PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

Re:No signature = No liability

[Mick+Ohrberg]

It's still a hassle and a violation of privacy.

Re:No signature = No liability

[goodcow]

I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

Re:how??

[shawn443]

http://www.acunetix.com/websitesecurity/cross-site -scripting.htm a good example of how.

I've got a fix

[Dixie_Flatline]

Never follow a link in an email.

It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

The Cross Site Scripting FAQ

[mrkitty]

http://www.cgisecurity.com/articles/xss-faq.shtml

I'm protected from all identity theft for life....

[sgant]

I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:

I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.

Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.