Slashdot Mirror


PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

19 of 212 comments

  1. No signature = No liability by neoform · · Score: 4, Informative

    What most people don't realize is this: if your card number is stolen and someone uses it, you aren't liable for the charge.

    Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.

    --
    MABASPLOOM!
    1. Re:No signature = No liability by goodcow · · Score: 5, Informative

      I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

    2. Re:No signature = No liability by telchine · · Score: 2, Informative

      What some people don't realise is that a lot of the credit card companies will put layer upon layer of bureaucracy in front of you to try and stop you claiming. Recovering stolen funds can be very time consuming.

      On top of that, you have to have cards re-issued and any recurring payments set up on them have to be re-established with the new card.

      For a lot of people, the fear of having their credit card details stolen is not about losing their money but the considerable amount of hassle involved in getting things back in order after the event.

    3. Re:No signature = No liability by rdavis542 · · Score: 2, Informative

      This is a great point, checking accounts are different beasts altogether. I set up a completely separate checking account at a different bank from my personal one for Paypal transactions only. It works because, yes it has the potential of being hacked, but they aren't privy to access my other primary accounts which pay my mortgage. If a customer has a rather large transaction I always do money orders.

    4. Re:No signature = No liability by neoform · · Score: 2, Informative

      Which is pretty much why I stay away from Paypal like the plague.

      Paypal is trying to be a bank without having ANY of the federal regulations set forth to banks. You have no insurance on any of the money in your paypal account, which could be 'frozen' at any time. It's a total wonder to me why anyone trusts paypal enough to give them their banking information..

      --
      MABASPLOOM!
    5. Re:No signature = No liability by schon · · Score: 2, Informative

      > I believe they are regulated as a bank just like a brick and mortar bank.

      You believe incorrectly.

  2. Unless it's a debit card. by Grendel+Drago · · Score: 4, Informative

    Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow.

    --
    Laws do not persuade just because they threaten. --Seneca
  3. Re:Identity "Theft"? by llamalicious · · Score: 4, Informative

    I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.

    I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.

    Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraft protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.

    That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).

    Yes, you aren't liable for credit theft; but getting your money back isn't always a quick process (unless your bank/card offers 24-hour turnaround on fraud).
    But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information; that's an even more painful process to sort out with the credit agencies (Equifax, et al.).

    Just a bit of nit-picking.

  4. Re:how?? by shawn443 · · Score: 5, Informative
  5. I've got a fix by Dixie_Flatline · · Score: 5, Informative

    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

  6. A few things about PayPal by XxtraLarGe · · Score: 4, Informative
    I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
    • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
    • PayPal tells you never to click on a link to log in to their site. They say always type the URL: https://www.paypal.com/
    Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
    --
    Taking guns away from the 99% gives the 1% 100% of the power.
  7. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative
    --
    Believe me, if I started murdering people, there would be none of you left.
  8. Re:how?? by ifoxtrot · · Score: 4, Informative

    To answer your question, in short the attack doesn't work if you visit http://paypal.com/ manually.

    What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that paypal is telling you that you need to go to another website to change your credentials.

    You still have to get someone to click on the crafted URL for this to work though (hence why phishers are doing this: they're sending emails, or whatever), so it's not going to work for people who don't click on the URL in phishing emails.

    What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
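    The mechanism ifoxtrot describes, as an added example that is not code from the thread or from PayPal: a page served over HTTPS by the genuine host reflects a query-string value into its HTML unescaped, so markup carried in the link becomes part of the real page and the certificate check proves nothing. The hostname, parameter name, log lines and injected text are constructed for illustration; the injected text is deliberately inert.

```python
"""Reflected XSS: vulnerable rendering, output-encoded rendering, and a
server-side log check. Constructed example; not the thread's or PayPal's code."""
import re
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def _msg_param(url):
    """Pull the (URL-decoded) 'msg' query parameter out of a request URL."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url):
    """Reflects the parameter verbatim: the class of bug the thread discusses.
    Whatever the link carried is now markup in the real site's HTTPS page."""
    return f"<p class='notice'>{_msg_param(url)}</p>"


def render_hardened(url):
    """Same page with output encoding: the value can only ever render as text."""
    return f"<p class='notice'>{escape(_msg_param(url), quote=True)}</p>"


# Detection over access-log request targets: does any query value decode to
# something shaped like an HTML tag? Decode first (parse_qs does), because the
# links in phishing mail arrive percent-encoded.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def has_markup_in_query(request_target):
    values = parse_qs(urlsplit(request_target).query).values()
    return any(TAG_RE.search(v) for vs in values for v in vs)


def flagged_requests(log_lines):
    """Return the 'METHOD target HTTP/x' log lines whose query carries markup."""
    return [line for line in log_lines if has_markup_in_query(line.split()[1])]


# Constructed inputs (hypothetical host and parameter names).
INJECTED = "<script>/* attacker-controlled */</script>"
BASE = "https://www.example-payments.test/cgi-bin/webscr?cmd=_login"
SAMPLE_URL = BASE + "&msg=" + quote(INJECTED, safe="")
SAMPLE_LOG = [
    "GET /cgi-bin/webscr?cmd=_login-run HTTP/1.1",
    "GET " + urlsplit(SAMPLE_URL).path + "?" + urlsplit(SAMPLE_URL).query + " HTTP/1.1",
]
```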

  9. Re:Identity "Theft"? by LunaticTippy · · Score: 3, Informative
    Speaking as someone who has suffered from fraud, you are wrong.

    One day I woke up and started getting hundreds of collection calls. All my credit cards were deactivated. My bank account was frozen. Phone turned off.

    I literally could not use my identity. It was like a DoS attack. I couldn't perform any financial transactions, it was a complete nightmare.

    For years it was impossible to get credit.

    I wish someone had infringed my identity, leaving me with my original one completely intact. But no...

    --
    Man, you really need that seminar!
  10. Re:That's fine by Anonymous Coward · · Score: 1, Informative

    Sorry, but you're wrong. If you look at the source code you'll see that the login form is submitted to a secure URL (via https). You can have secure forms on an insecure page.

  11. Minor hassle, 48 hours. Done. by jpellino · · Score: 3, Informative

    I got took for a paycheck's worth, with no high tech used or needed.
    Someone hand copied all the info on my card, front and back, when it was used at a restaurant.
    I called the bank (Fleet, often considered big and difficult), they looked at everything that happened, I told them which ones were bogus, their fraud department confirmed the details of the transactions (location, times, names - these people were dumb enough to charge at Woolworths overseas, and paid bills for Progressive insurance, ATT and Verizon cells and Cablevision - all eminently traceable).
    They reversed the charges, and said they were still subject to verification, and since they were all as I presented them, I got it all back and kept it. Most of the money was back after the next overnight, the rest was back after two overnights.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:Minor hassle, 48 hours. Done. by Dare+nMc · · Score: 2, Informative

      >I called the bank ... I told them which ones were bogus
      I dropped all my cards except those that allow online disputes for this. (for me) much easier to click the transactions, hit dispute, and forget about it until they call me, instead of 10 minutes on hold, then giving all my account details, mother's name, SSN digits... over an insecure link (any phone line, but especially my cordless phone at home; cell eats minutes) to get them to chat. Unfortunately the only cards I have found were Discover and AMEX that allow this, anyone know of a no fee visa/mastercard that allows this?

      The worst was my Sears MasterCard, do not get one of them. You gotta call, then snail mail back a signed thing that they must receive within 2 weeks of you finding the fraud (5 days to get the form, 5 days to return, = 4 days to fill out.) Also stated policy of almost all Visas is you can only dispute charges in your home state only... apparently un-enforceable, or un-enforced anyway, but then why have that hanging out there.

  12. Remember, you can report such fraud email by WillAffleckUW · · Score: 4, Informative

    by sending the full headers and links to spoof@paypal.com

    --
    -- Tigger warning: This post may contain tiggers! --
  13. It doesn't need to be by a16 · · Score: 4, Informative

    There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?

    The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:

    <form method="post" name="login_form" action="https://www.paypal.com/

    In other words, it's no wonder they haven't fixed it - nothing is broken.
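    The check behind a16's argument, as an added example that is not code from the thread or from PayPal: parse a page served over plain http and report every form whose action does not submit over https. It also covers the case a16's quoted fragment does not show: a relative or missing action resolves against the page's own URL, so on an http page such a form posts in the clear. The HTML and hostname are constructed; only the `login_form` line mirrors the fragment quoted above.

```python
"""Form-action audit for a page fetched over http. Constructed example; not
the thread's or PayPal's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionAuditor(HTMLParser):
    """Collects (form name, resolved action URL, submits_over_tls) for every <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = dict(attrs)
        # action="" or action="/login" is relative to the page URL, so it
        # inherits the page's scheme: http page => cleartext submission.
        action = urljoin(self.page_url, a.get("action") or "")
        over_tls = urlsplit(action).scheme == "https"
        self.findings.append((a.get("name", "?"), action, over_tls))


def audit_forms(page_url, html):
    parser = FormActionAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def insecure_forms(page_url, html):
    """Names of forms on the page whose submission would not be protected by TLS."""
    return [name for name, _, over_tls in audit_forms(page_url, html) if not over_tls]


# Constructed page (hypothetical host): an https login form as in the quoted
# fragment, plus a search form with a relative action.
SAMPLE_PAGE_URL = "http://www.example-payments.test/"
SAMPLE_PAGE = """
<html><body>
<form method="post" name="login_form" action="https://www.example-payments.test/cgi-bin/webscr?cmd=_login-submit">
<input name="login_email"><input type="password" name="login_password">
</form>
<form method="get" name="search_form" action="/search"><input name="q"></form>
</body></html>
"""
```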