Slashdot Mirror

← Back to Stories (view on slashdot.org)

PayPal Security Flaw Allows Identity Theft

Posted by ryuzaki0 on from the watch-your-back dept.

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

9 of 212 comments (clear)

  1. Trickery and Buggery by Billosaur · · Score: 4, Insightful

    When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

    What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

    --
    GetOuttaMySpace - The Anti-Social Network
  2. Re:No signature = No liability by Mick+Ohrberg · · Score: 5, Insightful

    It's still a hassle and a violation of privacy.

    --

    Quidquid latine dictum sit, altum sonatur.

  3. Re:No signature = No liability by HardCase · · Score: 4, Insightful

    Absolutely true, but, like everything else, there ain't no such thing as a free lunch. We all end up paying for it because reversed transactions are a cost of doing business that all merchants must calculate into their retail prices. If nothing else, it ought to cause people to be more aware of just what they're clicking on when they get an email.

    -h-

  4. Re:Identity "Theft"? by kenthorvath · · Score: 4, Insightful

    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggrevation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.

    In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.

  5. Stupidity still necessary by Draconnery · · Score: 4, Insightful

    This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

    Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.

  6. Suprise? by theaddkid.com · · Score: 3, Insightful

    I don't know how this is a surprise to anyone "cross-site scripting techniques" are so common now there writing magazine articles about them go look at the last 2600 and you will find out how to do it and that you can start with myspace.com.

    --
    TheADDkid.com
  7. Shouldn't be a problem by Todd+Knarr · · Score: 4, Insightful

    This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

    First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

  8. Re:No signature = No liability by Golias · · Score: 3, Insightful

    I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

    Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.

    If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.

    --

    Information wants to be anthropomorphized.

  9. Re:No signature = No liability by fallen1 · · Score: 4, Insightful

    This is the reason I have an account set up with my bank that states it is specifically for PayPal. Period. The only money I keep in the account is enough to cover 4 to 6 months of banking charges (like $5/month) so even if someone were to try and steal the money in that account, I'm out $20 to $30 or so AND I am immediately alerted to the fact that account has been breached.

    At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.

    With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.

    --

    Dream as if you'll live forever.
    Live as if you'll die tomorrow.
    ~Anonymous~