Slashdot Mirror


PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

11 of 212 comments

  1. No signature = No liability by neoform · · Score: 4, Informative

    What most people don't realize is this: if your card number is stolen and someone uses it, you aren't liable for the charge.

    Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.

    --
    MABASPLOOM!
    1. Re:No signature = No liability by goodcow · · Score: 5, Informative

      I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

  2. Unless it's a debit card. by Grendel+Drago · · Score: 4, Informative

    Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow.

    --
    Laws do not persuade just because they threaten. --Seneca

  3. Re:Identity "Theft"? by llamalicious · · Score: 4, Informative

    I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.

    I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.

    Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraught protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.

    That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).

    Yes, you aren't liable for credit theft; but getting your money back isn't always a quick process (unless your bank/card offers 24-hour turnaround on fraud).
    But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information; that's an even more painful process to sort out with the credit agencies (Equifax, et al.)

    Just a bit of nit-picking.

  4. Re:how?? by shawn443 · · Score: 5, Informative
  5. I've got a fix by Dixie_Flatline · · Score: 5, Informative

    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

  6. A few things about PayPal by XxtraLarGe · · Score: 4, Informative
    I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
    • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
    • PayPal tells you never to click on a link to log in to their site. They say to always type the URL: https://www.paypal.com/
    Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
    --
    Taking guns away from the 99% gives the 1% 100% of the power.

  7. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative
    --
    Believe me, if I started murdering people, there would be none of you left.

  8. Re:how?? by ifoxtrot · · Score: 4, Informative

    To answer your question, in short, the attack doesn't work if you visit http://paypal.com/ manually.

    What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short, the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that PayPal is telling you that you need to go to another website to change your credentials.

    You still have to get someone to click on the crafted URL for this to work, though (hence why phishers are doing this: they're sending emails, or whatever), so it's not going to work for people who don't click on the URL in phishing emails.

    What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
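
    The mechanism ifoxtrot describes above (a URL parameter echoed back into a page on the genuine host), shown as an added example that is not PayPal's code and not part of the original thread. The handler names, the `return_to` parameter, the example.com URLs and the access-log lines are all constructed for illustration; the fix is plain HTML output encoding, and the triage helper is the kind of check a defender would run over web-server logs to spot crafted URLs after the fact.

```python
"""Reflected parameter echoed into HTML: the careless handler beside the
encoded one, plus a log-triage check for URLs that carry markup in their
query string.  Everything here is constructed for illustration."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def render_vulnerable(return_to: str) -> str:
    # Assumption: a template that interpolates the parameter verbatim.
    # Whatever arrives in the URL becomes part of the page's markup, so the
    # browser runs it with the genuine site's origin and certificate.
    return f"<p>You will be returned to {return_to} after login.</p>"


def render_hardened(return_to: str) -> str:
    # html.escape(quote=True) rewrites < > & " ' as entities, so the value
    # can only ever render as text, never as a tag or an attribute breakout.
    safe = html.escape(return_to, quote=True)
    return f"<p>You will be returned to {safe} after login.</p>"


# Markers that have no business appearing in a decoded query value on a
# page that only expects a path or a plain word.
MARKUP_MARKERS = ("<", ">", "javascript:", "onerror=", "onload=")


def suspicious_params(url: str) -> list:
    """Return (name, value) pairs whose decoded value carries markup markers.

    parse_qsl already percent-decodes once; the extra unquote() catches
    double-encoded values (e.g. %253C -> %3C -> <).  Intended for triage of
    access logs, not as an inline filter: encoding on output is the fix.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value).lower()
        if any(marker in decoded for marker in MARKUP_MARKERS):
            hits.append((name, value))
    return hits


# Constructed Common Log Format lines: one ordinary request, one carrying
# a tag in the echoed parameter.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Jan/2006:00:00:00 +0000] "GET /login?return_to=%2Fhome HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2006:00:00:01 +0000] "GET /login?return_to=%3Cscript%3E HTTP/1.1" 200 512',
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def triage_log(lines: list) -> list:
    """Return [(line_number, hits), ...] for log lines whose request URL
    has a suspicious query value.  Line numbers are 1-based."""
    flagged = []
    for number, line in enumerate(lines, 1):
        match = _REQUEST.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            flagged.append((number, hits))
    return flagged


if __name__ == "__main__":
    print(render_vulnerable("<script>"))   # tag reaches the page intact
    print(render_hardened("<script>"))     # tag becomes &lt;script&gt;
    print(triage_log(SAMPLE_LOG))
```

    The point the example makes is that the certificate and the hostname are both genuine in this scenario; the only defence on the server side is that the page never writes a request parameter back into HTML without encoding it, and `suspicious_params` is there so that a defender can find out from logs whether crafted URLs were ever served.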

  9. Remember, you can report such fraud email by WillAffleckUW · · Score: 4, Informative

    by sending the full headers and links to spoof@paypal.com

    --
    -- Tigger warning: This post may contain tiggers! --
  10. It doesn't need to be by a16 · · Score: 4, Informative

    There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?

    The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:

    <form method="post" name="login_form" action="https://www.paypal.com/

    In other words, it's no wonder they haven't fixed it - nothing is broken.