Slashdot Mirror

← Back to Stories (view on slashdot.org)

Paypal Advises Users To Stop Using Safari

Posted by Zonk on from the watch-where-you-click dept.

eldavojohn writes "Over concerns for lack of an anti-phishing mechanism for Safari, Paypal is telling its Mac users to use another browser. An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him. 'Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat.'"

38 of 362 comments (clear)

  1. Maybe Apple should... by gillbates · · Score: 4, Insightful

    Tell Safari users to stop using PayPal...

    --
    The society for a thought-free internet welcomes you.
    1. Re:Maybe Apple should... by Jeremiah+Cornelius · · Score: 5, Insightful

      C'mon.

      Apple is deficient here - no doubt about it. If you want Mom & Pop to click "pay now", you don't expect 'em to be able to parse "http://www.barclays.validation.co.uk". You don't have to be an "idiot" to fall for this - just outside your area of expertise.

      I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!

      Except for the missing ads - thanks to Ad Block+

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Maybe Apple should... by MacDork · · Score: 5, Insightful

      C'mon.

      Apple is deficient here - no doubt about it.

      Deficient eh? I use Omniweb. Same issues I'm sure, but I'm comfortable with it. I have something I feel is far more secure than a colored URL bar and Extended Validation box that begs for attention... I have an encrypted system wide keychain that is not going to have a username/password for paypa|.com. I might not catch that pipe as a lower case L... I my not catch a cyrillic character that looks just like an 'a' in there, but my keychain aware browser certainly will. It won't have a password for that domain, and that will instantly alert me to the fact that something is fishy. Proceed to open a new window and manually enter the address as a test... I rely on my keychain so much, I generally don't know the password for most websites I use, so I therefore cannot be suckered into revealing it. I'm sure Safari can be configured the same way.

      Instead of railing on Apple for not adopting the technologically deficient solution of other browser makers, perhaps they should instead focus on what is IMHO a superior approach to security... No dice on Windows Safari, sure, but on the Mac I have no fear of phishers.

    3. Re:Maybe Apple should... by Anonymous Coward · · Score: 1, Insightful

      I tried using Firefox 3 beta 3, and after 2 painful weeks, I switched back to Safari. If you're going to make it look like a Mac application, it should behave like a Mac application.

      After I tried to drag the FF3b3 window by its draggable-looking status bar for about the 3 billionth time, I gave up and went back to Safari.

      Giving Firefox (with the new Mac theme) to a Safari-using friend is a good way to get your (now former) friend to insist you unbreak his Mac, and then leave him the hell alone.

    4. Re:Maybe Apple should... by Anonymous Coward · · Score: 4, Insightful

      What theme do you recommend as the most "mac-like" and minimalist in screen real estate?
      Please - that's like asking for "the most Windows-like and stylish".

      Minimalist use of screen real estate is not a Mac virtue: Apple's principle is that screen real estate should be used well, not minimally. That's why they've made a big deal out of having bigger icons than Windows, for example, even though that means the Dock takes up about three times as much screen real estate as Windows' taskbar. Big icons = easier to hit = more efficient for the user. You aren't wasting that space, you're trading it for your time. And I assure you, unless you flip burgers or something then your time is valuable enough that you can certainly justify buying a bigger screen if you really need more working space.

      (Incidentally, I do rather wonder why, with modern Macs all having wide-aspect monitors, the default Dock position is still along the bottom of the screen, and why windows still have their toolbars along the top rather than down the side, but those are whole other cans of worms...)
    5. Re:Maybe Apple should... by er3s · · Score: 1, Insightful

      Lol,

      It's not fair to single out Safari, why not? Apple singles out Microsoft whenever they get the chance. It sucks when your flaws are in the spot light eh? Suck it up buttercup. Maybe if Steve spent less time pulling devs from other teams to work on the iPhone, Safari might have a phishing filter. The iPhone, still not 3G and it's almost 2 year, nor a Canadian version, tisk tisk. Man, i guess you needed those 18 bucks a month from AT&T customers to make up for all that R&D.

    6. Re:Maybe Apple should... by Anonymous Coward · · Score: 3, Insightful

      So why is closing a Mac window harder than threading a needle? And with the close button so small, why do standard dialogs generally lack an "OK" or "Close" button, with the expectation that we use those itty-bitty buttons way up in the corner?


      Why does Microsoft Windows have such big titlebars and buttons on all windows? Why does it always have these unnecessary 'ok' 'close' buttons everywhere? Why doesn't it have fast, easy keyboard shortcuts for most tasks?

      Actually, the huge, hunking graphics in Windows is as good enough reason as any to avoid it.
    7. Re:Maybe Apple should... by catwh0re · · Score: 2, Insightful
      While I agree that anti-phishing features would be a plus for Safari.(go download an extention like you do for any other browser) I think the problem should be addressed on the Paypal end. After all their website, links to ebay and methods are severly lacking as is it - even when you aren't diverted to a phishing scam there are a whole list of reasons not to use paypal.

    8. Re:Maybe Apple should... by dwater · · Score: 1, Insightful

      I've been using the same version of FF for a while now too. I can drag it's window around w/o any problem. Did I misunderstand your complaint?

      I 'never' use Safari, and don't consider my Mac 'broken' (any more than it usually is).

      --
      Max.
    9. Re:Maybe Apple should... by fangorious · · Score: 2, Insightful

      I would complain about you breaking keychain integration, most people I know hate when someone does crap like that, and they just stop asking for your help because they're afraid you'll just break something else.

    10. Re:Maybe Apple should... by MightyYar · · Score: 2, Insightful

      I wouldn't trust it on my laptop, either. If someone is sitting on your home computer, you've got bigger problems than the password to your eBay account.

      But if I did have it on my laptop, I'd sure as hell change my passwords the first chance I get.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    11. Re:Maybe Apple should... by Jarjarthejedi · · Score: 2, Insightful

      "I wouldn't trust it on my laptop, either."

      "But if I did have it on my laptop, I'd sure as hell change my passwords the first chance I get."

      This seems like a bit of an illogical statement, along the lines of calling to cancel a lost credit card. You seem to be making the claim that a laptop with those saved credentials can be lost, which is a good enough reason to not make use of it, and yet people have been losing and canceling credit cards for years, a laptop is much easier to notice missing than a piece of plastic, and the problem wouldn't be hard at all to fix.

      Personally I commit my passwords to memory and let my computer auto-fill them, the auto-fill for convenience (and because the chances of me losing my laptop, my primary computer which is pretty much on my person at all times and has a high strength login password among other security measures are slim to none) and the memory so that I can get into them without my computer, whether it be to change them or simply to get to them from another computer.

      --
      There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
    12. Re:Maybe Apple should... by vertigoCiel · · Score: 2, Insightful

      Firefox 3 even seems to use the Aqua style widgets. Seems being the operative word.
    13. Re:Maybe Apple should... by iamacat · · Score: 2, Insightful

      Why, you want your Linux browser to sport Windows XP title bar, ignore -display directive, omit support for .tar.gz files, require Ctrl-C/Ctrl-V for copy and paste and ignore middle mouse click...?

    14. Re:Maybe Apple should... by NotAgent86 · · Score: 2, Insightful

      So which windows version came before the mac?

    15. Re:Maybe Apple should... by theurge14 · · Score: 3, Insightful

      Minimalist use of screen real estate is not a Mac virtue:

      Big icons is your only example of this? On the contrary:

      * The 'Maximize' button will only open the app window as large as the content inside of it requires, it will not fill the screen.
      * One menu bar along the top for all open windows ensures no screen space is wasted with repeated displays of a menu bar.
      * Mac OS X automatically resizes dialog boxes to accommodate the content inside of them.
      * Dialog boxes that open off the edge of the screen will be automatically moved back into the screen along with the rest of the app, and when closed the OS will shift the app back where it was before you opened the dialog box.
      * Most apps do not have a 'background' window as to allow interaction with the desktop while the app is open. One common example is Photoshop.

      Most Windows users I observe maximize all their open apps to completely cover the desktop and use the Start bar as a full-screen task-switcher. In other words, a multi-tasking MS-DOS.

  2. scapegoat by Anonymous Coward · · Score: 0, Insightful

    An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him.

    Yes, blame the browser. It's certainly not because he's an idiot.

  3. IE by webmaster404 · · Score: 2, Insightful

    So wait.... you shouldn't use a (decently) secure browser such as Safari that is partly open-source, while you should use a browser that is fully proprietary (though with anti-phishing) and has a track record of being insecure? Not to mention how easy it is to keylog most Windows systems have already? Honestly, I think that making sure your browser is secure is much more important then making sure your info isn't going to an incorrect site.

    --
    There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    1. Re:IE by Loconut1389 · · Score: 2, Insightful

      Good point- the types of people who would install/use another browser, probably already do check.

    2. Re:IE by teh+moges · · Score: 2, Insightful

      This used to be a valid point, but Safari ships with OSX and a lot of users get Firefox installed by their tech-savvy friends. Still, there is a very simple way of getting around these problems:
      1) No financial institution should ever ask for your email address. Ever. Not as a required field, not as an optional field. The person signing up should be informed that they are deliberately not being asked for this information either.
      2) The exception to this: Reminders. These are setup WHILE logged in to the site, and the email address is stored in relation to the reminder, not the account profile (so it will be indirectly linked, but a helpdesk person won't see it when troubleshooting account information).
      3) All reminder emails are plain text only, with a clear message informing the user not to trust this email or any other email and to log in to the website by typing the address into a browser only.

      Like was said above, people don't need to be stupid, they just need to be out of their expertise. I'm not a security expert, but through my knowledge of computers, I know when I get sent a phishing email, I know how to surf safely. You can't expect everyone to be the same though. This is just a case of needing to inform the users, and to keep reminding them.
      * The method shown above is not foolproof, in the case of DNS attacks, or websites with similar names (user types in address, typos, and is sent to another site).

  4. here phishie phishie by themushroom · · Score: 3, Insightful

    Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve. The best protection mechanism in any browser against phishing is your eyes, looking at the address bar.

    snark: And Safari users are advised to stop using PayPal.

    --
    Laughter is the Spackle of the Soul.
    1. Re:here phishie phishie by Niten · · Score: 4, Insightful

      Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.

      I'm all for exercising personal responsibility, but I'd never argue that anybody 'deserves' to fall victim to a phishing scam.

      The fact of the matter is that there are some people (my grandparents, for example) who like to use the Web, but who are perhaps just a little bit senile and might one day fall for this sort of thing. If even an Ars Technica writer can fall for it, how can we expect an 80+ year-old to constantly exercise due vigilance?

      I'm actually quite OK with this PayPal advisory: the kind of people who will act upon it -- computing amateurs, basically -- probably should be using a browser that raises a big fat red flag when it hits a known scam site, and I'd recommend that such people use Firefox, Opera, or even IE 7 rather than Safari. The rest of us, those who are clueful enough to know how to protect themselves, aren't really the ones that PayPal is addressing here.

    2. Re:here phishie phishie by VirusEqualsVeryYes · · Score: 1, Insightful

      Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.
      You're an ass.

      If you are not in the habit of checking all open ports and immediately downloading updates, would you deserve the theft of your ID private information and loss of data that could ensue?

      If you are in the habit of leaving your doors unlocked, would you deserve the devastating destruction and theft that could ensue?

      If you are in the habit of not getting your brakes checked, would you deserve the highway pileup that could ensue?

      If you are not in the habit of meticulously checking your condoms for poked holes, would you deserve the unwanted baby and life-ruining court battles that could ensue?

      As they say, the loudest critics are usually the worst offenders. I'm sure a few scenarios could knock some perspective into your thick skull.
  5. Phishing protection? Really? by SanityInAnarchy · · Score: 4, Insightful

    The kinds of people who fall for phishing scams aren't likely to pay attention to what PayPal advises them to do.

    So why not cut the middleman and just advise them to not fall for phishing scams -- that is, to always verify https://www.paypal.com/ in the URL?

    --
    Don't thank God, thank a doctor!
  6. Browsers cannot help by wardk · · Score: 2, Insightful

    those too ignorant to leave URL's in emails ALONE

    the headline could have also just said "Paypal tells idiots to stop clicking on paypal emails"

    but that would potentially stop the 1 in 1000000 clicks that are legit and paypal would not want that transaction to not happen, so it's message to us is to stop using Safari.

    isn't anything going on worth reporting? this is filler...

  7. Oh, stop whining. by Whiney+Mac+Fanboy · · Score: 5, Insightful

    All Paypal did was have a faq containing a list of anti-phishing features & browsers that support those features.

    They don't recommend against Safari, they just recommend browsers that support anti-phishing features.

    No doubt when Apple gets around to adding these features (pity Safari's not OSS, or it could be added easily by third parties), PayPal will add them to the list.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  8. Re:How good Ars Technica writers at tech and revie by Niten · · Score: 5, Insightful

    I'm very happy for you, that you've never made a single careless mistake in your life. However, please do try to have a little mercy on those of us who are merely human, especially when we're honest enough to admit it.

  9. Re:OpenDNS to the rescue by karmatic · · Score: 4, Insightful

    OpenDNS monitors Phising sites and will not let you resolve to it.
    That's assuming, of course, that it's using a unique DNS name. For pages hosted on SourceForge, Geocities, etc. it won't do anything at all, and may provide a false sense of security.

    Furthermore, it's really easy to create phishing pages that will only show their contents to humans, and not spiders.

  10. Use IE? One problem... by Myrkridian42 · · Score: 4, Insightful
    There is *NO* Internet Explorer for Mac!

    Microsoft stopped making (and supporting) IE for Mac in 2003. See for yourself.

  11. Re:How good Ars Technica writers at tech and revie by Dachannien · · Score: 2, Insightful

    Step 1: Assume that any e-mail you get is a phishing attempt.
    Step 2: There's no step 2. There's no step 2!

    It's not exactly rocket science.

  12. Re:Every browser has and anti-phishing mechanism by mikael_j · · Score: 3, Insightful

    But DNS cache poisoning isn't really a browser issue, is it? (although I suppose a browser exploit could be used to pollute the local DNS cache on a user's machine)

    /Mikael

    --
    Greylisting is to SMTP as NAT is to IPv4
  13. Re:How good Ars Technica writers at tech and revie by Anonymous Coward · · Score: 1, Insightful
    Ars technica just dropped in my book. The writer couldn't pay enough attention to avoid a phishing scam?? Wonder how much attention he gives to his reviews and news items...

    He said it was late and he was tired. However, he also said this,

    At least I was lucky enough to realize I screwed up and was able to change my login information on that, and other sites, right away.
    Which seems to mean he was using the same password on multiple sites. This is a very bad idea, especially when on of the sites involves money.
  14. Re:i've gotten those scam e-mails before... by Gewalt · · Score: 2, Insightful

    You mean the status bar, and safari hides that by default because it can be erronously updated with javascript. In other words, if you're relying on the status bar, you're your own worst enemy.

    --
    Modding Trolls +1 inciteful since 1999
  15. Re:This has huge ramifications by urcreepyneighbor · · Score: 2, Insightful

    While Opera may not have the market share of Firefox, it does run a helluva lot better than IE / Firefox / Safari on lower-end and older hardware.

    --
    "The fight for freedom has only just begun." - Geert Wilders
  16. Re:OpenDNS to the rescue by Peaker · · Score: 2, Insightful

    Furthermore, it's really easy to create phishing pages that will only show their contents to humans, and not spiders. Isn't it equally easy to create spiders that look like humans?

    Does there phishing information originate from a spider, anyhow?
  17. Questionable Motives by sofla · · Score: 4, Insightful

    I have my doubts about this whole story. I question Barrett's motives. For the simple reason that the only way to find out that Paypal doesn't like Safari is to read the InfoWorld article and his quote. If you login to Paypal using Safari... nothing. Not a peep. No mail in your inbox, either. Seems to me that if Paypal really felt strongly about Safari they'd do a little more than that. But they don't. All we have is Barrett's quote. Which makes me wonder he's really after. And to me, the most plausible thing, is that as an EV early adopter, he's evangelizing how great EV is. Or maybe he has MSFT stock. Dunno. At any rate, if the user isn't looking at the URL bar in the first place, I don't know what difference it would make if it was green or not.

    And don't even get me started on how effective I think the whole "keep a list of the bad guys" approach is.

  18. Re:In other news... by TheSkyIsPurple · · Score: 2, Insightful

    USB storage autoruns, notices it's not on internet... install something that hooks into IE, whose core is used in basic System functions.
    Now it's snarfed your bank info from some notepad you keep.

    USB Key gets into an internet connected machine someday, its autorun notices that there's an internet connection, so it uploads what it found.

  19. Re:How good Ars Technica writers at tech and revie by pandrijeczko · · Score: 4, Insightful
    I've been into computers for 25-odd years, I'm Linux and Windows certified, I program in shell, Perl & C & I work as a security consultant...

    ...and 3 months ago even I fell for a Paypal phishing scam where I handed over my username, password and account details.

    Fortunately, I realised what had happened within a few minutes, immediately changed my Paypal password and cancel my bank card. I also reported the site to Paypal where it was taken down within an hour. As a result, I've not had any problems between then and now.

    Yes, it's all about attention, I agree - but it just takes a lapse in concentration to fall for one of these scams.

    Oh, and before it happened to me, I, like you, was mouthing off on Slashdot about how it could never happen to me also...

    --
    Gentoo Linux - another day, another USE flag.