PayPal Plans To Ban Unsafe Browsers
Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month.
"'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
Dear PayPal User:
After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/.
PayPal apologizes deeply for the inconvenience.
I don't like to blame the victim but who clicks a link in an email? Really. Any site that makes it hard for me to get things done from their front page does not deserve my business, so I'll never follow the phish. The reason people still fall for this stuff is because copyright warriors and other IPtards make browsers and sites more complex than they need to be.
If Iceweasel and Konqueror are not on their "safe" list, I won't be able to use them even if I want to. Either the EWeek author or PayPal is clearly clueless because they used the words "safe" and "IE" in the same sentence, so their elimination of safe OS would not be a surprise. The world won't really be safe until insecure OS and the spam they generate are eliminated. Even then there will be stuff that trickles through.
Friends don't help friends install M$ junk.
While probably rather nasty and nanny-statish of them to do so, I can't help but think that this will force at least some people using certain archaic standards-non-compliant browsers to use better ones, or at least heavily-patched copies of IE 6 (although, since Microsoft is big on IE 7, they might skip that entirely.) Who knows, it might improve standards compliance a little bit—at least as far as transparent PNGs are concerned. (Obviously, this does not count Safari.)
Goodness me, that's just not right. The internet should partly stay a case of survival of the fittest. Gosh, in some way, it might be our next evolutionary platform to weed out the poor badly adjusted humans from propagating into the future? I can just see it now... (Angry woman's voice) "What? You lost your bank account because you used a poor browser to access Paypal? That's the last straw! I am leaving you for another man - one that is more aware of internet security!"
Moved to http://soylentnews.org/. You are invited to join us too!
Rob Malda has barely made any effort to fully describe the process of selecting Slashdot moderators. What little information that has been supplied is an outright lie. The story of Malda's moderation system is far more insidious than merely separating wheat from chaff.
Last night, as I leaned over to give my Natalie Portman poster a tender kiss goodnight, I was psychically cast into a hypnotic trance. While entranced, my spirit guides delivered unto me the tale of the Slashdot moderators. Prepare to have your faith in Mr. Malda and moderation shaken to the core.
Difficult as it is to believe, Rob Malda was an outcast teenager. He did well in some of his classes, but was terrible with English. As is so often the tragic case today, his teachers passed him anyway, just to get rid of him. Since Malda had no real life, he spent much of his time on the computer (of course), and watching the public-access cable channel. It was there that Malda heard of the mysterious Mongolian Monks.
Malda was watching his favorite talk show, "Elizabeth Claire Prophet." The guests that night were a group of monks based in Mongolia. The monks described how they had been travelling to China to trade some of their cute teen daughters for Natalie Portman memorabilia. The monks had travelled no more than three days when they noticed a brilliant light in the daytime sky. The light grew larger. And larger. And larger. Soon the sky was completely hidden, from horizon to horizon, by a giant metallic disk.
The monks were taken aboard the craft and placed under some sort of alien mind-control. There, they were given the deepest possible insights into the nature of man, the universe and God. A week later, the alien beings returned the monks to the Earth and vanished forever.
The monks considered the area holy ground and constructed a new temple there, not bothering to return to their old monastery. They took their daughters as wives and began their own commune of worship, based on the teachings of the aliens. The monks practiced meditations which unleashed powerful spiritual forces within them. As the wives bore children, the community grew.
Malda was intrigued by the spiritual insights received by the monks and excited by the idea of incestuous pleasures. Unfortunately, the monks had no internet connection and so Malda could not email them. Without hesitation, Malda booked a flight and left for Mongolia. The plane ride was long and tiring, but his curiosity kept him driven.
After a month of searching, Malda finally located the commune. Initially, he kept a safe distance, for fear of rejection. He studied the monks from afar. Malda had heard stories of the monks' bizarre meditations, which gave them extraordinary powers. Malda was somewhat skeptical of these stories at first, until he saw the truth first-hand.
In the week that Malda studied the monks, he witnessed the breaking of every natural law. He was astonished as he watched the monks levitate, create pockets of lush weather within the commune and communicate with spirit forces. Malda grew more and more excited and he devised a plan for meeting them.
Malda knew the monks would respect him if he could display his own "magical" powers. He was determined to win their confidence, and he had with him all of the necessary tools. He approached the commune confidently. The monks greeted him with skepticism at the gate. Malda took a deep breath and began his show.
Using an AIBO, a can of Jolt Cola and an inflatable sex doll, Malda shocked the monks with his display of magical powers. The monks accepted him into the commune. Malda's head was shaved and he was given a robe and a room. The monks warned Malda to stay away from their daughters-wives.
The monks methodically taught Malda the word of the great messengers. He learned eagerly at first, but soon grew bored with his life in the commune. Malda's life was further stressed when his blow-up doll suffered a puncture-wound and became useless. A few days later, his AIBO's power dried up. With no pet and no woman, Malda slowly
Banks should have been doing this since they introduced internet banking. Now the onus is on you and if you lose all your money because there was no requirement to use a safe browser it's your own fault. Seems like banks don't understand the concept of "users".
Safari for Mac:
Preferences > Advanced > "Show Develop Menu in Menu Bar"
Develop > User Agent > Firefox 2.0.0.12
Suck it > Paypal
Not sure what to make of it at this point, but the gut feeling says this will be an excuse to be anticompetitive.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
I guess I'm missing what's supposed to be so scandalous about this. I've seen plenty of government and financial institution websites do the same thing with blocking old versions of browsers or certain browsers they deem unsafe. Why is it that when Paypal does it that it's some big to-do?
Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?
Philip Sandifer's academic website
Dear PayPal User,
Due to recent security upgrades, you may no longer be able to log in. In order to give all our customers the highest level of protection against fraud and identity theft, we are requiring that you have up-to-date security measures on your computer.
Please install the enclosed program [malware.exe] to upgrade the security of your computer to ensure that you can continue to access your PayPal account.
Thank you,
- Scams R. Us
Paypal is hyping Extended Validation certificates after Netcraft posts articles like this:
Extended Validation certificates and XSS considered harmful
Curious if nothing else.
Work bio at MMWD
Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.
A cat can't teach a dog to bark.
Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.
Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?
Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)
Is Lynx still considered unsafe? Have they fixed that graphics display hole yet? That was reported, like, 20 years ago.
SYSOP ('sih-sop) n.: the guy laughing at your typing.
How about the other way around? Have safe browsers ban PayPal!
Paypal warning against internet fraud seems a lot like Michael Jackson speaking against child exploitation. The company has a history of making money just disappear. "You must use a secure browser so that we may have unregulated access to your banking account. Otherwise, somebody might be able to stop us."
And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - ie. how can a user know the email is real, it's not encrypted, etc.
Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.
Ron
Wow, PayPal has figured out #2!
1) Declare a browser as "unsafe"
2) ???^H^H^H^H^H^H
2) Block the browser from your popular site
3) Profit! --> Approach the company that makes the browser... "we'll declare it safe... for a price".
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
What if you're on an older OS (e.g. Windows 2000) and you don't have access to a browser that supports EV SSL?
This sounds like eBay trying to get too controlling of PayPal users. I have a feeling that "security" might mandate a browser plugin in the future to verify that you are viewing the real paypal site (coincidentally, it automatically fills out transaction information if PayPal is the payment method)....
If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.
I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.
Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...
More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about use that to show critical information in the certificate, like the CN?
Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".
But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
Can we ban Paypal for unsafe money exchange?
Netcraft is dead. Paypal confirms it. And E-bay swapped it for some military hardware.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Now the scammers/phishers just need to do the same thing. And voila!
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
So you just want to ignore the whole botnet thing that creates the opportunity to screw up? That's a bad idea because everyone makes mistakes. Some make fewer than others but everyone will fail given enough chances. This also points out the futility of Paypal's ill advised action. The platform is insecure so their little green bandaid is not going to fix anything.
Pay Pal does not really have or they have chosen not to publish what browsers are "safe" based on actual fraud. Safari and other blocked browsers would not be at the top of that list, but any version of IE would and let's face it, IE 7 users are pushovers likely to get screwed. Windows itself is unsafe with any user, so the whole thing is just stupid.
http://slashdot.org/comments.pl?sid=216934&cid=17629948
...but the head of the International Phishers Guild says that all of their sites will continue to work with any browser you want. Spokesman Anome Smith says "We will not be following Paypal's lead on this. Popular phishing sites like www.payypal.com, www.paypa1.com, and 192.168.178.287/paypal will all continue to work with any browser you please. "
This is stupid and pointless.
The problem isn't "unsafe browsers". Phishing is social engineering, not hacking. The problem is unsafe users.
Give a stupid user a safe browser and a semi-sophisticated phish and they'll cough up that login.
Give a smart user an IE 5.0 and they'll never get busted.
If paypal really wanted to increase user safety they'd do it with user education.
Tell users to very carefully navigate to the correct site, make a bookmark, and then never go to the site any other way again.
Question everything
What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
eBay and PayPal have demonstrated that they no longer deserve my business.
And the reason people purchase products from large companies is so that they could offload some of the "hassle" or responsibility to the company that is hiring qualified professionals to analyze and develop the product they wish to sell.
If me as a regular user (Pretend at the moment I'm not writing this from my linux laptop) wanted to trade my personal time to assume the responsibility of learning cutting edge counter phishing procedures, then I fail to see the purpose of paying for the service.
From the above statement, we could look at the underlying problem here.
We as geeks know how to avoid these problems on the internet and whatnot, because it is our every day life. However don't expect a singer, entertainer, pilot, lawyer or mechanic.
If we could afford to, we will not change our own automobile's engine oil, even if we knew how to. So why should we expect mechanics, lawyers and any non geek to stay on top of CERT/Slashdot and all other form of security concerns when all they want to do is use it for basic communications and features?
It's the whole idea of specialization. People specialize in various trades, and sell services to each other.
In conclusion: When a regular user chooses to pay $xxx.00 for a Windows license instead of learning how to install and use Linux for free. It's a time and hassle investment that they're making, and not really a religious preference.
-Alex. http://bit.ly/1iVPtfA
Paypal not letting you in?
Have no fear.. with paypalproxy.com you can use any browser to access your account.
--
So long and thanks for all the phish.
Yes. Go to http://turbotax.intuit.com/freedom and pretend you want to file your taxes there. Understandably, you need to enable cookies/javascript. But then what happens? "Your browser is not up to date" it says. "Please install Firefox 1.07, IE 6, or Netscape 8 on Windows, or some other stuff for Mac."
Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*
So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.
More information here and here.
The twitter monologues. Click on my homepage and be amazed.
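The User-Agent workarounds described in the two comments above (Safari's Develop menu and the User Agent Switcher extension) work because a server-side browser gate sees only a header the client chooses. The sketch below is an added example, not code from PayPal, TurboTax or any commenter; the policy table, function names and sample header strings are constructed for illustration.

```python
import re

# Constructed policy for illustration: browser family -> lowest major version
# treated as having anti-phishing support. This is NOT PayPal's actual list.
MIN_SAFE_MAJOR = {"MSIE": 7, "Firefox": 2, "Opera": 9}

# Order matters: Opera could identify itself with an "MSIE" token as well,
# so the more specific token is tried first.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]* Safari/")),
]

# Constructed sample headers in the format these browsers sent at the time.
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) "
              "AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13")
FIREFOX_2 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) "
             "Gecko/20080201 Firefox/2.0.0.12")
IE_6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def parse_user_agent(ua):
    """Return (family, major_version) claimed by the header, or (None, None)."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(ua or "")
        if match:
            return family, int(match.group(1))
    return None, None


def gate(headers):
    """Map a request's headers to 'allow', 'warn' or 'block'.

    Families missing from the policy get a warning; listed families below
    the minimum version are blocked, mirroring the warn-then-block plan
    quoted in the story.
    """
    family, major = parse_user_agent(headers.get("User-Agent"))
    minimum = MIN_SAFE_MAJOR.get(family)
    if minimum is None:
        return "warn"
    return "allow" if major >= minimum else "block"


def verdict_follows_header_only():
    """Same client, same connection; only the self-reported header differs."""
    request = {"User-Agent": SAFARI_MAC, "Accept-Language": "en-us"}
    before = gate(request)
    request["User-Agent"] = FIREFOX_2  # nothing else about the client changes
    after = gate(request)
    return before, after


if __name__ == "__main__":
    print(verdict_follows_header_only())
    print(gate({"User-Agent": IE_6}))
```

Because the verdict is a function of client-supplied text, it is suitable for choosing which warning page to show, not as evidence that the browser has any protection enabled.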
Obviously IQ tests are not required to use the Internet, nor have children, nor drive, etc.
I received the following at the bottom of a message from PayPal confirming a funds transfer:
"PROTECT YOUR PASSWORD
NEVER give your password to anyone, including PayPal employees. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account."
MOAR!
I am really confused... let's see. Before Windows had "Internet Access" there was OS/2 which beat them out the door with it. Once Windows got Internet access (and before Internet Explorer), there was NetCom, various other dialups and AOL... NetCom and the dialups being one of the few that brought users onto the 'Net...
Then came Netscape (etc)...
...at which time, the Internet was so in its infancy that phishing (by the definition on Wikipedia and elsewhere) did not exist or barely existed at all. There were fewer mechanisms for the more complex methods available today, and some mechanisms that existed both then and now (such as email) were in states that did not allow such things at that time.
Then MS bought Internet Explorer... then they eventually included it in Windows.
No matter how you look at it, Windows and Internet Explorer ARE the cause of phishing being as prevalent as it is.
One can blame it on the holes and lack of security in the platform or various versions of Internet Explorer...
Or one can blame it on the fact that it was due to Internet Explorer being integrated in Windows that the popularity of the Internet grew (of course, since Netscape owned the browser market at this time, that wouldn't be true)
Or one can blame it on the fact that the Internet is so popular because of a combination of PCs being so cheap and Windows dominance in the market (ie: mostly non-tech savvy users, who are the main cause of phishing problems/exploits).
Or one can blame it on a combination of 2 or more of the above (and others I haven't mentioned) - but no matter how you look at it, phishing was not nearly the problem it is today (IF it even existed in anything we would even equate as the same thing in concept, or in definition).
StarTrekPhase2 - The Five Year Mission Continues!
I am a PayPal customer. I have a paypal secure ID, a hardware token that generates 6-digit numbers (synchronized with paypal's servers) that are part of my password authentication process. That means that even if someone gets my password (i.e. phisher), they won't be able to login that easily (they would need the hardware token to generate the current 6-digit number set, which changes periodically every 30 seconds). With all of that, I see no reason for paypal to block me if I am using Safari, even if Safari is a bit unsafer than other browsers. That would just mean adding an extra item to the list of things my iPhone can't do: access PayPal's webpage. That would really piss me off.
I'm not sure if there is a word for this (Phish and release), but it goes like this:
Paypal should send out official looking emails with links to a site that isn't on Paypal.
If someone enters their information on this fake site, Paypal would warn them that they got phished and released!
Paypal could tell them important stuff like only manually going into paypal.com and never clicking on a link in an email.
God spoke to me.
And thusly, we purchase a service from PayPal MegaCorp and expect them to take measures it deems necessary to protect the service it provides. The bottom line is simple: this is PayPal's business, it is PayPal's right to choose how to operate it, and we can take our ball and go home. And considering how many people think PayPal is evil, anyway, this should come as neither a surprise nor a disappointment.
But I still stand firm that people are to blame for the lack of security on the Internet. The telephone, the radio, the television, the tabloids, the newspapers, books, and so on were all considered at one time a method of mass disinformation, and some still are to a lesser extent. Why else would we have phrases in our lexicon like "you can't believe everything you read/see on TV/hear on the radio"? Because people are willing to throw caution to the wind. We are more apt to scrutinize and discriminate against information people may throw at us in person, face-to-face, but as soon as the information is put into some form of communication medium, we lose our senses.
We know the guy on the street corner in New York is not selling real Rolex watches; we know the fella that chats you up on the bus is not legitimately selling prescription medications. Even so, we are more apt to believe that these things are available on web sites, because we have it drilled into us that the world is at our finger tips, every thing can be found on the Internet.
If you want to get down to brass tacks and point fingers, WE are to blame for the folly of those who surround us. Yes, WE are to blame. Because WE chose to learn and understand and ignore the plight of those who have not. WE are the shop class instructors letting the uninformed use the table saw without proper instruction and then blaming them when they lose fingers. It is our responsibility to educate and inform others why what they are doing is wrong -- and in many cases we even get paid for doing so.
And I do not mean that using Windows is wrong, but that clicking on email links without thorough scrutiny -- or even at all -- is wrong; that blast-forwarding unconfirmed rumors is wrong; that not understanding that the bank will never send an email and tell you to go to a site and enter all of your vital statistics (and if it does, then you should run like hell, anyway.); that the use of semicolons is ill-advised.
I find it amusing that some of us will take the "duty" to throw out Mom and Dad's Windows PC and replace it with a Linux or Mac box, then walk away pleased with ourselves over the "service" we have just done. When, in fact, the "service" we should be providing is education. It does not matter in front of what box Mom and Dad sit, without the proper knowledge, they are still vulnerable to phishing schemes and exploits.
Really, these so-called idiots out there are mostly just uninformed. Some non-BOFH-type PFY handed them a computer at the WorstBuy, CompUSELESS, or Radio Shanty, without taking the short amount of time it takes to instill a small bit of cynicism over unsolicited or unexpected information and requests. There were no pamphlets at the store explaining how email can be as dangerous as a phone call from "your phone company" or "your bank." Most of these people CAN be taught and guided.
And the ones that cannot will be eliminated one way or another, but of course not before making complete and utter asses of themselves.
This Apple and Linux user blocks Paypal as unsafe.
3 reasons:
1) It takes time and effort for everyone involved
2) There will always be people who don't get it
3) There will always be newcomers
Yes, "knowing" is a good thing. However it is something the educated often take for granted because they believe the problem only applies to the uneducated, and they aren't the ones responsible for the education. Well, if it did apply to you you would be "surprised", and if you had to do the teaching, you'd try and think of something else once you realized what a waste of time it was.
A lot less phishing would go on if PayPal would just enforce its trademark and force the FBI to investigate these phishers using those marks to compete with PayPal and rip off its customers.
All these banks should be doing that. The FBI should be busy protecting us from these modern bank robbers, not all the domestic snooping and other abuses they waste their time and our money on.
Trademark holders are supposed to lose their trademarks when they don't defend them against imitators. Banks are supposed to secure their transaction systems from fraud.
I guess since they're making so much money doing their bad jobs, they don't miss it much when we lose our money. They'll just get it back when the phisher deposits it in their own accounts later.
--
make install -not war
I see your point, and I disagree with the basis of the argument.
Before any of what you mention there was the telephone, mail, fax machines, and more. Fraud schemes abounded long before phishing as we know it today, but the principles were the same: find some way to extract enough useful information from the mark. Phishing is the technological evolution of social engineering, and on a grand scale.
Additionally, in the past when scam spam was rampant, the thought of a botnet was just barely formulated. Such emails were blasted out via open relay mail servers, poorly programmed web forms, free email services, off-shore hosting, and the like. I will not argue that the botnets have not made sending the emails exceptionally easy and avoiding them exceptionally difficult, not for a second, and will cede that without the botnets the flood would be a lot more shallow. I simply cannot subscribe to the notion that Windows botnets are completely to blame for Internet fraud.
Until I see reliable data which breaks down phishing victims based on operating system and browser, I reject the notion that any one group is responsible for the existence of the phishing problem. Except for the criminals who have mastered and continue to develop its attacks.
... of where the Terrorists won.
Ironically, phishing sites won't block users using "unsafe" browsers, which just makes them more user-friendly than paypal.
More people than you think. Many of them aren't sophisticated enough to look at the URL of the site they are about to visit and notice the absence of the proper domain. Something like http://95.32.56.224/to/be/or/not/to/be/sucker.html (example, not an actual link) definitely isn't Paypal, but they don't figure that out until their browser (hopefully) sends up the phishing flag.
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
...Either the EWeek author or PayPal is clearly clueless because they used the words "safe" and "IE" in the same sentence... I think that I should fix that, Safe and any form of connection to the internet should not go hand in hand. Maybe Safer or more safe than other ways but it is never safe in general.hello
Only dumb people require browsers with anti-phishing protection to save them from themselves.
"... so their little green bandaid is not going to fix anything."
I always thought this was a plot cooked up by VeriSign and Microsoft anyway. IE gets a cute little green bar that looks like it means something, and VeriSign charges four times as much money for the same certificate.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
And WE used to educate them every September. That is until AOL based their business on getting everyone to connect to the internet without bothering to properly educate them.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
The latest Opera snapshot 9903 didn't succumb to the cross-site scripting vulnerability.
At SiteTruth, we divide certificates into three categories, rather than the usual two:
Browsers normally lump category 2 and 3 together. This is not a good thing.
Category 3 certs, the "Instant SSL" certs, have no value in identifying the business. A category 1 or 2 cert increases the site's SiteTruth legitimacy rating, since we have a third party which has vouched for the ownership of the site. A category 3 cert does not.
Browsers should make this distinction. You never want to enter a credit card number into a site that only has a class 3 cert. You have no idea where your money is going.
... ; that the use of semicolons is ill-advised.
I take my hat off to you good sir, for sneaking in that nice little amusement.
...let me try the link I got in that e-mail.
If Chaos Theory has taught us anything, it's that we must kill all the butterflies.
Nor vote either or get a mortgage it seems. :)
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
So how does this help? The emails sending people to fake PayPal pages will still work. For some reason, the people trying to steal your money don't follow the PayPal rules.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This is really cool. I wish I had five sockpuppets to shill my posts up and get me out of the karma hell I got myself into for trolling. So I can troll some more.
-
You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.
That's the kind of emotional drivel that's being used to erode our civil liberties. Of course, the perpetrator is the guilty party, and the victim is the innocent party. But we're discussing policy, not guilt, so that doesn't mean that we need to protect the victim. It isn't the government's function to protect everybody from anything that might happen to them.
In this case, it's PayPal, a company doing this to reduce their financial losses, which is their right. But it's also my right to say that they are stupid. I don't use anti-phishing technology because all those technologies themselves have serious problems, and they are completely unnecessary: for any important site, I just type the URL or use a bookmark.
There are four scenarios, assuming we agree to what "safe" is.
The immediate result is only affecting scenario 2, so there will be some loss of business.
In the long run, paypal expects users who hit the scenario 2 to switch to a safe browser. And paypal is big and important enough (whether we like it or not) for a reasonable number of users to do the switch.
We regret to inform you that we will not be able to process your Paypal Buyer Protection claim for the money because we have determined that you are not using a "safe" browser - a violation of our terms.
This, despite the fact that your victimization had nothing to do with phishing and your account was not actually compromised.
Due to this violation and to protect Paypal internal security, we have locked your account (and will be keeping the other $20,000 you had in it.)
This space available.
in other news, safe internet browsers plan to ban paypal from loading...
why hasn't the banking industry done this with their billions of dollars i hear you ask? because they aren't the ones paying for this, we are. until you make your politicians change this, we will continue to have scammers and phishers.
If you mod me down, I will become more powerful than you can imagine....
I don't really care about Paypal, and unlike some of the other comments, they have every right to determine what is secure and what isn't. It's their business. The important thing is that this is GOOD NEWS because MAYBE then the 80% of the world still using shitty, old IE6 browser will be forced to upgrade. Unbelievably good good GOOD news.
A while back I dropped the direct Paypal links to my checking account after years of never using it. I recently got an email after an eBay purchase about a new sending limit. Their solution? Re-add my bank account to Paypal. Why I need to have a middleman for online transactions is beyond me. I could care less about them profiting from sitting on my cash midstream. I'm guessing a lot of people are going to pressure Paypal to change this practice (I hope).
I swear to God...I swear to God! That is NOT how you treat your human!
Why would anyone choose Safari over Firefox? (I'm being serious.)
Dear god in heaven, please let it be so!
John
I use OpenDNS which will not resolve a phishing site. Also, Paypal is one to talk. Their own Paypal plugin for creating virtual debit card numbers detects their own site as a phishing site. There goes using paypal on my Wii.
---- "Excuse me. Where's the children's gun section?"
What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"
We have those now. They are administered from a testing center in Nigeria. If you fail, your internet is soon cut off for non-payment.
I love how you need a license to drive, but not to CREATE LIFE!
And people wonder why society is fucked.
And yeah, a written test to be allowed to use the internet would be nice.
SSL certs never had any value as an implement of secure identification. Regarding them as that was misuse. The sole value of SSL certs is encryption. End of story.
Added to that nonsense is the idea that you normally know anything about the people you're doing business with. You don't. These EV certs are a supreme waste of money.
I give it a thumbs up, in the end it's all done with the interest of protecting the users.
Besides, people probably don't know that their browsers are unsafe; in that case you would be doing them a favor by informing them of this fact.
I wonder how come a company like Apple is not implementing features found in other free products in their own... are Apple's developers lazy?... maybe they're thinking: "why waste my time and resources in providing my clients with features they don't even know they could use and have never asked for?".
This is pretty bad for a company that actually gets most of its money directly from the end users of their products and I applaud every time someone provides them with the bad publicity they deserve.
Solution - Paypal themselves send out a scam email - anyone who responds to it has their account shut down.
Professor Karmadillo Songs of Science
I think it's a bit convenient that they are against browsers that don't support EV Certs since those cost extra from companies like PayPal. So, it is in their financial interest to have all browsers support EV Certs.
I find your ideas intriguing and wish to subscribe to your newsletter.
Subject says it all. Have anti-phishing (i.e. use light curtains) but switch on javascript (leave the front *and* the back door wide open). Bunch of idiots.
If we could afford to, we will not change our own automobile's engine oil, even if we knew how to.
I can afford to pay someone to change my car's engine oil, but I don't. I do it myself. Why? Because knowing the job is done right is worth more to me than paying 40 quid each for five cars to have some spotty YTS do a bad job of putting the cheapest oil money can buy into my incredibly expensive and delicate engines. Sometimes it's not about convenience, it's about knowing it's right.
In conclusion: When a regular user chooses to pay $xxx.00 for a Windows license instead of learning how to install and use Linux for free. It's a time and hassle investment that they're making, and not really a religious preference.
So they have to learn how to install and maintain Windows, which presumably means they need one of those expensive courses that Microsoft is peddling. Then they have to buy and learn how to install and maintain virus scanners. Then they need to buy and learn how to install and maintain spyware removers and firewall software and who knows what all else?
Or they could pop in an Ubuntu CD, click the "Install" icon, and walk away for five minutes and make a cup of tea. I know which I'd rather talk my 70-year-old woefully non-technical mother through over the phone.
If they were really being consistent, they would ban Internet Explorer first.
No matter what soi-disant "security features" Microsoft implements, the fundamental design of IE is inherently insecure, and it can not be made secure without making deep changes in the API that will cause Microsoft to lose too much face to go through with it.
...or browsers that have anti-phishing protection turned on?
Anti-phishing protection in Firefox basically reports every site you access to google. No Thanks.
It should be "Paypal plans to allow Lynx only"...
Privacy is terrorism.
If Paypal is really concerned about phishing, why do they still send out emails saying their Terms and Conditions have changed please log in to your paypal account (link helpfully provided) to view the changes? Why do I need to log in to see the Terms and Conditions anyway? What if I want to see them before creating an account?
While surfing around, it's likely you encountered some websites trying to install some malware. This malware will kick-in when you are entering paypal.com, your-bank.com etc. in your browser and instead of opening the requested login-page you are diverted to a fraudulent page looking exactly the same. You start entering your password, secureID etc. and get any plausible error message like service is down at the moment. Meanwhile, all your data is sent to the attacker who already logged into your 'safe' account and is making some transfers. At the same time, you are surfing to slashdot complaining about companies trying to protect your assets.
But I'm stuck at the end. Where's the "Suck it" menu?
I disable phishing protection in the browsers I use which do support it. I also disable javascript because I consider it a security risk; the majority of browser vulnerabilities require javascript be enabled. Paypal does work without script but makes some stuff difficult, encouraging your customers to run their browsers in a less secure mode.
So which is it, are you concerned about security or not?
If they ban the default browser on the 2nd most popular desktop OS in the market they will lose hundreds of thousands of users and buyers will go elsewhere....maybe a good thing then, especially with their anti-competitive PayPal association actions lately!
Not IQ tests perhaps, but there is generally a test you must pass before you're legally allowed to drive.
While a mandatory test to use the internet would help things, not all countries would enforce it at the same time. Plus, you can guarantee that the content of the test would be fucked up somehow.
It was better a few years ago, when the only people on the internet were academics and geeks, ie people who are generally fairly smart.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I realize I'm a little late in the game for this, and I give myself 50/50 odds that I'll actually send it in, but here goes:
I use PayPal right now because it is one of the more secure options out there. I give my financial details to one party (PayPal) instead of every site I do business with -- which means PayPal gives me the opportunity to review every single transaction, and approve or deny.
It's also nice and reassuring to visit www.paypal.com, and see an https URL the whole way through -- knowing nothing important is ever transmitted in the clear.
And for some small amount of money -- I forget exactly how much it is, but relatively cheap -- I can even get a physical security token, which, I believe, is also valid with VeriSign. And due to its implementation, this token requires no additional software -- I just read a number off the token and into a browser window. What's not to like?
These are the reasons a highly technical and security-conscious person might want to use PayPal. Highly secure, with a lot of control and choice.
Now, I can understand wanting to protect the less-technical users. Send them emails every now and then, telling them not to click links in emails. Warn them if they're not using a secure browser. Provide technical support, walkthroughs, and as much hand-holding as you like.
But please don't alienate those of us who know what we are doing by removing our choice. Don't block browsers simply for not supporting anti-phishing, or having it disabled -- some of us know how to read the address bar, and value our privacy. Block older, actually vulnerable browsers if you must, but do not make it a whitelist.
The day I have to turn on user-agent spoofing to get to my money is the day I take my money somewhere else.
Don't thank God, thank a doctor!
Of course windows is to blame.
Take guns, for example. I'm actually pro-gun ownership (in fact, I'm a card-carrying member of the NRA), and I firmly believe that - as they say - guns don't kill people, people kill people.
But you know what? Gun manufacturers still put thought into their designs. They design guns to be safe to handle, to fail gracefully and so on. Now imagine that someone put a gun on the market that randomly went off, and imagine those guns had like 95% market share.
I sure would agree that in THAT case, it'd indeed be guns killing people.
And of course, you could blame the owners in that case, saying that they should know their guns are unsafe, that they should treat them accordingly, never load them, and so on.
Bullshit, I say! Guns are intended to be usable, and blaming the owner for a gun that's unsafe by design instead of the manufacturer is stupid. Same for windows. It's an OS, and it's intended to be usable; of course it can be used in a secure fashion, but most people actually want to do things like, I don't know, connect to the Internet and browse the web.
And windows is not secure enough for that.
I'm not saying that other OSes like Linux or OS X are necessarily better solutions, but even if they aren't, the fact that there's no alternatives doesn't make windows better.
So stop spouting that bull.
It is not just email. A lot of web pages have a 'pay me by paypal' button. I am sure that it is possible for a dishonest web author to link to a phishing site instead of the real paypal.
Firefox 3 (final) hasn't been released yet, I don't know why you would expect them to support a beta version.
I'm not going to send some server every URL I'm visiting, no fucking way. I don't care about their privacy policy (that can change at any time). I'm especially not sending them to MS, or Google so they can cross reference it with my search results and mails. It's OK if they need some particular type of certificate support, but I'm not giving up my privacy because some retards click on any URL. In any case, I'm not using Paypal either, but I hope nobody follows suit on this.
Thanks for posting this, it saves me some typing.
The only thing that changes is that the fraudsters don't have to be physically at your wallet anymore to steal your cards. ID theft has been around for as long as paying with your ID (be it CC or cash card) has been around. The only thing that changed is that they don't have to steal your card anymore, then phone you, pose as your bank and ask for your secret number to void your card. As stupid as it sounds, people fell for that.
There is one, and only one, thing we can do to make ID theft harder (not impossible, though): Educate people that their personal information is not to be handed out like candy. Unfortunately, I don't expect much help from our governments in this issue. It kinda works against their agenda.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
What happens if the browser is using a 3rd party tool bar that offers phishing protection? Does this system only detect if the protection is built into the browser itself?
If it is only detecting built in protection perhaps this will encourage IE6 to die! Anything speeding up IE6's death is MORE than welcome by every developer and designer on the internet.
"Enclosing a sentence in Quotation Marks doesn't make it correct or profound." -- R.O.Bably
"People tend to think that their own values are the best and finest values a human being could have, that other people would do well to follow their example, and that the flaws in their own logic are virtues." -- R.O.Bably
also
"We need specialists in our society, without them we would never have flown, never have reached the moon, never have discovered DNA or black holes. That Heinlein quote is bollocks." -- R.O.Bably
The obvious Userfriendly cartoon to this topic: http://ars.userfriendly.org/cartoons/?id=19991114
Illiad already had that idea a decade ago. And it was already a good one back then. Unfortunately, how do you want to enforce it?
I wouldn't react with keeping the "dumb" people out. But I would highly recommend (not require, just recommend) that people get some sort of "internet 101, do's and dont's" class before hooking up. I'm honestly amazed that no bank or other financial page ever had the idea of offering such a course, free of charge. Just a few pages, informing you of the various scams and practices, as well as some counterstrategies when you think you might have already done something foolish. Setting up such a page, especially if you outsource it, runs in the four or lower five digit range. A single ID theft attack can easily reach 6 digits in damages.
So I wouldn't say that only "dumb" people fall for such scams. It's simply that people don't even think a lot of the things that happen are possible. When they click a link, they expect to visit the page this link displays, they don't even know it's possible to show a completely different URL than what you link to. And that's just the tip of the iceberg. The idea that some BHO could hook into their browser and hijack a secure transaction is completely beyond their imagination. We have to educate the users. Information is the only sensible shield against ID theft.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Unfortunately I have had many bad experiences with PayPal. They are a brick wall when it comes to disputes. I have had to have my bank cancel cc transactions because of their intransigence.
Let's hope that the banks gang up to put PayPal out of business some day. What are they waiting for?
According to Wikipedia (which is never wrong), Windows (1985) pre-dates phishing (1987).
Well, since you usually have your bank where you live, for 99% of the bigger online scams, this would already help. I'm quite amazed that banks don't press for something like this.
But how would you want to enforce it? How do you pull someone over and ask for his internet license? Or do you have to have one to get a contract with an ISP? How do you want to enforce that only people holding a license may use a computer hooked up to the net (and not, say, their kids or peers)? What if you still get infected (something that's even far from impossible for people who do know a fair lot about the threats, it's not unheard of that AV researchers themselves get infected)?
A lot of buts and ifs, and even more hows.
The internet has turned from a geek toy into a tool for everyone. Which isn't really a bad thing, it's great that everyone from 8 to 80 uses it. I do think, though, that we should educate people. And the first step has to be to inform them that the internet is not a "friendly" net. It is hostile. Every single computer out there is out to get you. Not really true, but given the large number of machines hooked up, it makes sense.
What we have to teach people is that distance does not matter on the internet. All the crooks on the net, all over the world, are living right in front of your apartment, just outside of your connection to the net. When you get someone to understand that, his first question will be how to protect himself.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ah crap, there's a whole load of angles on this.
a) it's not a matter for Paypal to "support" browsers, but rather, this being the web, for them to write according to standards and let browsers display their site how they will, etc...
b) if they cannot trust me to use my own choice of browser (currently epiphany) correctly and put an error-message in front of me, they will not get my custom. I only use sites who want me to use them.
c) Right when I was getting all interested in them because of the convenience, too...
d) of course it's no real security at all. How will they know what the browser is? User-agents are so fakeable it would be beyond preposterous; javascript can be disabled (and if they refuse to work without js, that raises whole questions about accessibility)
e) what about the effects on people using paypal for "donate" buttons on their sites - do they deserve the subsequent drop in income *and* ill-will this will engender?
Someone remind me who the alternatives are for sending money back & forth...
~Tim
--
Rushing on down to the circle of the turn
Yay for car analogies! :)
I see your point, but it doesn't require a car mechanic to drive safely. I do agree, when my car doesn't start, I call a mechanic. I don't want to deal with engine, spark plugs and all the other greasy junk under my hood. I turn a key, if that doesn't do it, someone else is called for.
But I still have to drive. I can't just kick down the pedal to the metal and blame the car when I don't make the corner and crash instead.
And the same is true for computers. I don't expect anyone to know whether TCP/IP is some protocol or the Chinese secret service. Making a computer run and fixing it if it stops doing this is something you can (and should) outsource to someone who knows what he's doing. But that does not mean your computer should know whether you really want to do what you're doing. You still can't click on every fraud mail that comes your way, launch every invoice.pdf.exe and demand that your machine can tell whether some program you execute is "good" or "bad".
You have to turn your brains on when using a computer. I think that's a requirement you can impose on everyone, from mechanic to lawyer. It doesn't take a degree in computer science to learn that your bank doesn't send you emails asking for your online banking credentials, nor that lawyers don't send subpoenas through email.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
All I had to do was lie
It's a page that deals with doing your taxes. Duh.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
... giving Paypal money. Wow, right on brother. Sock it to the man.
Help poke pirates in the eyepatch, arr.
Most definitely not required to hold elected office, either.
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
"Considering their basis for this decision is some kind of market data about fewer IE7 users abandoning their accounts, yes they would be dumb enough to block free browsers that run on more secure platforms than Windoze."
What does a phishing scam have to do with how secure a platform is? Comparing browser to browser, if browser A helps protect against phishing and browser B doesn't, then browser A is more secure (in that respect). I doubt anyone that has lost money to a phishing scam would disagree.
"The whole phishing problem is one created by M$ - it would not exist without the high percentage of compromised desktop machines that are sending out spam in the first place."
What does the origin of the email have to do with protecting people who receive the email?
"IE7 is no more safe than it is standards compliant because the platform itself is easily, remotely compromised with keyloggers that report user information regardless of user activity."
1. Standards compliance has nothing to do with this argument.
2. IE7 is very secure, particularly on Vista, where the product runs on a less privileged account.
"This whole thing is stupid"
If you are talking about your post, then yes, I agree.
Download free e-books, lectures, and tutorials at bookgoldmine.com
Does anyone actually like or use it? I know the first thing I do on a new Mac is download Firefox and Camino. I am not sure why but I've always found Safari to be annoying for some reason. Perhaps it's just me.
Because it's a criminal enterprise.
Windows NT 3.51 is technically older than Windows 95, so you can go that far back if you want. The problem will be for Windows 3.x users, though, and yes there still are some out there on the WWW (including myself on occasion.) However, I never trust the web for anything financial anyway, due to exploits I find on my own, so I'm not impacted anyway. :)
Several people have posted saying "why don't banks do X" and I just happened to hit reply on yours, so this is adding to the conversation.
Banks, as one used to think of them were the cutting edge of vault design and technology. The internet and computers however, have passed them up. You need to be dealing with a VERY big bank before you can count on professional experienced IT folks making decisions about this stuff.
For a bank, IT staff are like a janitor. They don't listen to them or take them seriously.
At most small or regional banks, some goober vice president who knows nothing but thinks he does (because he installed AOL at home) is in control of the IT department.
The web site, that's managed by the youngest female member of the marketing department because she both has the most internet skills, and doesn't have the authority to push the crap jobs on someone else. So the web site itself slowly rots with more and more animated GIFs and less and less sense.
All the while, you have a large industry of fraudsters selling useless services to these banks, without anybody anywhere along the line really having a clue. They spend thousands of dollars a year on certification services, auditors, "penetration tests" (which is really just off the shelf open source programs) and then refuse to upgrade to an individual server (for an extra $20 a month) so they can lock it down to their tastes, and they won't spend $100 to get a bit of consulting to help them do it.
Also, if a bank tries to teach someone something, they take on MORE liability. Because now the lawyer has the "your training was inadequate, you owe my client".
Banks are about minimizing and mitigating risk. Teaching something, ADDS risk. So they don't do it. Telling folks that event XYZ happened and they should protect themselves just reveals they knew it was happening.
The bottom line is, they don't give a flying fuck about the end customer's individual accounts, they care about their overall accounts and what the government will do to them, they DON'T care about what market forces will do to them because that's not a big threat.
Banks need their Bill Cosby of IT. Someone with pull, well respected, and known to them to go "You are doing it wrong!" Until that guy comes along, they will continue to founder.
Until then, consumers are on their own. Protect your friends and family as much as you can, but don't go insane banging your head against the wall of human IT ignorance. You can't bust through it. Only time will let it crumble as the ignorant die off in 60 years.
Finally taking some of the blame for the problems out there, good for you!
First of all, thanks for belittling me. I was that bank IT guy, from 98 to 02. And contrary to your opinion, the IT staff of the average bank is quite good. It's just hard to find someone with good hacking skills and no police record these days.
What's true, though, is that the prophet ain't worth a dime in his own country. Only after I quit and started consulting, they hired me and took me seriously, essentially paying me to tell them the same thing I repeated over and over while I was there. Banks do take security seriously. Mainly out of self interest. First of all, the obvious loss of money. But more important even, the possible loss of goodwill. Usually a bank settlement after a fraud takes place can be summed up as "we pay, you shut up".
So whether they're liable for the loss is moot anyway. Paying some moron the 2k he lost when his account was hijacked and ransacked is peanuts compared to bad press. Banks will pay. Even if they keep telling that they won't (this is mostly hoping people will start getting a bit more wary when doing online banking).
Banks already started to acknowledge that there is a problem. Recently we had a week long two page "bank security course" in our major newspaper. To understand the quality of this, you have to know that no paper can write anything the major banks don't want it to write (banks are amongst the most important ad buyers here, piss off the banks and you close your doors). Actually, I know it was some sort of "sponsored report", if you know what I mean.
So apparently banks did wake up to hear the music. And when you look at their pages, they try to inform about the most recent frauds taking place, but that simply isn't enough. When you do your online banking once a week, you might already have clicked that "give info now or your account is gone" mail, without reading the warning.
What I'd envision is something like a quiz, where you can win a savings account with some token amount of money predeposited if you answer it all right. People like quizzes, especially when you can win something. The selling point would be that your bank does care about your money and your security, something that sells pretty well here (people would rather give you the keys to their home than their banking info, or tell you how much they earn, here).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
THIS IS WHAT SCIENTOLOGISTS ACTUALLY BELIEVE
for those who missed it (and to avoid the lameness filter) that was a south park reference
Oh, was I supposed to say "Trick or Treat"?
Well, what were you looking for, an argument?
"Our opponent is an alien starship packed with atomic bombs. We have a protractor."
40 quid to change oil?
Here in the US it is 20-35 USD, even less at some decent mechanics.
40 Quid (80 USD) will get me an oil change, tire rotation (which I really can't do on my own anyway), and tanked on expensive beer at a bar.
Last time I changed my own oil it ended up costing me more in oil and a filter than my mechanic would have charged me (though with 5 cars I suppose you could get an economy of scale going).
Apparently it isn't just imports you get screwed on in England (or my entire premise is wrong and you are in Australia or something).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Can someone explain to me why PayPal decides a browser is "unsafe" when they still allow their IMAGES to be hotlinked by any remote host?
Every phishing scam I have ever seen that looks like a valid PayPal page also has all the image files HOSTED BY PAYPAL (which of course saves bandwidth charges for the scam site)
I just tested this a minute ago and I was able to easily replicate the PayPal Login Page on one of my sites with PayPal still hosting all the image files.
If PayPal is serious about stopping Phishing maybe they could start by disabling HOTLINKING their files?
I don't know, maybe I am asking too much.
I like microcars
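The hotlinking point in the comment above has a detection side: every hotlinked image request carries the embedding page in its Referer header, so the image host's own access log names the pages that reuse its assets. The sketch below is an added example, not part of the original thread; it assumes Combined Log Format, and `pay.example`, the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: placeholder names for the site's own hosts.
OWN_HOSTS = {"pay.example", "www.pay.example"}
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".svg", ".ico")

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, invented hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Apr/2008:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "https://www.pay.example/login" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2008:10:02:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://pay-example-secure.test/webscr/login.html" "Mozilla/4.0"
203.0.113.44 - - [21/Apr/2008:10:03:31 +0000] "GET /images/btn_login.gif?v=2 HTTP/1.1" 200 512 "http://pay-example-secure.test/webscr/login.html" "Mozilla/5.0"
203.0.113.44 - - [21/Apr/2008:10:03:32 +0000] "GET /images/logo.gif HTTP/1.1" 304 0 "http://pay-example-secure.test/webscr/login.html" "Mozilla/5.0"
192.0.2.5 - - [21/Apr/2008:10:05:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.pay.example.login.test/" "Mozilla/5.0"
192.0.2.6 - - [21/Apr/2008:10:06:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.7 - - [21/Apr/2008:10:07:00 +0000] "GET /cgi/login HTTP/1.1" 200 900 "http://pay-example-secure.test/webscr/login.html" "Mozilla/5.0"
this line is not in combined log format
"""


def referer_host(referer):
    """Lower-cased host of a Referer value, or None if absent or malformed."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_own_host(host):
    """Exact match or true subdomain; a look-alike prefix does not count."""
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def find_hotlinkers(lines):
    """Group successful image fetches by the foreign host that embedded them."""
    found = defaultdict(lambda: {"hits": 0, "clients": set(), "pages": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["status"] not in ("200", "304"):
            continue
        if not m["path"].split("?", 1)[0].lower().endswith(IMAGE_EXT):
            continue
        host = referer_host(m["referer"])
        # Requests without a Referer cannot be attributed and are skipped.
        if host is None or is_own_host(host):
            continue
        entry = found[host]
        entry["hits"] += 1
        entry["clients"].add(m["ip"])
        entry["pages"].add(m["referer"])
    return dict(found)


def rank_suspects(found, min_clients=2):
    """Hosts seen from at least min_clients distinct IPs, busiest first."""
    hosts = [h for h, e in found.items() if len(e["clients"]) >= min_clients]
    return sorted(hosts, key=lambda h: (-len(found[h]["clients"]), h))


if __name__ == "__main__":
    report = find_hotlinkers(SAMPLE_LOG.splitlines())
    for host in rank_suspects(report, min_clients=1):
        print(host, report[host]["hits"], sorted(report[host]["pages"]))
```

Browsers and privacy tools can omit the Referer header, so this reports a lower bound on hotlinking rather than a complete list.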
I don't want to get into an argument, or act judgmental, so I apologize in advance.
As a firm believer of the second amendment I wanted to put out there another lobby group that I personally find more reasonable:
http://www.huntersandshooters.com/
I warn you though, I believe strongly in allowing gun ownership and freedom, but also believe in requiring trigger locks, and tracking of gun ownership. Believing that the true meaning of the second amendment is to protect the opportunity for armed rebellion and against government backed militias. As such truly acting upon its intended (in my interpretation) purpose is an honorable act of treason such as the American revolution was to England, but an act of treason none the less.
Again, I do not want to start a debate, and do not mean to offend or imply my judgment is better than yours. I just wanted to put out there another group that believes in the second amendment, that was formed by gun owners who believed the NRA was taking stand on issues not close to their hearts, and dividing and conquering the second amendment fight. Hanging gun owners in more liberal states out to dry.
Thanks if you read this far.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Your company's computer guy?
:)
"You're doing it wrong, moooooove!" Then he sits down and fixes it.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
For shame, you got marked as a troll for writing your comment in php. This should have been the proper response:
for (int i = 0; i < 50; i++) {
laugh();
}
I personally wouldn't expect them to support it, but I also wouldn't expect them to ban it.
Be more careful next time, please.
I have never read something so beautiful. I just keep reading it over and over. We have to tell the world. Everyone, post this on digg. Email it to every person in your contacts. Call the radio stations. THE WORLD MUST BE TOLD!!!
I had no idea this happened. Thanks!
Australia uses dollars, dumbass.
It doesn't mean much now, it's built for the future.
"I don't need to be forgiven" -- Baba O'Riley
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
So they get blocked if visiting the real site but not when they click the scammers link. Seems like a useless plan to me.
And unfortunately, many other things.
Pusbag, is that you???
Considering the plan for eBay to start REQUIRING PayPal as the only form of payment for auctions, PayPal's notorious habits of freezing people's accounts unfairly and improperly, and now, their intentions of banning popular web browsers just because they don't include dubious "anti-phishing" technologies in them ... I'd say the INTELLIGENT thing to do is give PayPal the boot!
I did... Google Checkout works fine for me as an alternate way to accept credit card payments from people, and seems to cost a little less too.
I don't live in England. Also, at least two of my cars require five litres of very expensive fully synthetic oil each. It sounds like if you're spending $20 on an oil change including labour, then you're getting cheap crappy oil.
I can understand Intuit (or any financial institution) not supporting a browser that isn't considered to be production software by its authors. The same thing happens to users of IE8. Besides, most people who are using beta versions of a browser have another, stable, browser installed.
I like my beverages with warning labels!
Winders and the Exploder are security incidents waiting to happen so I guess that means PayPal users so equipped will be SOL.
Why ban Safari?
It is the only truly 100% secure browser out there, being as immune to any attack as an air gap.
Windows is not to blame for the phishing problem, PEOPLE are.
Some programs make it easier. IE allows sites to show fake addresses when you hover over them. IE allows sites to disable right-click on pages so you can't copy the link address to see what it really is before you go there. These are features put in to "help" users that decrease security. Phishing isn't caused by any software, but it may be made easier by some software.
Learn to love Alaska
From Wikipedia's Big Book of Things That Might Not Be True (by the Internet):
There has been some concern that EV certificates, despite their improved authentication and higher cost, will not prevent phishing attacks[9].
In 2006, researchers at Stanford University and Microsoft conducted a usability study[10] of the EV display in Internet Explorer 7. The study measured users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks, and found that there was no significant difference between users who saw extended validation indicators and those who did not. Users who received training with the Internet Explorer 7 help file were more likely to judge all sites legitimate, regardless of whether they were fraudulent.
9 = http://www.schneier.com/blog/archives/2006/12/microsoft_antip.html
10 = http://www.usablesecurity.org/papers/jackson.pdf
Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions. It's the only way to mak
Me too!
Take off every sig. For great justice.
Looks like Rob Malda is not the only one who has no life.
In that case, the blocking wouldn't help, because the fake paypal wouldn't block.
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
I don't know whether you are trolling, confused, mistyped, or I completely misunderstood you. If you believe that "the second amendment is to protect the opportunity for armed rebellion and against government backed militias", for which there is strong documentary evidence that you are correct, why on earth would you believe that tracking of firearm ownership is a good thing?
While one prays and hopes that there is never a need for armed insurrection against one's own government (and no, though many things deserve scrutiny, I don't believe that ANYTHING currently transpiring in the US even comes close to that necessity), to not only be unopposed to tracking firearm owners but actively support it seems, well... foolish. Please explain.
I don't live in England.
http://en.wikipedia.org/wiki/Quid From that, it looks like you are in the UK or using a local slang on a US site and guessing that we'll manage to figure out that you are using one of the least used definitions of the word. Just doing that makes you an ass. You are either ignoring your audience, or you are purposefully setting them up for failure for using an uncommon usage of the word with no clarification.
Also, at least two of my cars require five litres of very expensive fully synthetic oil each.
The number of cars that "require" fully synthetic oil is pretty small. For someone to own two such vehicles indicates an involvement with cars such that if oil changes were free he may still elect to do it himself out of some personal attachment to the vehicles, making price irrelevant. I own a car that does not "require" synthetic, but it is recommended (one of the last years of the aircooled 911s). The cost of buying the oil at a store in one-quart containers exceeds getting a mechanic to put in the same volume of the same synthetic into my car, changing the filter at the same time.
Oh, and I'm curious what you mean by wanting only "fully" synthetic? Are you excluding blends, or are you excluding the oils labeled as 100% synthetic that are derived from the same oil stock that makes regular motor oils?
Most of the places I buy my shoes at online use Paypal! And I love Safari!!! I can't believe that Paypal has declared war on my shoes. I guess I will have to shop at non-paypal places. Just posted about Paypal's attack on my shoes http://webpoet.wordpress.com/2008/04/18/paypal-verses-my-new-summer-shoes/
I filed my taxes through TurboTax for the Web using Firefox 2 on Ubuntu Gutsy without any problems. You get the warning, stating your browser isn't supported, and then you just continue anyway. It's just a disclaimer that, if you have issues with the site, they may not be able to provide technical support, as you're using an untested configuration.
Have you driven a fnord... lately?
Totally agree. In fact, PayPal is probably making things worse by insinuating that if you're using IE and you have a little green bar then you're absolutely safe.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I had some lurid crime photographs on my large website. In order to see these lurid crime photographs, I asked readers to prove they were "an adult by their community's standards." Most simply stated their birthdates or ages. A few sent dog tag numbers. One quipped, "I'm a resident of Washington DC. What community standards?"
Some proved their maturity by describing their life experiences. "I haven't paid off MasterCard in six years, and my car is a beat-up '80 Chevy." "I remember the words to Delta Dawn, and Michael Jackson when he was still black." "Fire hydrants were painted red, white, and blue for the 1976 Bicentennial." "There are five bordeaux grapes: Cabernet Sauvignon, Cabernet Franc, Merlot, Petit Verdot, and Malbec."
But some responses were dangerously clueless. A significant subset sent scanned licenses, passports, and photographs. A few even gave me their checking account numbers!
Are people so gullible and unaware? People are.
That one's definitely twitter. I'm Macthorpe, and so's my wife! :D
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
You're spelling is remarckable. I wish mine was as good.
$
From that, it looks like you are in the UK
The UK isn't England.
The number of cars that "require" fully synthetic oil is pretty small
Yup. One of them is a 1991 Citroen XM V6-24, which has a pretty highly-strung engine that needs lots of careful attention otherwise you're going to be replacing 24 teeny-tiny hydraulic tappets.
Wait a minute here. Paypal is going to block browsers? How does this stop phishing since the phishing is not occurring at paypal.com? I guess they want to attempt to get existing users accustomed to using a secure browser, but I'm sure phishermen will find a way around that too. As for me, I wouldn't change my browser permanently because one webpage fails in it, so I think this move is phishy.
You must think you're exceedingly clever. All your sockpuppets are going to karma hell, just like your twitter and Erris accounts. Just a matter of time.
I want to buy pot from you.
Yes. All they care about is that the browser window changes color to show whether or not there's a Cert, and whether the Cert is Low Assurance (Domain Validated), Medium Assurance (electronic validation of domain and owner) or High Assurance (validated by humans taking multiple steps).
Which is reasonable (even though it may cost me business) because most people never even notice that most phishers don't even have certs.
I will clarify that by tracking I mean registering and reporting lost or stolen.
I don't think there should be GPS tracking or surprise inspections or anything like that (except so much as registration is kind of like that).
If someone is going to need to violate gun laws in an act of treason I think that is a risk they must be willing to take. If they are not, the treason is probably ill-advised.
In many parts of the county there is a serious problem of guns ending up in the underground and the owners that allowed it to happen are not accountable at all.
Allowing people to move many guns into an underground where they are being actively used and killing bystanders is a bad thing. And a piece of freedom that leads to a very real increase in security.
I think a reasonable way to decrease the amount of control government has on firearms is to increase the amount of accountability owners have when their gun kills an innocent bystander.
It's hard enough to be a cop without somebody giving their pistol to the guy you are arresting and then saying "It was stolen 6 months ago".
I also think we have things a little backwards, and it is worrying to me. A small gun (pistol for example) is far more dangerous to me than an assault rifle, or even a militarized one (fully automatic). And a pistol is not particularly useful in armed rebellion.
And yes, I am probably confused.
Just one note, if you define "High Assurance" as "Humans taking multiple steps" then all Verisign certificates are High Assurance, even the non-EV version.
At a previous employer, I was part of the process to get us a Verisign cert (the "cheap" version, not EV) and they required us to fax them a Certificate of Incorporation, look us up in a trusted company directory, call us on a number they got from the phone book (they would not trust our word on the number). Hell, the only thing missing was a DNA sample from the directors.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".