Paypal Advises Users To Stop Using Safari
eldavojohn writes "Over concerns for lack of an anti-phishing mechanism for Safari, Paypal is telling its Mac users to use another browser. An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him. 'Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat.'"
Tell Safari users to stop using PayPal...
An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him.
Yes, blame the browser. It's certainly not because he's an idiot.
Safari could lose one of its two users. Opera may have a chance to double its user share, though.
Microsoft advises Windows users to stop using internet explorer, due to lack of security.
So wait.... you shouldn't use a (decently) secure browser such as Safari that is partly open-source, while you should use a browser that is fully proprietary (though with anti-phishing) and has a track record of being insecure? Not to mention how easy it is to keylog most Windows systems already? Honestly, I think that making sure your browser is secure is much more important than making sure your info isn't going to an incorrect site.
Just change your DNS to OpenDNS and you are covered. OpenDNS monitors phishing sites and will not let you resolve to them. You don't need to sign up, just use their nameservers at 208.67.222.222 and 208.67.220.220. It's free. If you sign up you get some additional cool features like blocking selected domain types, like pron if that's not your thing.
IE over Safari? Really? I can understand wanting a good free browser like Firefox on OSX, but IE? Do they even have IE 7 for OSX yet? The article Ars points to says that this is driven by IE7 users not quitting PayPal. The phishing stuff is pure speculation, and not even Microsoft thinks IE7 phishing protection is effective:
Rather than perceived security, I think the reason they see more IE7 users still logging in is because IE7 users are the kind of sheep that move along when prodded. They are using Windows, right? Like sheep to the slaughter, every day.
I've got a paypal account. I don't use it much because I don't use Ebay much. I would never use an emailed link to visit the site because it's just as easy to find the right page through Paypal itself. If they make it hard, they don't deserve my business.
Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve. The best protection mechanism in any browser against phishing is your eyes, looking at the address bar.
snark: And Safari users are advised to stop using PayPal.
The kinds of people who fall for phishing scams aren't likely to pay attention to what PayPal advises them to do.
So why not cut the middleman and just advise them to not fall for phishing scams -- that is, to always verify https://www.paypal.com/ in the URL?
Apparently Safari 3 was supposed to have anti-phishing technology when it was released alongside Leopard but it got cut. Perhaps this will push Apple to complete it for the next (hopefully soon) release of Safari.
Ars technica just dropped in my book. The writer couldn't pay enough attention to avoid a phishing scam?? Wonder how much attention he gives to his reviews and news items...
It's called the address bar. It's very easy to use, just type where you want to go and press return. Before entering sensitive information into a browser window check the address bar and make sure you are where you think you are. I know your mom and my mom might not fully understand the address bar, but I think it would be easier for them to learn about it than installing a new browser.
The Yahoo article has more information and reasoning. I link to it, quote it and give an alternate explanation here. Basically, Paypal is losing customers of all browsers but least of all from IE7 users. I think this is because IE7 users are sheep not people sharp enough to have noticed a new tool.
But I really hate the mac commercials where they talk all that crap. "I guess that mac's aren't way more secure than pc's." But then again it's all about how stupid the user is, it's doesn't have that much to do about the system at all.
http://www.fightidentitytheft.com/paypal_scam.html
Mine was similar, only it claimed they were doing a fraud investigation about fraudulent use of my account.
They use the images and everything; it looks exactly like a PayPal e-mail, only the hyperlink, when you hover over it, says a different website than in the email message. (They're doing a simple HTML trick, which is always the first thing I look for.)
I've seen them do the same thing with, say, Yahoo mail login sites, etc. One of my less savvy friends got her IM name stolen for use sending IM spam.
Safari is bass-ackwards to not show the real URL on a toolbar! I couldn't live a day without that feature.
those too ignorant to leave URLs in emails ALONE
The headline could have also just said "Paypal tells idiots to stop clicking on Paypal emails",
but that would potentially stop the 1 in 1000000 clicks that are legit, and Paypal would not want that transaction to not happen, so its message to us is to stop using Safari.
isn't anything going on worth reporting? this is filler...
Well, if there's a group of users that has been told repeatedly that their computer is safe from viruses, that it "just works," and that they don't need to be concerned with computer threats of any kind...it's Apple users. Sitting in their offices, wearing their turtlenecks and sipping their lattes, the only thing about phishing they've heard about is that it happens to other people. Uglier people. They're not used to having to defend themselves, not like Windows users. Windows users have a battle-scarred paranoia...they've seen worms that can rewrite their BIOS, steal their credit cards, and kidnap their firstborn. Their 50 yard stares have been earned by fixing their mom's computer for the eighth time this month, and damnit if they're going to lose another computer to some Ethiopian scammer...not after the last time. Their nightmares are the stuff of Stephen King novels, the earlier stuff with Lovecraftian clowns and superplagues that are the start of apocalyptic battles between good and evil. Their best days on the internet involve life and death struggles against the next pop-up, because it might be their last. Ironically, Mac users have never had to live with the terror that clicking on that "win a free iPod" might just cause their computer to explode, spamming their grandmother with anal tranny porn on its way out. Maybe it's time they should... ...wait, what the hell was I talking about?
Infoworld still has the original article, but I can understand wanting to pull a story like that.
PEBKAC.
... okay, let's try it this way. Would a person with an IQ above room temp; in Celsius? ... Is there anyone who would not fall for that?
Yes, Safari could do better, but lightning does not strike twice. Apple did good by going to OS X, but don't think they will do a lot more.
The user has to tell the difference between bad sites and the real site.
If a girl called you saying they are from your bank asking for the numbers on your Bank card would you give it to her?
Has Yahoo moved to Server 2007 or something? Weird.
All Paypal did was have a faq containing a list of anti-phishing features & browsers that support those features.
They don't recommend against Safari, they just recommend browsers that support anti-phishing features.
No doubt when Apple gets around to adding these features (pity Safari's not OSS, or it could be added easily by third parties), PayPal will add them to the list.
I'm very happy for you, that you've never made a single careless mistake in your life. However, please do try to have a little mercy on those of us who are merely human, especially when we're honest enough to admit it.
Microsoft stopped making (and supporting) IE for Mac in 2003. See for yourself.
I can't seem to find this "advice" anywhere on their page...(using safari (win) of course)
Anyone care to lend a link?
ummm...doesn't paypal's parent company eBay advise users not to click on links in email? And that they should manually type in the address (www.ebay.com) then go about their business? (eBay's security tip about email)
Step 1: Assume that any e-mail you get is a phishing attempt.
Step 2: There's no step 2. There's no step 2!
It's not exactly rocket science.
I bought the $5 keyfob for paypal and ebay, (plus it works on my verisign openid provider) and this phishing problem is no longer an issue for me.
They can get my paypal username and password, but they still need the electronic key that only *I* have. I suggest anyone who actually uses paypal get one of these, they are trivial to use and paypal is selling them incredibly cheaply.
PayPal & eBay, with a one-two punch, get you coming and going. With all their delicious revenue, the best they can do to protect their users is to attempt to shuck the blame on the little guy. That is information technology genius. Forget spending thousands on security analysis... they keep your private info safe with a single finger.
For a minute there I thought this was about Safari
Nevermind...
Actually, we love this kind of stuff.
He said it was late and he was tired. However, he also said this, which seems to mean he was using the same password on multiple sites. This is a very bad idea, especially when one of the sites involves money.
This is proved by the fact that the OP got his post modded flamebait. This fact is in direct conflict with Windows users, who also hate Microsoft just as much but realize that the software is always written for the OS with the market share and so use it in spite of their hatred.
What does the lack of anti-phishing features on Camino have to do with Apple or safari?
Either that's a typo or someone needs to pay a little more attention to who makes what browser
I'm with those who think this is simply avoided by NEVER clicking on a link in an email.
Paypal will NEVER require you to click on a link in an email. All ebay functions can be accessed from my.ebay.com. My bank specifically states 'we will never send you links in an email, ALWAYS type in our website address yourself'.
Follow that advice and you have no problems. PERIOD.
If you think the email is legit, log into the site you type in yourself and see if there is an alert. Or ring them yourself. (On a side note I once had a credit card company ring ME and refuse to say who they were until I confirmed who I was by giving my DOB. I rang them back on the proper number and went off at them.)
Case closed yadda yadda.
Safari uses WebKit from KDE. Camino uses Gecko from Firefox. They're two entirely different browsers with two entirely different engines. Apples and oranges. And since Camino uses the same engine as Firefox, how is Firefox any better at protecting users from phishing scams? And since Firefox is available for Linux and Windows, as well as OS X, wouldn't there be problems on those OSs as well? I really don't see where this is a Mac problem, Safari problem, or anything other than a user problem.
Anti-phishing is a front and feature, NOT part of the rendering code. Camino and Safari are the two leading browsers on the Mac.
I would imagine K-Meleon (the Wintel equivalent of Camino - a Gecko-based lightweight browser) has no anti-phishing either.
My opinion is that anti-phishing is like anti-virus... a bunch of hacks tracking often-phished sites. It's best to learn to be non-phishable.
I do applaud Paypal for sticking to their guns about never sending deep links to accounts in emails. I wish other companies like Microsoft would do the same. I used to hammer into my users that smart companies would never send deep links like that, so if they got mail from Microsoft or anyone else that asked them to download something or enter a password "on faith" it was a fraud (either a virus or phishing), but lo and behold, Microsoft started doing it. *sigh*
I largely agree with you, but too many companies who SHOULD know better have started sending deep links to accounts.
If a guy shows up at your front door and says he's a police officer, do you take his word for it and let him in or ask to see some ID? Do you know what a real police badge looks like?
Me, I don't let anyone in to my house unless I called 'em, even if they're the police. People need to learn to do the same thing with email.
And, unfortunately, companies from Microsoft on down are training them differently.
I have my doubts about this whole story. I question Barrett's motives. For the simple reason that the only way to find out that Paypal doesn't like Safari is to read the InfoWorld article and his quote. If you log in to Paypal using Safari... nothing. Not a peep. No mail in your inbox, either. Seems to me that if Paypal really felt strongly about Safari they'd do a little more than that. But they don't. All we have is Barrett's quote. Which makes me wonder what he's really after. And to me, the most plausible thing is that, as an EV early adopter, he's evangelizing how great EV is. Or maybe he has MSFT stock. Dunno. At any rate, if the user isn't looking at the URL bar in the first place, I don't know what difference it would make if it was green or not.
And don't even get me started on how effective I think the whole "keep a list of the bad guys" approach is.
that's Read the F...ing URL
There. That's better.
Thanks! It took barely any amount of work and effort, but I have not made one stupid careless mistake in my life!
Wait, shoot... there goes that streak...
I actually responded to your post. Shlt!
Nope. Didn't take long for several posts to start calling IE7 users sheep. So ironic that it is funny as hell.
Even better are all the posts blaming the users (an Apple fanboy tradition) if they get phished, yet it's Microsoft's fault in the next thread over when it comes to getting owned on Windows.
I'd advise Safari users to stop using Paypal.
Safari has no anti-phishing measures built into it. The CSO of Paypal is cautioning users to be more careful as a result. For those of us that RTFA, there was no mention that users should "stop" using the browser. Thank you, Slashdot editors.
Just provide a Petname toolbar. All the anti-phishing you'll ever need, and it doesn't submit your URLs or browsing info to third-party servers, like the Google toolbar and Microsoft's "anti-phishing" extensions do (a technique which will ultimately prove ineffectual IMO).
So I just gotta say - WTF - http://news.netcraft.com/archives/2008/02/27/extended_validation_certificates_and_xss_considered_harmful.html - EV and XSS considered harmful - so what does PayPal say to that? That even though they are using EV that we should ignore that?
Face it. As many others have said, if you go to http://www.paypal.emptymyaccount.com/ you're a moron.
Disclaimer - last used Apple product was a beige toaster.
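Two of the tricks described in this thread (link text that shows one site while the href goes elsewhere, and a lookalike host such as www.paypal.emptymyaccount.com where the real domain name is only a prefix) can both be caught mechanically before a user ever clicks. The following is an added example written for this page, not code from PayPal, Apple or any poster; the sample e-mail and the trusted-domain list are constructed for the demonstration.

```python
"""Flag mismatched link text and lookalike hosts in an HTML e-mail.

Added example for this thread; the trusted-domain list and the sample
message below are constructed, not taken from any real mail.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the user legitimately logs in to (assumed for this example).
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}


def host_is_trusted(hostname: str) -> bool:
    """True only if hostname is a trusted domain or a real subdomain of one.

    "www.paypal.emptymyaccount.com" fails: its registrable domain is
    emptymyaccount.com, and "paypal.com" merely appears as a label prefix.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_hostname(text: str):
    """Hostname if the visible link text itself looks like a URL or host, else None."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def check_links(html: str):
    """Return [(href, [reasons])]; an empty reason list means the link passed."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if not host_is_trusted(host):
            reasons.append("host not trusted: " + host)
        shown = text_hostname(text)
        if shown and shown.lower() != host:
            # The hover-trick case: the text says one site, the href goes to another.
            reasons.append(f"text shows {shown} but link goes to {host}")
        findings.append((href, reasons))
    return findings


# Constructed sample: one hostile link using both tricks, one legitimate link.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://www.paypal.emptymyaccount.com/login">
https://www.paypal.com/</a> to confirm your account.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">PayPal Help</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```

The suffix test in host_is_trusted is the whole point: matching "paypal.com" anywhere in the hostname would accept the lookalike, while requiring the trusted domain to be the tail of the name (or the name itself) does not. The same check is what a reader does by eye when they "check the address bar", and it is just as useful applied to the href before clicking as to the URL after.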
Thank goodness I have a browser that doesn't have to phone home and track what I do in the name of "protecting" me.
Don't click on stuff in emails...
Unless, of course, you TURN OFF PERMISSION FOR JAVASCRIPT TO MODIFY THE STATUS BAR, like virtually every browser allows. It's not rocket science, you know - it's even prohibited by default in some browsers, including IE7.
Hiding a useful feature because of the risk of a potentially dangerous misconfiguration makes absolutely NO sense!
Whiney Mac Fanboy goes head to head with a Mac Fanboy who is currently whining!
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
We had a misconfigured router in our network which would broadcast only DNS DHCP settings. The funny thing is we found it only because people couldn't surf the web due to wrong DNS servers. Now imagine what could be done with malicious intent.
Fortunately, I realised what had happened within a few minutes, immediately changed my Paypal password and cancelled my bank card. I also reported the site to Paypal, where it was taken down within an hour. As a result, I've not had any problems between then and now.
Yes, it's all about attention, I agree - but it just takes a lapse in concentration to fall for one of these scams.
Oh, and before it happened to me, I, like you, was mouthing off on Slashdot about how it could never happen to me also...
Paypal hasn't been Safari friendly for a while. I once was using paypal "buy it now" links on a website. After a few months, I got emails from a user asking how to buy the product because there was no link. Apparently Safari doesn't show the "buy now" image because it's in a form. I guess Safari doesn't support that feature, but I would think Paypal would do something about it.
Cmd-W closes a window on a Mac. Much better than Alt-F4 on Windows. Also, having the menubar permanently stuck to the top of the screen makes hitting menus much easier on the Mac due to Fitts's law. Overall Macs FTW!
Since neither blacklists nor EV certs have any real effect on security, there doesn't seem to be any great reason for Safari to rush towards implementing them. Blacklists don't work because the phishers move far faster than any blacklist can track them, and EV certs don't work because they're just a reheat of standard certs, which don't work either (EV certs exist so CAs can charge more for "premium" services). Both are fashion statements, not security measures. Looks like Paypal has fallen for the fashion.
but no amount of software is going to prevent someone from either just clicking yes no matter what, or not giving two left-handed damns about learning to NOT get phished, or prevent natural stupidity from taking its course. Internet-based finance rule number 1: if you get an email from them, delete it, close the browser, then open it again and TYPE the address in. NEVER use an emailed link to log in. One simple rule will save you every time unless the actual site has been compromised.
The best defense against phishing attacks is to be informed, and suspicious. Sites such as PayPal and eBay ( I have had numerous phishing emails that claimed to be from these two sites) clearly state that they will not ever ask for your information via an email. Do not click on a link in an email. Period. EVER! Report suspicious emails...ALWAYS! Also, never open email attachments...EVER! No matter who it is from, or what it claims to be, DON"T OPEN IT! Delete all email attachments ASAP!
Simple instruction: They get an email about Paypal, don't click on the link in the email, go to the safe bookmark for Paypal and log in. Everything fine? Then it was a phish.
I've tried using eBay's new payment system (that talks to Paypal) as well as going into Paypal to pay for an eBay item (by talking to eBay) and neither of them works on a PowerPC 5 iMac. This only started failing within the last month -- presumably when they rolled out their new "payment system" -- it worked just fine before then. It just hangs at the final step where you confirm the payment. I doubt that it's traffic-related since I can pop over to an XP laptop and do it with no problems.
I'm thinking that this is just eBay/Paypal's way of hiding the problem with their payment system by telling you not to use the browsers that their system now fails on. I've only tried this once on Firefox on the iMac and it also failed, but that was only once -- not working with Safari has failed many times. Does anybody have any insight into the internals of eBay/Paypal's new payment system that can shed some light on this? Maybe they're locked into i386 machines and only new Macs will work, or they're locked into Windows?
They don't recommend against Safari, they just recommend browsers that support anti-phishing features.
Sounds basically like the current batch of browsers. I believe IE7 and FF3 support this, but what other browsers do?
At the same time which anti-phishing techniques work best for you?
My bank recently added a new feature whereby you specify your bank code and then they show you an image you preselected in the past and ask you a question that you specified the answer to. If you are satisfied with the identity, then you specify your password.
A significant amount of the phishing email that I get seems to have IP addresses rather than domain names. I use OpenDNS, but it's not going to do squat about that.
I'm not about to say that Apple shouldn't add features to help block phishing scams, but it seems to me that many users who make an educated choice about what browser to use also are aware of phishing scams and don't click links in email (aside from surfing drunk). I mean, to understand why paypal is asking you to switch browsers and to feel that you actually ought to do it implies some understanding of why you are doing it, which in turn means that you probably don't need to switch browsers in the first place. Maybe not, maybe tons of firefox users are saved every day by this, but personally I've never come close to clicking a paypal (or any other important login) link in an email so for me I'll stick with Safari.
What happened with all of the predictions from Google fanboys that Google Checkout was going to destroy Paypal by now? :p
If someone falls for an email phishing scam in this day and age then they deserve to lose their money. Maybe then they'll just get off the network completely so that the easy targets get fewer and fewer and the rest of us can go about our everyday internet business without needing to worry about this crap. Stop using Safari? That's like saying to stop using your nose because you might smell something bad. God damn over-reactionaries and tech retards - yeah Mary, I said retards - mucking everything up for the rest of us normal people who just want to surf for porn and buy cool toys online in peace.
I don't click on url's in e-mail. When I want to go to the bank or Paypal, I either type in the URL or click a bookmark I know is good. Now, if some bad guy got in and screwed around with my DNS, would a phishing detector even detect it?
Given that, they still should put a phishing detector in Safari, with a warning that only your common sense is the ultimate protection, and once phishers start figuring out what these things are detecting, they'll find a way to sneak under that too.
If you claim EV is a platform-neutral standard, not a MSFT/IE thing, get an expensive account from developer.apple.com, download the latest WebKit sources from webkit.org, download Xcode and start coding "Webkit EV.xcodeproj". Next, start "Safari Antiphishing.xcodeproj".
I don't want to pay for your MSFT gang expenses, fantasy $5000 certificates while buying next version of OS X.
I will message to Skype/WinCE Gang about never shipping Symbian S60 Skype later. What kind of a mess, horrible gang scheme did eBay buy while buying those 2 companies?
Also can Mozilla foundation tell how many actual users downloaded their non working EV Certificate extension compared to others?
Face it. As many others have said, if you go to http://www.paypal.emptymyaccount.com/ you're a moron.
Disclaimer - last used Apple product was a beige toaster. A better one, Opera found horrible implementations of EV while trying to support it. Guess what? Paypal included too.
http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev
It was wrongly implemented at Paypal. I wonder when Paypal will say "Stop using Opera" and get a $500M lawsuit, just like the one that forced MS IE to get Acid 2.
There was even a Slashdot story on a research paper showing image-factor security can be gamed by crooks.
Why not just check the address bar for domain spelling + the presence of the lock symbol? HTTPS is the verification method that works.
If a person knows they should check domain spelling and the lock symbol in the address bar, and they are too lazy to do that... then I'd say they deserve whatever befalls them as a result.
The problem is that few techies are interested in teaching/reminding people about HTTPS and how to use it: most seem not to understand it, and so point people toward 'solutions' where someone else decides the 'good/bad' status of websites for them.