PayPal Plans To Ban Unsafe Browsers
Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month.
"'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
Instead of having to force PayPal users to use only specific browsers, they should educate the consumers on safe browsing habits and on not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
Dear PayPal User:
After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/.
PayPal apologizes deeply for the inconvenience.
Are you nuts?
"We're sorry. You're not using IE. And if you are using IE, your IE configuration isn't permitting us to run the MegabanX proprietary ActiveX control that our conslutants [sic] told us would eliminate all our liability. Please enable ActiveX support in order to continue banking with us, or turn off that Netscape thingy and upgrade to IE4.0 and resize your window to 800x600 while you're at it."
Forgive me for the sarcasm, but I had to switch banks twice because of that sort of crap. Think back a few years. The last thing any of us would have wanted "since they introduced internet banking" was our banks doing User-Agent and Javashit-based snooping on our configuration.
Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?
Philip Sandifer's academic website
Paypal is hyping Extended Validation certificates after Netcraft posts articles like this:
Extended Validation certificates and XSS considered harmful
Curious if nothing else.
Work bio at MMWD
Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.
Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.
Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?
Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)
How about the other way around? Have safe browsers ban PayPal!
And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - i.e. how can a user know the email is real, it's not encrypted, etc.
Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.
Ron
Can we ban Paypal for unsafe money exchange?
This is stupid and pointless.
The problem isn't "unsafe browsers". Phishing is social engineering, not hacking. The problem is unsafe users.
Give a stupid user a safe browser and a semi-sophisticated phish and they'll cough up that login.
Give a smart user an IE 5.0 and they'll never get busted.
If paypal really wanted to increase user safety they'd do it with user education.
Tell users to very carefully navigate to the correct site, make a bookmark, and then never go to the site any other way again.
Question everything
What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
And the reason people purchase products from large companies is so that they could offload some of the "hassle" or responsibility to the company that is hiring qualified professionals to analyze and develop the product they wish to sell.
If I, as a regular user (pretend at the moment I'm not writing this from my Linux laptop), wanted to trade my personal time to assume the responsibility of learning cutting-edge counter-phishing procedures, then I fail to see the purpose of paying for the service.
From the above statement, we could look at the underlying problem here.
We as geeks know how to avoid these problems on the internet and whatnot, because it is our everyday life. However, don't expect the same of a singer, entertainer, pilot, lawyer or mechanic.
If we could afford to, we would not change our own automobile's engine oil, even if we knew how to. So why should we expect mechanics, lawyers and any non-geek to stay on top of CERT/Slashdot and all other forms of security concerns when all they want to do is use it for basic communications and features?
It's the whole idea of specialization. People specialize in various trades, and sell services to each other.
In conclusion: when a regular user chooses to pay $xxx.00 for a Windows license instead of learning how to install and use Linux for free, it's a time and hassle investment that they're making, and not really a religious preference.
-Alex. http://bit.ly/1iVPtfA
Obviously IQ tests are not required to use the Internet, nor have children, nor drive, etc.
I am a PayPal customer. I have a PayPal Secure ID, a hardware token that generates 6-digit numbers (synchronized with PayPal's servers) that are part of my password authentication process. That means that even if someone gets my password (i.e. a phisher), they won't be able to log in that easily (they would need the hardware token to generate the current 6-digit number, which changes periodically every 30 seconds). With all of that, I see no reason for PayPal to block me if I am using Safari, even if Safari is a bit less safe than other browsers. That would just mean adding an extra item to the list of things my iPhone can't do: access PayPal's webpage. That would really piss me off.
And thusly, we purchase a service from PayPal MegaCorp and expect them to take the measures they deem necessary to protect the service they provide. The bottom line is simple: this is PayPal's business, it is PayPal's right to choose how to operate it, and we can take our ball and go home. And considering how many people think PayPal is evil anyway, this should come as neither a surprise nor a disappointment.
But I still stand firm that people are to blame for the lack of security on the Internet. The telephone, the radio, the television, the tabloids, the newspapers, books, and so on were all considered at one time a method of mass disinformation, and some still are to a lesser extent. Why else would we have phrases in our lexicon like "you can't believe everything you read/see on TV/hear on the radio"? Because people are willing to throw caution to the wind. We are more apt to scrutinize and discriminate against information people may throw at us in person, face-to-face, but as soon as the information is put into some form of communication medium, we lose our senses.
We know the guy on the street corner in New York is not selling real Rolex watches; we know the fella that chats you up on the bus is not legitimately selling prescription medications. Even so, we are more apt to believe that these things are available on web sites, because we have it drilled into us that the world is at our finger tips, every thing can be found on the Internet.
If you want to get down to brass tacks and point fingers, WE are to blame for the folly of those who surround us. Yes, WE are to blame. Because WE chose to learn and understand and ignore the plight of those who have not. WE are the shop class instructors letting the uninformed use the table saw without proper instruction and then blaming them when they lose fingers. It is our responsibility to educate and inform others why what they are doing is wrong -- and in many cases we even get paid for doing so.
And I do not mean that using Windows is wrong, but that clicking on email links without thorough scrutiny -- or even at all -- is wrong; that blast-forwarding unconfirmed rumors is wrong; that not understanding that the bank will never send an email and tell you to go to a site and enter all of your vital statistics (and if it does, then you should run like hell, anyway.); that the use of semicolons is ill-advised.
I find it amusing that some of us will take the "duty" to throw out Mom and Dad's Windows PC and replace it with a Linux or Mac box, then walk away pleased with ourselves over the "service" we have just done. When, in fact, the "service" we should be providing is education. It does not matter in front of what box Mom and Dad sit, without the proper knowledge, they are still vulnerable to phishing schemes and exploits.
Really, these so-called idiots out there are mostly just uninformed. Some non-BOFH-type PFY handed them a computer at the WorstBuy, CompUSELESS, or Radio Shanty, without taking the short amount of time it takes to instill a small bit of cynicism over unsolicited or unexpected information and requests. There were no pamphlets at the store explaining how email can be as dangerous as a phone call from "your phone company" or "your bank." Most of these people CAN be taught and guided.
And the ones that cannot will be eliminated one way or another, but of course not before making complete and utter asses of themselves.
... of where the Terrorists won.
Ironically, phishing sites won't block users using "unsafe" browsers, which just makes them more user-friendly than paypal.
There are four scenarios, assuming we agree on what "safe" is.
The immediate result only affects scenario 2, so there will be some loss of business.
In the long run, PayPal expects users who hit scenario 2 to switch to a safe browser. And PayPal is big and important enough (whether we like it or not) for a reasonable number of users to make the switch.
It is...
Not only does it make more money for verisign, but it also raises the bar for retailers so that smaller shops can't afford the same certificate, and thus look to be "less secure" than their larger competitors.
A green bar means nothing, what's really needed is for users to make a white list of the sites they use, then when they visit a scam site it will say "this is a new site you've never visited before" as opposed to "this is paypal, one of your frequently visited sites"... The browser can tell the difference between www.paypal.com and www.p4yp4l.scam.cn, it just needs to communicate that to the user in a sensible way. Users need educating too, I can't believe people are still stupid enough to try logging in to paypal when the url bar contains something completely different.
Also, it should be impossible to change the status bar (that shows where a link points when you hover over it) and mail clients should ALWAYS do something similar, hyperlinks in html can say one thing but point somewhere completely different, and html mail clients are a lot worse at telling that to the user than browsers.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
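The two checks the commenter above asks for (a "never visited before" warning against a personal whitelist, and a mail client that tells you when a link's visible text disagrees with where it actually points) are straightforward to state in code. The following is an added example, not code from any browser, mail client or from PayPal; the HTML message, the lookalike host `www.p4yp4l.example` and the `KNOWN_HOSTS` set are constructed here for illustration.

```python
"""Flag HTML-mail links whose shown text and real target disagree, and links to
hosts the user has never visited. Added example with constructed sample data."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: a personal whitelist of hosts the user actually uses.
KNOWN_HOSTS = {"www.paypal.com", "www.ebay.com"}

# Constructed phishing-style message: the anchor text shows a PayPal URL,
# the href goes to a lookalike; the second link is a genuine one.
SAMPLE_MAIL = """
<p>Your account has been limited. Please confirm your details at
<a href="http://www.p4yp4l.example/login">https://www.paypal.com/login</a></p>
<p>Or <a href="https://www.paypal.com/">visit PayPal</a> as usual.</p>
"""


def host_of(url_or_text: str) -> str:
    """Lower-cased host of a URL; bare 'www.example.com' text is accepted as well."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Visible anchor text that a reader would take as an address: has a dot, no spaces."""
    return "." in text and " " not in text


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, known_hosts):
    """One finding per link: does the shown host differ from the real one,
    and is the real host one the user has never visited?"""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if looks_like_url(text) else None
        findings.append({
            "href": href,
            "text": text,
            "target_host": target,
            "mismatch": shown is not None and shown != target,   # text says A, link goes to B
            "first_visit": target not in known_hosts,            # the "new site" warning
        })
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_MAIL, KNOWN_HOSTS):
        flags = [k for k in ("mismatch", "first_visit") if f[k]]
        print(f"{f['text']!r:45} -> {f['target_host']:25} {', '.join(flags) or 'ok'}")
```

The host comparison is deliberately exact: a whitelist keyed on the full host name is what lets the client say "new site" for www.p4yp4l.example while staying quiet for www.paypal.com, which is the distinction the comment says the browser already knows but fails to communicate.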