Slashdot Mirror


PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

20 of 212 comments

  1. No signature = No liability by neoform · · Score: 4, Informative

    What most people don't realize is this, if your card number is stolen and someone uses it.. you aren't liable for the charge.

    Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.

    --
    MABASPLOOM!
    1. Re:No signature = No liability by Mick+Ohrberg · · Score: 5, Insightful

      It's still a hassle and a violation of privacy.

      --

      Quidquid latine dictum sit, altum sonatur.

    2. Re:No signature = No liability by goodcow · · Score: 5, Informative

      I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

    3. Re:No signature = No liability by HardCase · · Score: 4, Insightful

      Absolutely true, but, like everything else, there ain't no such thing as a free lunch. We all end up paying for it because reversed transactions are a cost of doing business that all merchants must calculate into their retail prices. If nothing else, it ought to cause people to be more aware of just what they're clicking on when they get an email.

      -h-

    4. Re:No signature = No liability by fallen1 · · Score: 4, Insightful

      This is the reason I have an account set up with my bank that states it is specifically for PayPal. Period. The only money I keep in the account is enough to cover 4 to 6 months of banking charges (like $5/month) so even if someone were to try and steal the money in that account, I'm out $20 to $30 or so AND I am immediately alerted to the fact that account has been breached.

      At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.

      With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.

      --

      Dream as if you'll live forever.
      Live as if you'll die tomorrow.
      ~Anonymous~

  2. Trickery and Buggery by Billosaur · · Score: 4, Insightful

    When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

    What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

    --
    GetOuttaMySpace - The Anti-Social Network
  3. Unless it's a debit card. by Grendel+Drago · · Score: 4, Informative

    Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow.

    --
    Laws do not persuade just because they threaten. --Seneca
  4. Re:Identity "Theft"? by kenthorvath · · Score: 4, Insightful

    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.

    In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.

  5. Stupidity still necessary by Draconnery · · Score: 4, Insightful

    This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

    Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.

  6. Which Korea? by ch-chuck · · Score: 4, Funny

    The server currently running the scam is hosted in Korea

    North? South?

    As I post this, 6 out of 8 top level posts have a '?' in the subject,
    now 7 out of 9.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  7. Re:Identity "Theft"? by llamalicious · · Score: 4, Informative

    I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.

    I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.

    Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraught protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.

    That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).

    Yes, you aren't liable for credit theft; but getting your money back isn't always a quick process (unless your bank/card offers 24-hour turnaround on fraud).
    But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information; that's an even more painful process to sort out with the credit agencies (Equifax, et al.)

    Just a bit of nit-picking.

  8. Re:how?? by shawn443 · · Score: 5, Informative
  9. I've got a fix by Dixie_Flatline · · Score: 5, Informative

    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

  10. Shouldn't be a problem by Todd+Knarr · · Score: 4, Insightful

    This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

    First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

  11. A few things about PayPal by XxtraLarGe · · Score: 4, Informative
    I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
    • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
    • PayPal tells you never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/
    Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
    --
    Taking guns away from the 99% gives the 1% 100% of the power.
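The two rules XxtraLarGe lists (full name present, no clickable login links) can be turned into a mechanical check. The block below is an added example written for this page, not code from PayPal or from the commenter; the two e-mail bodies, the recipient name and the hostnames it treats as genuine are all constructed for the demonstration. It flags a generic salutation, a missing full name, any link that is not https, any link whose host is not the expected one, and any link that goes deeper into the genuine site than the bare home page (the thread's point being that even a genuine-domain link in an e-mail is exactly what the XSS bait relies on).

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real e-mails from the article or the thread).
PHISH_SAMPLE = """Dear PayPal Member,

We noticed unusual activity on your account. Please confirm your details at
https://www.paypal.com/some/page?notice=%3Cscript%3E
or at http://paypal.com.account-verify.example/login
"""

LEGIT_SAMPLE = """Dear Jane Q. Public,

You sent a payment of $12.00. To review it, type https://www.paypal.com/ into your browser.
"""

# Hosts assumed to be the genuine site for this demonstration.
EXPECTED_HOSTS = {"www.paypal.com", "paypal.com"}

# "Dear PayPal Member", "Dear User", "Dear Valued Customer" and similar.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(paypal\s+)?(member|user|customer|valued\s+\w+)\b", re.I | re.M
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def check_email(body: str, full_name: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if GENERIC_SALUTATION.search(body):
        findings.append("generic salutation instead of the account holder's full name")
    if full_name.lower() not in body.lower():
        findings.append("account holder's full name absent from the message")
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"plain-http link: {url}")
        if parts.hostname not in EXPECTED_HOSTS:
            findings.append(f"link to non-PayPal host {parts.hostname}: {url}")
        elif parts.path not in ("", "/") or parts.query:
            # A genuine-domain link with a path or parameters is the bait the
            # article describes; the safe move is to type the home page address.
            findings.append(f"deep link into the genuine site (type the address instead): {url}")
    return findings


if __name__ == "__main__":
    for label, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, check_email(body, "Jane Q. Public"))
```

The salutation and name checks are heuristics (a scammer who already has your name passes them), so the link checks do most of the work; a message with no findings still deserves the "go there through your own bookmark" treatment the rest of the thread recommends.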
  12. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative
    --
    Believe me, if I started murdering people, there would be none of you left.
  13. Re:how?? by ifoxtrot · · Score: 4, Informative

    To answer your question, in short the attack doesn't work if you visit http://paypal.com/ manually.

    What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that paypal is telling you that you need to go to another website to change your credentials.

    You still have to get someone to click on the crafted URL for this to work though (hence why phishers are doing this, they're sending emails, or whatever.) so it's not going to work for people who don't click on the URL in phishing emails.

    What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
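To make ifoxtrot's description concrete, here is an added example (written for this page, not PayPal's code or anything from the article) of the server-side defect behind a reflected XSS and its fix. The page template, the parameter name `notice` and the crafted URL are constructed; the only thing the example assumes is a handler that echoes a query parameter back into the page. The vulnerable renderer interpolates the parameter as raw markup, so whatever the link carries is executed in the victim's browser under the genuine origin and certificate; the hardened renderer entity-encodes it, so the same parameter is displayed as inert text.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed page template standing in for any server page that echoes a parameter.
TEMPLATE = '<html><body><p id="notice">{notice}</p></body></html>'


def notice_from_url(url: str) -> str:
    """Extract the 'notice' query parameter the way an echoing handler would (assumed name)."""
    return parse_qs(urlparse(url).query).get("notice", [""])[0]


def render_vulnerable(notice: str) -> str:
    # Raw interpolation: the parameter becomes markup, and any <script> in it runs
    # in the browser with the genuine site's origin, cookies and padlock.
    return TEMPLATE.format(notice=notice)


def render_hardened(notice: str) -> str:
    # Entity-encode on output: '<' becomes '&lt;', so the parameter is shown as text
    # and can never be parsed as a tag or attribute, whatever the link contained.
    return TEMPLATE.format(notice=html.escape(notice, quote=True))


# Constructed crafted link: a genuine-looking host with script in the parameter.
CRAFTED_URL = "https://genuine.example/page?notice=%3Cscript%3E%2F*injected*%2F%3C%2Fscript%3E"


if __name__ == "__main__":
    injected = notice_from_url(CRAFTED_URL)
    print("vulnerable:", render_vulnerable(injected))
    print("hardened:  ", render_hardened(injected))
```

The fix lives entirely on the server: nothing about the TLS connection changes, which is why a valid certificate tells the victim nothing about whether the page content was tampered with.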

  14. I'm protected from all identity theft for life.... by sgant · · Score: 5, Funny

    I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:

    I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.

    Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.

    --

    "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
  15. Remember, you can report such fraud email by WillAffleckUW · · Score: 4, Informative

    by sending the full headers and links to spoof@paypal.com

    --
    -- Tigger warning: This post may contain tiggers! --
  16. It doesn't need to be by a16 · · Score: 4, Informative

    There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?

    The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:

    <form method="post" name="login_form" action="https://www.paypal.com/

    In other words, it's no wonder they haven't fixed it - nothing is broken.
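a16's point is that the form's action attribute, not the scheme of the page that served it, decides whether the credentials travel over TLS. The block below is an added example (not PayPal's page or the commenter's code) that audits every form on a fetched page for exactly that: it resolves each action against the page URL and reports forms that would submit over plain HTTP, to an unexpected host, or via GET. The HTML, the page URL, the form paths and the expected host are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionCollector(HTMLParser):
    """Collect (name, method, resolved action URL) for every <form> on a page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = dict(attrs)
        # A missing or relative action resolves against the page URL, so a form on
        # an http:// page with action="/x" submits over plain HTTP.
        action = urljoin(self.page_url, a.get("action") or "")
        self.forms.append((a.get("name", ""), (a.get("method") or "get").lower(), action))


def audit_forms(page_html: str, page_url: str, expected_host: str):
    """Return [(form name, [problems])]; an empty problem list means the form submits safely."""
    parser = FormActionCollector(page_url)
    parser.feed(page_html)
    verdicts = []
    for name, method, action in parser.forms:
        u = urlparse(action)
        problems = []
        if u.scheme != "https":
            problems.append("submits over plain HTTP")
        if u.hostname != expected_host:
            problems.append(f"submits to unexpected host {u.hostname}")
        if method != "post":
            problems.append("uses GET, so field values would appear in the URL")
        verdicts.append((name, problems))
    return verdicts


# Constructed HTML standing in for a plain-HTTP home page whose login form posts over TLS
# and whose search form does not. Paths are placeholders, not the real site's.
SAMPLE_PAGE = """<html><body>
<form method="post" name="login_form" action="https://www.paypal.com/example-login">
  <input name="login_email"><input name="login_password" type="password">
</form>
<form method="get" name="search" action="/example-search"><input name="q"></form>
</body></html>"""


if __name__ == "__main__":
    for name, problems in audit_forms(SAMPLE_PAGE, "http://www.paypal.com/", "www.paypal.com"):
        print(name, problems or "ok")
```

The caveat a16's argument leaves out is that a plain-HTTP page can itself be altered in transit, and an altered page can carry a different action attribute; the audit above only tells you what the page you actually received would do, which is still the right thing to look at before typing a password.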