hassle. From now on I am creating accounts using temp credit card numbers.
This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.
First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.
You are right that 'identity theft' is a misleading and incorrect term. However, most people will just tell you 'I could care less.'
However, you are wrong that it is a victimless crime.
For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.
I'll probably be modded down for this...
- PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
- PayPal tells never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/
Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
Taking guns away from the 99% gives the 1% 100% of the power.
Oh, they still have an identity. Just not the one they had when they went to sleep. You see, I have an identity, as far as financial institutions are concerned, which can walk in, get a loan with a good rate, and walk out. Someone steals my identity, walks in, gets a good rate on a loan, never repays it... I wake up, I no longer have that identity. I was stolen. Pull your head out of your ass.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I might not identify myself by my money in my bank account or my credit rating, but I'd be pissed if it disappeared.
That's money I worked hard for, money that I set aside for an emergency, in case of job loss or accident.
While a credit rating is an artificial number, it is also a reflection of my financial history. I do pay bills on time, I am responsible with seeking credit. Through my actions, I can build up a good credit history, and when I need to go to get a loan, that credit history reports that I'm a low risk borrower. Identity theft is a form of libel. By stealing and abusing someone else's credit, the theft is (in effect) writing "don't lend to Mr. Smith, he has no intention of paying back his loans".
As for the things I own, if I lose them, it isn't the end of the world. But the stuff I own is stuff I paid for, and a fair chunk of my net worth in material goods is for work-related items: Vehicles, computer, books. These goods help me earn money. In effect, they are an investment. The rest is stuff I traded time (money) for so that I may enjoy them and live an easier life. That TV in the corner might be 4 hours worth of work, that table in the other room might be 15 hours worth of work. That dishwasher is 30 hours of my life. I'm not complaining about the work I've traded for those possessions because that's my decision. However, when some lazy thief takes away those goods, I will complain. If they want a TV, they can learn valuable skills and join the workforce like the rest of us.
Just my $.02
http://www.cgisecurity.com/articles/xss-faq.shtml
Believe me, if I started murdering people, there would be none of you left.
And don't forget that even once your own life and credit are restored... someone is out money.
Whether that is the vendor who sold an item or service and had the payment cancelled, or the bank that ate the loss: real money went into the hands of the thief and real money left the hands of someone else.
We all pay the cost of this: even if your Visa has never been stolen, merchants will pay higher fees to banks, banks will give less money to shareholders, and consumers will, as always just pay higher rates and prices and eat the loss.
A crime that injures a million people only marginally is still not a victimless crime.... especially when that crime is executed a million times a year. "Marginally" starts getting noticeable.
"It's a semantic point and one not even worth making."
Heh. Actually, I think he's pointing out Slashdot hypocrisy. From the responses he's gotten, I think he was rather clever about it. (I nearly replied and put my foot in my mouth.)
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Um where in the article did it say it was another email scam? Oh wait it didn't It has nothing to do with email it has to do with "They are presented with a message that has been 'injected' onto the genuine PayPal site" "via a cross-site scripting technique." It has nothing to do with email. RTFA
One day I woke up and started getting hundreds of collection calls. All my credit cards were deactivated. My bank account was frozen. Phone turned off.
I literally could not use my identity. It was like a DOS attack. I couldn't perform any financial transactions, it was a complete nightmare.
For years it was impossible to get credit.
I wish someone had infringed my identity, leaving me with my original one completely intact. But no...
Man, you really need that seminar!
I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:
I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.
Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
I hardly ever use it and PayPal is too big a target with too poor security, and almost nonexistent procedures for recovery after fraud.
I don't define myself by the money I have in the bank, but my landlord certainly does. The categorical definitions he applies to me are "tenant" and "recently evicted former tenant". So lets not pretend that the after effects of fraud are purely cosmetic.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
MO take 6 months to clear, are trivial to forge, and impossible to verify ahead of time. They bite even worse than Western Union for buyers.
When you commit copy-theft against a song, it makes the artistic owner of that song sad, and you can hear the sadness in their songs. Studies show that you can also hear the sadness in the original copy. The song didn't actually change of course, but it sounds sadder, because of all the crimes committed against it.
So copythieving does affect your ability to listen to songs.
- RIAA Anti Theft Squad
I'll probably be modded down for this...
I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.
Since the bubble burst, I don't have to worry about having a lot of money in a money market account.
Paypal's main site (http://www.paypal.com) does *NOT* do a permanent redirect to https://www.paypal.com, so if you hit www.paypal.com you give your paypal login and password in the clear. I've emailed them several times on this and have finally given up, as they don't bother to respond.
So if you can get in between Paypal and your target, you don't even need to fool anybody.
Uh, maybe I did read it, but still don't understand, and in typical fashion, got dogpiled by a bunch of self proclaimed experts. Typical
https://www.accountkiller.com/removal-requested
So it's what, identity copyright infringement?
They're there affecting their effect.
The exploit uses the concept of cross-site scripting (XSS, not CSS). XSS can work in some interesting ways to trick users. It's certainly more sophisticated than your typical "www.somerandomsite.com/ebay/login.cgi" phishing schemes you see.
You can read some more about XSS.
A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.
You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and redirect the login to the actual vendor. You never receive a hint that you were duped until the charges start showing up.
These days, a suspicious URL in your browser is often the only clue you'll get -- and if you don't have the latest patches for the popular browsers, the URL can be disguised.
This isn't to say that there is no stupidity factor. People still fall for the old style phishing scams like you described, or "validate your credit card number" scams with startling regularity. Most people fail to realize that a simple precaution can make you essentially immune to phishing attempts (like disabling HTML in emails).
However, the newest round of phishing is a lot more sophisticated, and a lot more convincing. As it becomes more prevalent, expect mass stupidity to be less of a factor in its success.
Never. If it's important, you can go to PayPal's website manually, through a different tab or browser window, and check for yourself.
Holy crap identity theft is NOT a victimless crime. Last summer I received a notice in the mail that a warrant had been issued for my arrest because I failed to pay for a ticket that I supposedly received in a city I've never been to! The ticket was for speeding and get this: failure to show an ID. Whoever impersonated me knew my name and DOB and the sad thing is that the police in TX do not take a picture or fingerprint when ticketing people w/o an ID - they just take their word for it (as opposed to Florida where I believe they take a fingerprint).
... and yes I have tried to get the police to find whoever is behind this but they are totally uninterested.
Well, that wasn't the end of it. I have received *3* more such tickets each of which have taken me countless hours to get dismissed (driving to the court house, pleading not guilty, seeing a prosecutor). I have written my representative, Brian McCall, and he does seem to give a shit that the system is broken and simply said he regrets my troubles. I have asked DPS to put a warning on my DL to no avail. I am actually considering legally changing my name as I really don't know what else I can do to prevent this from occurring again. It's totally frustrating to know that it will probably happen again and that the authorities are unable to prevent it.
If the email doesn't give you instructions on how to NAVIGATE to a section of their webpage then don't follow the link. No matter how smart we all think we are, we can be tricked. The best thing to do is always start from the company's main page, then browse from there. That way if anything happens, you can blame it on their site.
That's what I tell my wife, who gets lots of phishing emails, and it seems to work. It doesn't matter if your bank says they're going to shutdown your account, if they can't take the time to call you personally, have you call them personally, have you visit personally, or tell you how to navigate to a portion of their site then it isn't that important.
I tell people the same thing with scam emails that purport to be from the police/FBI/etc. I figure if the authorities really need to get a hold of me they can to do it in person.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Okay, your use of the word "victimless" leaves me in no doubt that you're trolling (or you have a fantastically understated sense of humour) but for anyone that might think otherwise:
Using the right sequence of moves, it's possible to start with a small number of stolen documents and work up until you have a passport, drivers license and birth certificate in someone else's name, and you've cancelled or destroyed the originals. At that point you really have stolen their (legal) identity. Officials are now more likely to believe your story than theirs. Of course your victim still has his identity in the philosophical sense, but since everybody uses documents as proxies for that, as far as the state is concerned you really have stolen his identity.
That said, you're right when you say this isn't identity theft. It's fraud. If you were *really* clever you might be able to use it as a basis for identity theft, but I doubt it. It doesn't give the fraudster access to any physical identity documents.
One day I woke up and started getting hundreds of collection calls... Phone turned off.
At least those calls weren't annoying.
To have a right to do a thing is not at all the same as to be right in doing it
it's a feature.
Seriously, it is. Look it up. It's unfortunate that the programmers down at PayPal don't have enough wisdom, foresight, and intuition to see that it could be used in such a way.
inject.
I got took for a paycheck's worth, with no high tech used or needed.
Someone hand copied all the info on my card, front and back, when it was used at a restaurant.
I called the bank (Fleet, often considered big and difficult), they looked at everything that happened, I told them which ones were bogus, their fraud department confirmed the details of the transactions (location, times, names - these people were dumb enough to charge at Woolworths overseas, and paid bills for Progressive insurance, ATT and Verizon cells and Cablevision - all eminently traceable).
They reversed the charges, and said they were still subject to verification, and since they were all as I presented them, I got it all back and kept it. Most of the money was back after the next overnight, the rest was back after two overnights.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
..if the user is savvy enough to know about SSL certificates and URLs you'd think he'd be smart enough NOT to click a link sent to him via email.
by sending the full headers and links to spoof@paypal.com
-- Tigger warning: This post may contain tiggers! --
You need to STFU. Obviously, you just have never *been* a victim of it. I have had an entire year of my life terrorized by some jackass in England. The banks, credit reporting Bureaus and card issuers couldn't have given less of a shit. Even though in my case, it was entirely and collectively their fault. The credit industry and Paypal's insecurity creates real, seriously injured VICTIMS all of the time.
There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?
The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:
<form method="post" name="login_form" action="https://www.paypal.com/
In other words, it's no wonder they haven't fixed it - nothing is broken.
When I hear "identity theft" I pretty much see it as someone having their financial identity stolen or ruined. Yes, you still technically have it, but after someone's ruined your credit rating, it is useless until you can get all the bad stuff done to it out :)
As for it being a victimless crime, go ahead and post all your personal information; if you think there are no victims from identity theft then you wouldn't mind if it happened to you.
I think you missed the ironic intent of his post. But then, they don't say "thick as thieves" for nothing.
And now, a PSA from David Lynch.
It's important to educate oneself about basic security. Don't click a link in any email that refers to PayPal. As a matter of fact, there are few reasons to click links in any emails.
Just as important, seriously, educate others. Don't mumble "Darwin" or "figure it out yourself" when you can help someone else protect themselves or educate themselves about security threats.
Always report PayPal phish attempts to spam@paypal.com.
There's an excellent set of resources about phishing in general - and you can report phishing attempts at: antiphishing.org.
Not to be repetitive, but the best way to make a difference (in this case) is to help others and help yourself with education.
A Passionate Independent Musician
I meant to say spoof@paypal.com.
Sorry, I must have been hit with the stupid stick today.
If you get a message from any organization you deal with online, your bank, eBay, even your free webmail account, do NOT click on the link. Go to their site and log in as you normally do. Why? Well, because if they need something, the site will let you know as soon as you log in. There's no possibility for any kind of redirection attack since you actually went to the site properly.
in their attempt to break into the on-line payments business?
I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.
Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
There's nothing like the feeling of NOT getting a credit card bill once a month, except not having a car payment to make, or a mortgage payment to make either. (I 'lucked out' despite having MS.)
:-)
I have ONE credit card left and that gets used judiciously. Its also a pay by phone type deal with security identification.
I have no credit rating because I don't WANT any (and I can afford NOT to have any.
You wouldn't believe the number of CapitalOne offers that I've put through the shredder over the years.
When I was young, broke but promising, I could have used the credit. But I didn't have any.
Now that I'm an old fart, I'm stumbling over piles of credit card and 'mortgage renewal' offers.
Well they can all go fuck themselves.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
an 'upgrade'?
What the heck is wrong with you?
"Identity Theft" isn't too far off the mark semantically, but I prefer the term Identity (or Reputation) Fraud which, to my mind, seems more precise.
Schwab
Editor, A1-AAA AmeriCaptions
The thing that made me most angry was the pure crap they bought. 8 cellphones? $500 at hot topic?
Man, you really need that seminar!
It displays the actual content of the link as a pop-up.
I then copy the link into a browser window but not the URL portion. I usually have NW-tools.com up on my browser and use that to check the origin of the message.
I do that with all the phony 'meds' spam I get too.
People have to be really STOOP-ID to click on a link on an email.
I don't even do that with mail purporting to be from people I know.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I agree about stupidity still being necessary; the headline made it sound like PayPal itself had been hacked & compromised without user interaction. This belongs in the Phish bucket.
Sure, a site can adopt practices to make itself more resistant to cross site scripting, frame injection, etc., but this isn't anything new, and for the foreseeable future, there will continue to be browser flaws that the targeted site can do nothing about.
A preponderance of users will always be stupid. I don't see this kind of thing going away unless someone develops an ultra-hardened alternative browser, and it then becomes ubiquitous, i.e. a large majority of people never access sites with high-value PII any other way.
At a minimum, a browser for this purpose would have to be single instance, no tabs, no background windows, non-invokable from externally clicked hyperlinks, and resistant to programmatic instantiation. It would have to encrypt all cached data, and only submit requests to domains that were explicitly pre-authorized by the user -- with an IP check on the associated netblock & whois info at the time of the request.
For obvious reasons, this couldn't be a general-purpose browser. But financial services providers might stand to gain from a collaborative effort to commission such a browser & then *strongly* encourage (read: coerce) users into adopting it for sites with high-value private information.
Pi Ran Out
OK, I am stupid. If the "hackers" can present a legit SSL certificate, what good is it? The whole point (at least my dumb ass thought) of an SSL certificate was to provide assurance that you are dealing with a legit vendor. I thought the exact domain name was encoded with the URL so that an SSL certificate could not be used with a bogus URL? Is it just that these hackers used a valid sub-page off PayPal's website?
Bottom line, what does one do to prevent this as a web host and what does one look for (aside from the obvious: be wary of the website asking you about your personal info) to know it's a scam?
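The two halves of the question above (what the certificate actually guarantees, and what a web host does about injected content) can be shown side by side. The following is an added example, not code from the article or from PayPal: a simplified hostname check of the kind a TLS client performs, and a constructed "resolution" page that echoes a query parameter into its HTML, once without output encoding and once with it. The hostnames and the `/cgi-bin/resolution?msg=` path are assumptions made up for the illustration; the injected marker is a constructed, harmless sample.

```python
"""A valid certificate binds a hostname to a key; it says nothing about what
the page contains. If the genuine host reflects a URL parameter into its HTML
unencoded, the real site serves whatever a crafted link carries, and the
certificate check still passes. HTML-escaping the parameter is the fix."""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def hostname_matches_cert(hostname: str, cert_names: list[str]) -> bool:
    """Simplified hostname matching, as a browser does it against the names in a
    certificate (constructed for illustration, not a full RFC 6125 matcher).
    A wildcard such as *.example.com matches exactly one DNS label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def _msg_param(url: str) -> str:
    """Pull the 'msg' query parameter out of a URL (assumed parameter name)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter straight into the page: the XSS defect."""
    return f"<p>{_msg_param(url)}</p>"


def render_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-escaped before it is emitted."""
    return f"<p>{escape(_msg_param(url), quote=True)}</p>"


def has_active_content(fragment: str) -> bool:
    """Crude detector for markup that would execute or redirect in a browser."""
    lowered = fragment.lower()
    return any(t in lowered for t in ("<script", "<iframe", "onload=", "onerror="))


# Constructed sample link: genuine host, crafted parameter.
CRAFTED_URL = "https://www.paypal.com/cgi-bin/resolution?msg=" + quote(
    "<script>alert('injected')</script>"
)

if __name__ == "__main__":
    # The certificate check passes because the host really is the genuine one.
    print(hostname_matches_cert("www.paypal.com", ["*.paypal.com"]))
    print(render_vulnerable(CRAFTED_URL))
    print(render_hardened(CRAFTED_URL))
```

The point for the web host is that `render_hardened` is the only line that matters: every place untrusted input reaches the response must be encoded for the context it lands in. The point for the user is that the padlock confirms only the host, which is why the thread's advice to type the site address yourself rather than follow a link still holds even when the link really does point at the genuine domain.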
The Netcraft anti-phishing Toolbar already protects PayPal users by blocking access to this site. IE and firefox users can download the toolbar as an extension to the browser and install it.
http://toolbar.netcraft.com/
Man is nothing, the work is everything: Gustave Flaubert to George Sand
Be careful using temporary credit card numbers. Some of them aren't temporary at all, just "sticky". For instance, Discover Card's number generator's numbers are good until the expiration date at the first vendor that uses it. So it's not much good for protecting your PayPal account if someone steals it from PayPal and uses it in another PayPal account.
I guess Netcraft has confirmed then, that PayPal is dying.
Next expect scammers to use Skype to phone you for your password, PayPal to empty your bank account, and eBay to sell the goods they steal from you. eBay is offering crooks one stop shopping to rip you off.
Oh You POS
http://slashdot.org/comments.pl?sid=188468&cid=15535469
...
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
"(you've obviously never had your identity stolen)."
Heh, actually he has! In fact, that is not really him.
...why it is that whenever I log into PayPal, the number of PayPal-phishing e-mails suddenly increases over the next few minutes? It's as if something is monitoring traffic destined for PayPal (a compromised router, perhaps?) and is automatically triggering phishing e-mails to the originating IP.
Has anyone else seen this?
--Rob
Towards the Singularity.
Even though this was 8 years ago, I still get the occasional reminder. Earlier this year I started getting calls from a creditor regarding Qwest wireless accounts, which I've already "straightened out" numerous times. Oh well. At least I can't declare bankruptcy easily anymore thanks to our vigilant legislature. Maybe they'll have time now to protect consumers.
Man, you really need that seminar!
--Rob
Towards the Singularity.
If I see anything notifying me of an account issue, if it looks like it could be legit, I go directly to the site by typing in the URL.
If there is a real account issue, and it's a company worth doing business with, I'll be able to find out how to resolve it without clicking on any external links to get there.
Now, if they have a way to crack into PayPal's website and insert the dangerous link... that's a problem.
Maybe both.
"No fear. No envy. No meanness." Liam Clancy
Old joke:
... wait for it ...
Someone stole all my credit cards but I've decided not to report it yet.
So far the thief is spending less than my wife.
They get the script injection by clicking on a malformed URL.
What would be the best way to get a whole assload of malformed URLs out?
Maybe email spams? Wow, what convoluted logic.
Mod parent (-1, Needs His Ritalin)
Even Wells Fargo and Yahoo have stopped doing this. They used to host http to https form login, but stopped because that's obviously not secure enough due to the lack of site certificate verification, and that "transit" step where somebody could have injected something.
I personally don't like the feeling that it could have been sniffed over the wire, although technically it shouldn't be possible with a POST to https.
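The http-to-https login pattern described above can be checked mechanically. The following is an added example, not code from the article or from any of the banks or sites mentioned: it parses a page for forms containing a password field and flags two distinct weaknesses, a form delivered over plain http (the page, and therefore the form's action, could have been altered in transit) and a form whose action posts to plain http (credentials leave the browser unencrypted). The page URLs and HTML are constructed samples.

```python
"""Audit HTML login forms for the two transport weaknesses discussed above."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records each <form> and whether it contains an <input type=password>."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url: str, html_doc: str) -> list[tuple[str, list[str]]]:
    """For every form with a password field, return (resolved action URL, findings).
    An empty findings list means the form is delivered over and posts to https."""
    parser = _FormCollector()
    parser.feed(html_doc)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A missing/empty action posts back to the page itself.
        action = urljoin(page_url, form["action"] or page_url)
        findings = []
        if page_scheme != "https":
            findings.append("form delivered over http: page could be altered in transit")
        if urlsplit(action).scheme.lower() != "https":
            findings.append("form posts to http: credentials sent in the clear")
        results.append((action, findings))
    return results


# Constructed sample pages (not real bank markup).
LEGACY_PAGE_URL = "http://www.example.com/"
LEGACY_PAGE = """<html><body>
<form action="https://secure.example.com/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

CURRENT_PAGE_URL = "https://www.example.com/"
CURRENT_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
</body></html>"""

PLAINTEXT_PAGE_URL = "http://www.example.com/login.html"
PLAINTEXT_PAGE = '<form action="login.cgi"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for url, doc in ((LEGACY_PAGE_URL, LEGACY_PAGE), (CURRENT_PAGE_URL, CURRENT_PAGE),
                     (PLAINTEXT_PAGE_URL, PLAINTEXT_PAGE)):
        for action, findings in audit_login_forms(url, doc):
            print(url, "->", action, findings or "ok")
```

The legacy pattern (http page, https action) is the one the comment says Wells Fargo and Yahoo abandoned: the POST itself is encrypted, but nothing protected the form that told the browser where to post, which is exactly the "transit" step the comment worries about.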
What? Are they sending out excel spreadsheets to their users?
----- I have bad karma for a reason! -----
This is not new. Legitimate sites are hacked more often than anyone cares to admit, and end up hosting fraudulent pages that indeed link to an outside page, often with the domain in the web bar masked. Everyone should know by now to go directly to a page, and those who chose to ignore this should either be banned from the internet as their falling for these scams encourages crooks, or else they deserve what they get.
Something else not new is domain masking, which I am sure you all know about.
*sigh* When your ID is stolen, as mine was the "good old-fashioned way" when I was 18 (25 now), it sets you up for years of frustration, thousands you can't recoup, and makes you wonder why the hell people aren't more vigilant about protecting their identity. Once it's lost, you've got no hope, and dozens of police reports are no longer enough to get a new social to get your life back on track. Finding another ding on your report, another credit card in your name, a speeding ticket in a state you've never been to...it all becomes just something you accept, though no less frustrating. And there is no end in sight, not until people wise up and guard themselves to discourage people from even trying. And even that won't be enough.
It's a girl!
Top 11 Signs You're a Victim of Identity Theft
Why can't people understand this!?!?!
There is NO identity theft. It is all identity FRAUD. F-R-A-U-D!
It's the same copyright theft vs copyright infringement argument.
Geeze people are retarded.
Libertas in infinitum
Please don't tell me I have to reset my password and re-enter all my credit card information for the fourth time this month!
Right, but my point is that during the dispute process, they have your money. In at least one case (linked to in the original comment), that process took a considerable amount of time. Had it been a credit card, Tom Tomorrow would not have been essentially making a loan of that money to the fraudster.
Laws do not persuade just because they threaten. --Seneca
I suppose a psychopath will say lots of wacky things, but do you know which one this was?
Laws do not persuade just because they threaten. --Seneca
Well, a first for me... they got me. I opened a new PayPal account on Monday, and by Wednesday, my credit card was being fleeced. Worst of all, there is no way these guys get caught based on the following actions by the involved entities:

PayPal: Classic. I contacted PayPal on Wednesday: "we have had no security problems.... Don't reply to phishing scams." (no shit sherlock, I just figured I was safe entering information directly into your website using SSL). When elevated up the customer support retard chain, I was then lectured on phishing scams (damn these people are bright), and told to contact my local authorities. Unreal... my local authorities... I wonder how many local reports are taken nationally due to these wankers. Follow up today (Friday): "you should contact our security" [by filling out our webform that warns you incessantly about phishing scams and that tells you after you fill out the form that they will get back to you in about 10 days... nice].

Mastercard: I contacted my credit card company; they cancelled the card but will not investigate until I fill out an affidavit, "which will take about 14 days to arrive."

Kmart: I contacted Kmart, being one of the companies that put through charges to my credit card. "We cannot give you any information without your purchase number" (unreal, my credit card is used for illicit purchases, and I cannot find out where they are shipping the goods). They were nice though, and suggested I fax information to them if I wanted to speak to a security person, and they also suggested I have my local police contact them.

Frederick's of Hollywood: Another company that put charges on my card: "We don't have a security department, call your credit card company." Will someone please shoot that g-string wearing cow.

Local Police: I filled out an online complaint on Wednesday with the financial fraud division of my local police department. Still haven't heard a thing.
I went the extra mile and filed a complaint with the FBI's Internet Crime Complaint Center. Classic moment in law enforcement... after filling out the extensive affidavit, I received a generated email that read in part, "The IC3 receives thousands of complaints each month and does not have the resources to respond to inquiries regarding the status of complaints. It is the IC3's intention to review all complaints and refer them to law enforcement and regulatory agencies having jurisdiction. Ultimately, investigation and prosecution are at the discretion of the receiving agencies." [in other words, we really don't do anything, best of luck old chap].

I wish the crew working this scam the best; they are truly disgusting, but ingenious. As for the entities above, the next time I hear a news report where they are whining about credit card fraud costing consumers and businesses millions, I'll just chuckle at how pathetic the reaction was to my inquiries. They really don't care.

Finally, some have posted that it won't cost me anything.... they are wrong. Some credit cards require the user to pay the first $50 of such fraud. And what about the people who just don't catch the fraudulent credit card uses? If you do not challenge the charge within 90 days, in most cases, you own the debt. Finally, by having my credit card cancelled for fraudulent purposes, I am the lucky recipient of a fraud alert on my credit statements with the credit reporting agencies for at least the next thirty days (I think 60). This means that I am barred from gaining any instant credit during this time period. Several years ago I had fraud on another credit card (authorities believed that the info was lifted from the card while I was on vacation when I paid for something at a restaurant). I cancelled the card, but a couple weeks later there I was buying $2,000 worth of lumber at Home Depot for a home project.
The clerk says to me, hey if you open up a home depot card, I can discount your purchase by 10%. Hey, I don't need a home depot card, but 200 bucks is nothing to sneeze at. After filling out the form, I was reject
I got a reply from PayPal's security today, basically a form note telling me the horrors of phishing and noting that "the email was not sent by paypal." I sort of wonder if they realize they have this security problem. These people kill me.
From the article:
"... are subsequently presented with another page which requests them to enter further details to remove limits on the access of their account. Information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN."
Now who in their right mind would ever enter their SSN or especially ATM PIN into such a web based form? The only place I have ever been asked to use my ATM PIN online is my bank's login, and I whined and cried to the bank about that. The bank now has a password feature that does not use the ATM PIN, which I feel much better with. My main problems with using the ATM PIN as an IP-transmitted login password were: A: It made my account less secure if my PIN was stolen via a store spycam or similar non-IP "over the shoulder" type exploit. B: The PIN length the bank used (4 characters) was too short for a decently secure transmitted password. C: Simple separation of risk. D: The only way I could change my PIN and thus my IP login was via a bank visit and a physical note to a cashier. My bank now allows for an 8-16 character login password that I can change over IP.
Other notes on these issues. I recently backed out of a credit report service signup form because I was uncomfortable with the information they wanted. These credit reporting agencies and the information they want make me nervous. I have used one of the big three a couple of times before and guess I will probably just stick with the expensive services they offer. I ALWAYS do my banking with a single session of Firefox or Mozilla, clear the cache and kill the session when I am done, then start a new instance BEFORE I browse anything else. Of course this is pretty much not possible with PayPal and eBay. However, I typically only use the eBay provided "Pay Now" button in "My eBay" instead of one provided by a vendor, even if I have to use their checkout service to process my shipping address and such.
It is unfortunate that it does seem to require more than just "a little common sense" to use such online services safely. To be any kind of safe, it seems one needs to be almost pathologically paranoid. The silver lining is, at least I guess, that part of my sometimes warped psyche finally might work for my benefit.
Matthew
My bank has switched to using website messages because of the spam emails. I love the ones I get for Chase when I have never had an account with Chase.
Well the smart thing then would be to have an account that doesn't allow overdraft. For all the banks I've dealt with it's an option. In many it's a privilege (e.g. people with bad credit cannot get an overdraft account, as it is a form of credit itself).
Plenty of people I know don't have an overdraft account. Attempt to go $0.01 above what they're holding as a balance and the transaction is rejected.
Some people will never learn:
http://ars.userfriendly.org/cartoons/?id=20030823&mode=classic