Slashdot Mirror


PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

54 of 212 comments

  1. No signature = No liability by neoform · · Score: 4, Informative

    What most people don't realize is this: if your card number is stolen and someone uses it, you aren't liable for the charge.

    Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.

    --
    MABASPLOOM!
    1. Re:No signature = No liability by Mick Ohrberg · · Score: 5, Insightful

      It's still a hassle and a violation of privacy.

      --

      Quidquid latine dictum sit, altum sonatur.

    2. Re:No signature = No liability by goodcow · · Score: 5, Informative

      I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

    3. Re:No signature = No liability by telchine · · Score: 2, Informative

      What some people don't realise is that a lot of the credit card companies will put layer upon layer of bureaucracy in front of you to try and stop you claiming. Recovering stolen funds can be very time consuming.

      On top of that, you have to have cards re-issued and any recurring payments set up on them have to be re-established with the new card.

      For a lot of people, the fear of having their credit card details stolen is not about losing their money but the considerable amount of hassle involved in getting things back in order after the event.

    4. Re:No signature = No liability by HardCase · · Score: 4, Insightful

      Absolutely true, but, like everything else, there ain't no such thing as a free lunch. We all end up paying for it because reversed transactions are a cost of doing business that all merchants must calculate into their retail prices. If nothing else, it ought to cause people to be more aware of just what they're clicking on when they get an email.

      -h-

    5. Re:No signature = No liability by rdavis542 · · Score: 2, Informative

      This is a great point; checking accounts are different beasts altogether. I set up a completely separate checking account at a different bank from my personal one for PayPal transactions only. It works because, yes, it has the potential of being hacked, but they aren't privy to access my other primary accounts which pay my mortgage. If a customer has a rather large transaction I always do money orders.

    6. Re:No signature = No liability by neoform · · Score: 2, Informative

      Which is pretty much why i stay away from Paypal like the plague.

      PayPal is trying to be a bank without having ANY of the federal regulations set forth for banks. You have no insurance on any of the money in your PayPal account, which could be 'frozen' at any time. It's a total wonder to me why anyone trusts PayPal enough to give them their banking information.

      --
      MABASPLOOM!
    7. Re:No signature = No liability by schon · · Score: 2, Informative

      > I believe they are regulated as a bank just like a brick and mortar bank.

      You believe incorrectly.

    8. Re:No signature = No liability by Golias · · Score: 3, Insightful

      > I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

      Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.

      If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.

      --

      Information wants to be anthropomorphized.

    9. Re:No signature = No liability by fallen1 · · Score: 4, Insightful

      This is the reason I have an account set up with my bank that states it is specifically for PayPal. Period. The only money I keep in the account is enough to cover 4 to 6 months of banking charges (like $5/month) so even if someone were to try and steal the money in that account, I'm out $20 to $30 or so AND I am immediately alerted to the fact that account has been breached.

      At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.

      With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.

      --

      Dream as if you'll live forever.
      Live as if you'll die tomorrow.
      ~Anonymous~

    10. Re:No signature = No liability by 70Bang · · Score: 2, Interesting

      They're up to no good somehow.

      I made a contribution to a free overseas web service, being a good guy, supporting it, etc. Looking at the PayPal trail of breadcrumbs, they determined the exchange rate[*], rounded up, made the payment, then returned the difference to my account.

      About ten days later, I get a nifty envelope from GE, managing a "PayPal Credit Service" for the amount of the exchange rate[*] with a minimum charge, deadline, service charge if it's late ($15), everything you'd expect to see from a credit card service. My only means of communication with this "GE" service which is handling the PayPal credit service is a PO Box.

      I've never seen a credit service mentioned on the PayPal site, and the fact everything balanced in the exchange rate process tells me something smells.

      Does anyone else have info on this type of garbage?

      I'm halfway tempted to make the ten mile drive to the county seat and make a filing in Small Claims and find out what they're up to.

  2. Credit cards stolen? by GonzoTech · · Score: 2, Funny

    ... Oh my God! How will the masses be able to buy gold for World of Warcraft? Something has to be done... GonzoTech

    --
    "Snatching defeat from the mouth of victory on a daily basis."
  3. Trickery and Buggery by Billosaur · · Score: 4, Insightful

    When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

    What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Trickery and Buggery by happyemoticon · · Score: 2, Interesting

      I usually spot phishing scams based on the informal register of the language. Like, this is what I'd expect to hear in that case:

      We suspect that your account information has been compromised, and have disabled your account as a security precaution. You will now be redirected to the Resolution Center to verify your information.

      That is, when they're not totally butchering my language:

      Sir apologies you to! We is suspects that hackers been gotting into your account and disabled fraud! Please give to your credit card details us!!! All your base are belong to them!!!

      Now, what these dirt-poor third-world phishers need is the opportunity to work with an English major from an American university! I see a lucrative business opportunity for both them and my cohorts, who are universally working at theaters and coffee shops.

    2. Re:Trickery and Buggery by pavon · · Score: 2, Insightful

      While there will always be gullible people, I am not surprised that PayPal has a larger problem than other places. When I was still using them, they had horrible email practices. They sent out emails advertising new services. They even included links in their emails. There was more than once when I received a legitimate email from PayPal which I thought was a phish. Yeah, they sent out warnings about phishing, but when legitimate email looks like a phish, people are going to have a harder time telling the difference.

      Financial institutions should never include links in their emails. They should be very hesitant about sending any emails except in response to a user action. They should never send out emails the response of which is to enter personal information (such as signing up for a new service), even if they inform the user to go directly to their site rather than providing a link. Sending out crap like this just conditions the users to expect and trust emails and links from PayPal.

      Maybe they are better now - I haven't used them in a while, because I don't trust them with access to my bank account. They have abused that power on too many people, too many times, so I don't do business with them anymore.

    3. Re:Trickery and Buggery by Bryansix · · Score: 2, Insightful

      It seems to me that this phishing attempt would never work on people who employ one simple tactic. When you get an email from a company requiring action on your account, log in directly to the account yourself and do not click the links in the email.

  4. how?? by zimsters · · Score: 3, Interesting

    "by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?

    --
    Bored?
    1. Re:how?? by MankyD · · Score: 2, Insightful

      > How are hackers injecting this code into a legitimate paypal website??
      > Cross-Site Scripting.

      You're missing the grandparent post's question. If I visit http://paypal.com/ how does the phisher get their script to run?
      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    2. Re:how?? by serial_crusher · · Score: 2, Interesting

      Maybe they have some kind of bad forwarding system set up? At my company you could do the equivalent of: http://www.paypal.com/redirect.php?NEXT_PAGE=%5Bhttp://10.6.6.6/hackers%20fake%20page.html%5D Our stuff does internal redirection to make things faster, so to the user it'll still look like he's seeing something on paypal.com.
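      The forwarding scheme this comment sketches, as an added example in Python that is not code from the article, from PayPal or from the commenter. A hypothetical /redirect endpoint on a stand-in host www.example.com reads a NEXT_PAGE parameter; the first handler follows it verbatim (an open redirect, which is exactly what would let a trusted site hand the victim to 10.6.6.6), the second resolves it against the site's own origin and refuses anything that lands off-site. All hosts, paths and parameter names are invented for illustration.

```python
"""Open redirect: a 'next page' parameter that is followed without validation.

Added example, not code from the article, from PayPal or from the comment
above. The endpoint /redirect, the NEXT_PAGE parameter, www.example.com and
10.6.6.6 are all invented for illustration.
"""
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_ORIGIN = "https://www.example.com"    # the only origin a redirect may land on
ALLOWED_HOSTS = {"www.example.com"}


def _next_page(request_url: str) -> str:
    """NEXT_PAGE as the server sees it (URL-decoded), default '/'."""
    return parse_qs(urlsplit(request_url).query).get("NEXT_PAGE", ["/"])[0]


def redirect_target_vulnerable(request_url: str) -> str:
    """Vulnerable: returns the parameter verbatim as the Location header, so the
    trusted site sends the victim wherever the author of the link chose."""
    return _next_page(request_url)


def redirect_target_hardened(request_url: str) -> str:
    """Hardened: resolve the parameter against our own origin and only follow it
    if the result is still https on an allowed host; otherwise fall back to '/'."""
    candidate = _next_page(request_url)
    # Browsers treat '\' like '/' in some positions; urlsplit does not, so refuse it outright.
    if "\\" in candidate:
        return "/"
    resolved = urlsplit(urljoin(SITE_ORIGIN, candidate))
    # Rejects absolute http:// URLs, scheme-relative '//evil', javascript: URLs, and
    # 'https://www.example.com@10.6.6.6/' (the part before '@' is userinfo, not the host).
    if resolved.scheme != "https" or resolved.hostname not in ALLOWED_HOSTS:
        return "/"
    return resolved.geturl()


if __name__ == "__main__":
    link = "https://www.example.com/redirect?NEXT_PAGE=http://10.6.6.6/hackers%20fake%20page.html"
    print("vulnerable sends victim to:", redirect_target_vulnerable(link))
    print("hardened sends victim to:  ", redirect_target_hardened(link))
```

      The hardened version deliberately allowlists hosts rather than blocklisting patterns: any check that tries to enumerate the bad shapes (leading `//`, `@`, mixed case, backslashes) ends up one trick behind the attacker.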

    3. Re:how?? by shawn443 · · Score: 5, Informative
    4. Re:how?? by ifoxtrot · · Score: 4, Informative

      To answer your question, in short the attack doesn't work if you visit http://paypal.com/ manually.

      What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that paypal is telling you that you need to go to another website to change your credentials.

      You still have to get someone to click on the crafted URL for this to work though (hence why phishers are doing this: they're sending emails, or whatever), so it's not going to work for people who don't click on the URL in phishing emails.

      What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
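      What "injected material inside the URL" looks like in code, as an added example in Python that is not the article's, PayPal's or the commenter's code. A page on a stand-in host www.example.com reflects a made-up query parameter msg into its HTML. The vulnerable handler echoes it unchanged, so a <script> carried in the link runs in a page served by the genuine host under its genuine certificate; the hardened handler HTML-escapes it, and the same link renders as harmless text. The path /notice, the parameter name and the redirect target 10.6.6.6 are all invented for illustration.

```python
"""Reflected XSS: the host is genuine, the page content is the attacker's.

Added example, not code from the article, from PayPal or from the comment
above. The host www.example.com, the path /notice and the query parameter
"msg" are invented stand-ins for a site with a reflecting page.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GENUINE_HOST = "www.example.com"   # stand-in for the site the victim trusts
_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def _msg_param(url: str) -> str:
    """Return the 'msg' query parameter as the server would see it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable handler: interpolates the parameter into the page unchanged,
    so markup in the URL becomes markup in the response."""
    return f"<html><body><p class='notice'>{_msg_param(url)}</p></body></html>"


def render_hardened(url: str) -> str:
    """Fixed handler: identical page, but the parameter is HTML-escaped first,
    so '<script>' reaches the browser as text, not as a tag."""
    safe = html.escape(_msg_param(url), quote=True)
    return f"<html><body><p class='notice'>{safe}</p></body></html>"


def craft_attack_url() -> str:
    """The link a phisher would mail: https, genuine host, payload in the query.
    The redirect target 10.6.6.6 is a made-up address."""
    payload = ("Your account is currently disabled. You will now be redirected."
               '<script>window.location="http://10.6.6.6/login.html";</script>')
    return f"https://{GENUINE_HOST}/notice?" + urlencode({"msg": payload})


def host_of(url: str) -> str:
    """Hostname the browser connects to (and shows in the address bar)."""
    return urlsplit(url).hostname or ""


def contains_live_script(page: str) -> bool:
    """True if the response contains a real <script> tag the browser would execute."""
    return bool(_SCRIPT_RE.search(page))


if __name__ == "__main__":
    url = craft_attack_url()
    print("host in address bar:", host_of(url))
    print("vulnerable page runs attacker script:", contains_live_script(render_vulnerable(url)))
    print("hardened page runs attacker script:", contains_live_script(render_hardened(url)))
```

      The certificate check the summary mentions is doing its job throughout: the connection really is to the genuine host. What it cannot tell the victim is that part of the page body came from the query string of the link they clicked.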

  5. Unless it's a debit card. by Grendel Drago · · Score: 4, Informative

    Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow.

    --
    Laws do not persuade just because they threaten. --Seneca
  6. What the hell? by Grendel Drago · · Score: 2, Insightful

    You're right; it's not identity theft, it's identity fraud. Which, guess what, has its victims.

    Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?

    --
    Laws do not persuade just because they threaten. --Seneca
  7. Re:Identity "Theft"? by NineNine · · Score: 2, Insightful

    You have to understand.... in this society, in this day and age, people DO define (identify) themselves by the things they own, the money they have in their bank account, and their credit rating. Sad, really.

  8. Re:Identity "Theft"? by kenthorvath · · Score: 4, Insightful

    > It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.

    In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.

  9. Stupidity still necessary by Draconnery · · Score: 4, Insightful

    This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

    Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.

  10. Which Korea? by ch-chuck · · Score: 4, Funny

    The server currently running the scam is hosted in Korea

    North? South?

    As I post this, 6 out of 8 top level posts have a '?' in the subject,
    now 7 out of 9.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  11. Re:Identity "Theft"? by llamalicious · · Score: 4, Informative

    I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.

    I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.

    Thousands and thousands of dollars of Google AdWords purchased on my card, draining my bank account completely, and into the negative even with overdraft protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs, the results are anything but mundane.

    That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).

    Yes, you aren't liable for credit theft; but getting your money back isn't always a quick process (unless your bank/card offers 24-hour turnaround on fraud).

    But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information, that's an even more painful process to sort out with the credit agencies (Equifax, et al.).

    Just a bit of nit-picking.

  12. Re:Identity "Theft"? by sconeu · · Score: 2, Insightful

    Actually, it's a hell of a lot closer to theft than copyright infringement.

    By using my identity (and credit and ....) , the fraudster has impinged upon my ability to use it freely.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  13. Suprise? by theaddkid.com · · Score: 3, Insightful

    I don't know how this is a surprise to anyone. "Cross-site scripting techniques" are so common now they're writing magazine articles about them; go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.

    --
    TheADDkid.com
  14. Nothing new by Moraelin · · Score: 2, Interesting

    "Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?"

    AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.

    Anyway, it's nothing new. The software pirates certainly didn't start it; they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated; it actually disappears from person A to enter the possession of person B.)

    And honestly seeing some of the arguments made, I can't help notice a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  15. I've got a fix by Dixie_Flatline · · Score: 5, Informative

    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

  16. Shouldn't be a problem by Todd Knarr · · Score: 4, Insightful

    This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

    First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

  17. Half right by MarkByers · · Score: 2, Interesting

    You are right that 'identity theft' is a misleading and incorrect term. However, most people will just tell you 'I could care less.'

    However, you are wrong that it is a victimless crime.

    For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.

    --
    I'll probably be modded down for this...
  18. A few things about PayPal by XxtraLarGe · · Score: 4, Informative
    I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
    • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
    • PayPal tells you never to click on a link to log in to their site. They say to always type the URL: https://www.paypal.com/
    Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:A few things about PayPal by JianTian13 · · Score: 2, Insightful
      Umm, "doesn't lose anything"?

      PayPal probably loses quite a lot of money because of phishing assholes, through the human resources spent fighting the crap spewed by the phishers.

      Think about it:
      • The support guy who takes the initial customer phone call, and has to explain basic things like "identity theft" and "read your newspaper once in a while", and...
      • The other support guy who now has to track down where the money went, and if possible put it back, and...
      • The support guy who has to call the (possibly uncooperative) ISP, which may very well be in a foreign country, and explain across a language barrier that one of their users/machines is part of a phishing scam, to get it shut down.

      That's just off the top of my head. Never mind the PR damage done, never mind the developer time invested in trying to prevent stuff... And what *could* PayPal do to make life easier? Seriously. There's only so much you can do before it's just down to a stupid user doing a stupid thing that other people have been shouting at them not to do for years. What then? Internet Driver's Licenses? (hmmm.... maybe not such a bad idea, if you automatically fail anyone who's ever signed up for AOL... :)
  19. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative
    --
    Believe me, if I started murdering people, there would be none of you left.
  20. Re:Identity "Theft"? by LunaticTippy · · Score: 3, Informative
    Speaking as someone who has suffered from fraud, you are wrong.

    One day I woke up and started getting hundreds of collection calls. All my credit cards were deactivated. My bank account was frozen. Phone turned off.

    I literally could not use my identity. It was like a DOS attack. I couldn't perform any financial transactions, it was a complete nightmare.

    For years it was impossible to get credit.

    I wish someone had infringed my identity, leaving me with my original one completely intact. But no...

    --
    Man, you really need that seminar!
  21. I'm protected from all identity theft for life.... by sgant · · Score: 5, Funny

    I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:

    I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.

    Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.

    --

    "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
  22. Or worse, a brokerage debit card. by vinn01 · · Score: 3, Interesting


    I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.

    Since the bubble burst, I don't have to worry about having a lot of money in a money market account.

  23. Re:Identity "Theft"? by DragonWriter · · Score: 2, Insightful

    > I'm really tired of hearing this term. Nobody's identity is being physically stolen; therefore it is not theft.

    No, people's tangible and intangible personal property is stolen by means of misrepresenting identity (not always the one whose property is stolen, depending on the particular manner of identity theft). "Identity theft" is not "theft of identity"; it's "theft by misrepresenting identity". And, therefore, it is theft.

    > It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    Identity theft is no more "victimless" than armed robbery.
  24. Re:hello? by Anonymous Coward · · Score: 3, Funny

    I also believe that children that don't learn to swim by the age of 4 should drown. Forget that the ARTICLE THAT THIS DISCUSSION IS BASED ON has nothing to do with children drowning, those dirty little swimless fuckers need to drown.

    Wow.

    You are one seriously hard headed, self important fucker.

    I thought that cats like you pretty much faded away with the end of the cocaine drenched 80's.

    Want to point out how I'm not making any sense? Tough. You're a bone head. My point stands.

  25. Re:Identity "Theft"? by LordOfTheNoobs · · Score: 2, Funny

    So it's what, identity copyright infringement?

    --
    They're there affecting their effect.
  26. Re:is it still stupidity? by thePowerOfGrayskull · · Score: 2, Insightful

    A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.

    You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and redirect the login to the actual vendor. You never receive a hint that you were duped until the charges start showing up.

    These days, a suspicious URL in your browser is often the only clue you'll get -- and if you don't have the latest patches for the popular browsers, the URL can be disguised.

    This isn't to say that there is no stupidity factor. People still fall for the old style phishing scams like you described, or "validate your credit card number" scams with startling regularity. Most people fail to realize that a simple precaution can make you essentially immune to phishing attempts (like disabling HTML in emails).

    However, the newest round of phishing is a lot more sophisticated, and a lot more convincing. As it becomes more prevalent, expect mass stupidity to be less of a factor in its success.
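    Reading the URL the way the browser does, as an added example in Python that is not part of the comment or the article. www.example.com stands for the site the user believes they are logging in to; the other hosts are constructed for the test. The check returns the host the browser will actually connect to (anything before an '@' in the authority is userinfo, not the host) and flags plain http, bare IP addresses, and a brand name buried inside someone else's domain, which are the "suspicious URL" tells the comment says are often the only clue left.

```python
"""Reading a URL the way the browser does: which host really gets the login?

Added example, not from the article or the comment. www.example.com stands for
the site the user thinks they are logging in to; the other hosts are invented.
"""
import ipaddress
from urllib.parse import urlsplit

EXPECTED_HOST = "www.example.com"


def effective_host(url: str) -> str:
    """Host the browser connects to. Anything before '@' in the authority is
    userinfo, not the host, which is what the 'brand@evil' disguise relies on."""
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url: str, expected_host: str = EXPECTED_HOST) -> list:
    """Return a list of findings; an empty list means the URL is the expected
    host over https with nothing odd in the authority section."""
    parts = urlsplit(url)
    host = effective_host(url)
    brand = expected_host.split(".")[-2]          # "example" from www.example.com
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")
    if _is_ip_literal(host):
        findings.append("host is a bare IP address")
    if host != expected_host:
        findings.append(f"host is {host!r}, not {expected_host!r}")
        if brand in host:
            findings.append("brand name appears in a host that is not the brand's")
    return findings


if __name__ == "__main__":
    # Constructed samples: one genuine, three in the styles phishers use.
    for sample in (
        "https://www.example.com/login",
        "https://www.example.com@10.6.6.6/login",
        "http://www.example.com.verify-account.example.net/login",
        "https://www.examp1e.com/login",
    ):
        print(sample, "->", inspect_url(sample) or "looks fine")
```

    The one-character lookalike (examp1e) only trips the plain host mismatch, which is the point: no list of heuristics replaces comparing the host against the one you typed yourself, so the bookmark advice elsewhere in this thread still stands.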

  27. Minor hassle, 48 hours. Done. by jpellino · · Score: 3, Informative

    I got took for a paycheck's worth, with no high tech used or needed.
    Someone hand-copied all the info on my card, front and back, when it was used at a restaurant.
    I called the bank (Fleet, often considered big and difficult); they looked at everything that happened, I told them which ones were bogus, and their fraud department confirmed the details of the transactions (location, times, names - these people were dumb enough to charge at Woolworths overseas, and paid bills for Progressive insurance, ATT and Verizon cells and Cablevision - all eminently traceable).
    They reversed the charges and said they were still subject to verification, and since they were all as I presented them, I got it all back and kept it. Most of the money was back after the next overnight, the rest was back after two overnights.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:Minor hassle, 48 hours. Done. by Dare nMc · · Score: 2, Informative

      >I called the bank ... I told them which ones were bogus
      I dropped all my cards except those that allow online disputes for this. (For me) it's much easier to click the transactions, hit dispute, and forget about it until they call me, instead of 10 minutes on hold, then giving all my account details, mother's name, SSN digits... over an insecure link (any phone line, but especially my cordless phone at home; cell eats minutes) to get them to chat. Unfortunately the only cards I have found that allow this were Discover and AMEX; anyone know of a no-fee Visa/MasterCard that allows this?

      The worst was my Sears MasterCard; do not get one of them. You gotta call, then snail mail back a signed thing that they must receive within 2 weeks of you finding the fraud (5 days to get the form, 5 days to return, = 4 days to fill out). Also the stated policy of almost all Visas is you can only dispute charges in your home state only... apparently unenforceable, or unenforced anyway, but then why have that hanging out there?

  28. Remember, you can report such fraud email by WillAffleckUW · · Score: 4, Informative

    by sending the full headers and links to spoof@paypal.com

    --
    -- Tigger warning: This post may contain tiggers! --
  29. It doesn't need to be by a16 · · Score: 4, Informative

    There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?

    The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:

    <form method="post" name="login_form" action="https://www.paypal.com/

    In other words, it's no wonder they haven't fixed it - nothing is broken.
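    A check for the point this comment makes, as an added example in Python that is not PayPal's code or the commenter's: parse the page as delivered, resolve each form's action against the page URL (a relative action inherits the page's scheme), and confirm the login form posts to https. The HTML snippets are constructed for the test; the form name login_form is taken from the fragment above, the action paths are stand-ins. The summary reports two facts separately on purpose: where the credentials go, and whether the page that sets that destination was itself delivered over plain http, where anyone on the path could have rewritten the action before the browser saw it.

```python
"""Does the login form on a plain-http page actually post over TLS?

Added example, not code from the article, from PayPal or from the comment above.
The HTML snippets are constructed to exercise the check; the action paths are
stand-ins, the form name is the one quoted in the comment.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects (name, action) for every <form> start tag in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append((a.get("name", ""), a.get("action", "")))


def form_actions(page_html: str, page_url: str):
    """Absolute action URL of each form; a relative action inherits the page's scheme."""
    parser = _FormCollector()
    parser.feed(page_html)
    return [(name, urljoin(page_url, action)) for name, action in parser.forms]


def login_posts_over_tls(page_html: str, page_url: str, form_name: str = "login_form") -> bool:
    """True only if the named form exists and its action resolves to an https URL."""
    for name, action in form_actions(page_html, page_url):
        if name == form_name:
            return urlsplit(action).scheme == "https"
    return False


def risk_summary(page_html: str, page_url: str) -> dict:
    """Two separate facts: where the credentials go, and whether the page that
    sets that destination could itself have been altered in transit."""
    return {
        "form_delivered_over_tls": urlsplit(page_url).scheme == "https",
        "login_posts_over_tls": login_posts_over_tls(page_html, page_url),
    }


# Constructed samples: the shape the comment describes, and two that fail the check.
PAGE_HTTP = "http://www.example.com/"
FORM_OK = ('<form method="post" name="login_form" '
           'action="https://www.example.com/cgi-bin/login"><input name="login_email"></form>')
FORM_RELATIVE = '<form method="post" name="login_form" action="/cgi-bin/login"></form>'
FORM_HTTP = ('<form method="post" name="login_form" '
             'action="http://www.example.com/cgi-bin/login"></form>')

if __name__ == "__main__":
    for label, page in (("absolute https", FORM_OK), ("relative", FORM_RELATIVE), ("http", FORM_HTTP)):
        print(label, "->", risk_summary(page, PAGE_HTTP))
```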

  30. Educate yourself, OTHERS, and report... by ursabear · · Score: 3

    It's important to educate oneself about basic security. Don't click a link in any email that refers to PayPal. As a matter of fact, there are few reasons to click links in any emails.

    Just as important, seriously, educate others. Don't mumble "Darwin" or "figure it out yourself" when you can help someone else protect themselves or educate themselves about security threats.

    Always report PayPal phish attempts to spam@paypal.com.

    There's an excellent set of resources about phishing in general - and you can report phishing attempts at: antiphishing.org.

    Not to be repetitive, but the best way to make a difference (in this case) is to help others and help yourself with education.

  31. Oops:Educate yourself, OTHERS, and report... by ursabear · · Score: 2, Funny

    I meant to say spoof@paypal.com.

    Sorry, I must have been hit with the stupid stick today.

  32. Good news for Google by blueZ3 · · Score: 2, Interesting

    in their attempt to break into the on-line payments business?

    I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.

    Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  33. I'd like to know... by pongo000 · · Score: 3, Interesting

    ...why it is that whenever I log into PayPal, the number of PayPal-phishing e-mails suddenly increases over the next few minutes? It's as if something is monitoring traffic destined for PayPal (a compromised router, perhaps?) and is automatically triggering phishing e-mails to the originating IP.

    Has anyone else seen this?

  34. When will people finally learn not to click links? by AriaStar · · Score: 2, Insightful

    This is not new. Legitimate sites are hacked more often than anyone cares to admit, and end up hosting fraudulent pages that indeed link to an outside page, often with the domain in the web bar masked. Everyone should know by now to go directly to a page, and those who choose to ignore this should either be banned from the internet as their falling for these scams encourages crooks, or else they deserve what they get.

    Something else not new is domain masking, which I am sure you all know about.

    *sigh* When your ID is stolen, as mine was the "good old-fashioned way" when I was 18 (25 now), it sets you up for years of frustration, thousands you can't recoup, and makes you wonder why the hell people aren't more vigilant about protecting their identity. Once it's lost, you've got no hope, and dozens of police reports are no longer enough to get a new social to get your life back on track. Finding another ding on your report, another credit card in your name, a speeding ticket in a state you've never been to...it all becomes just something you accept, though no less frustrating. And there is no end in sight, not until people wise up and guard themselves to discourage people from even trying. And even that won't be enough.

  35. They got me by sodomchaka · · Score: 2, Interesting

    Well, a first for me... they got me. I opened a new paypal account on Monday, and by Wednesday, my credit card was being fleeced. Worst of all, there is no way these guys get caught based on the following actions by the involved entities:

    Paypal: Classic, I contacted Paypal on Wednesday, "we have had no security problems.... Don't reply to phishing scams." (no shit sherlock, i just figured I was safe entering information directly into your website using SSL). When elevated up the customer support retard chain, I was then lectured on phishing scams (damn these people are bright), and told to contact my local authorities. Unreal... my local authorities... I wonder how many local reports are taken nationally due to these wankers. Follow up today (Friday), "you should contact our security" [by filling out our webform that warns you incessantly about phishing scams and that tells you after you fill out the form that they will get back to you in about 10 days... nice].

    Mastercard: I contacted my credit card company, they cancelled the card but will not investigate until I fill out an affidavit, "which will take about 14 days to arrive."

    Kmart: I contacted Kmart, being one of the companies that put through charges to my credit card. "We cannot give you any information without your purchase number" (unreal, my credit card is used for illicit purchases, and I cannot find out where they are shipping the goods). They were nice though, and suggested I fax information to them if I wanted to speak to a security person, and they also suggested I have my local police contact them.

    Frederick's of Hollywood: Another company that put charges on my card - "We don't have a security department, call your credit card company." Will someone please shoot that g-string wearing cow.

    Local Police - I filled out an online complaint on Wednesday with the financial fraud division of my local police department. Still haven't heard a thing.

    I went the extra mile and filed a complaint with the FBI's Internet Crime Complaint Center: Classic moment in law enforcement... after filling out the extensive affidavit, I received a generated email that read in part, "The IC3 receives thousands of complaints each month and does not have the resources to respond to inquiries regarding the status of complaints. It is the IC3's intention to review all complaints and refer them to law enforcement and regulatory agencies having jurisdiction. Ultimately, investigation and prosecution are at the discretion of the receiving agencies." [in other words, we really don't do anything, best of luck old chap]. I wish the crew working this scam the best, they are truly disgusting, but ingenious. As for the entities above, the next time I hear a news report where they are whining about credit card fraud costing consumers and businesses millions, I'll just chuckle at how pathetic the reaction was to my inquiries. They really don't care.

    Finally, some have posted that it won't cost me anything.... they are wrong. Some credit cards require the user to pay the first $50 of such fraud. And what about the people who just don't catch the fraudulent credit card uses? If you do not challenge the charge within 90 days, in most cases, you own the debt. Finally, by having my credit card cancelled for fraudulent purposes, I am the lucky recipient of a fraud alert on my credit statements with the credit reporting agencies for at least the next thirty days (I think 60). This means that I am barred from gaining any instant credit during this time period. Several years ago I had fraud on another credit card (authorities believed that the info was lifted from the card while I was on vacation when I paid for something at a restaurant). I cancelled the card, but a couple weeks later there I was buying $2,000 worth of lumber at Home Depot for a home project.

    The clerk says to me, hey if you open up a Home Depot card, I can discount your purchase by 10%. Hey, I don't need a Home Depot card, but 200 bucks is nothing to sneeze at. After filling out the form, I was reject