PayPal Plans To Ban Unsafe Browsers
Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month.
"'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".
Dear PayPal User:
After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/.
PayPal apologizes deeply for the inconvenience.
Safari for Mac:
Preferences > Advanced > "Show Develop Menu in Menu Bar"
Develop > User Agent > Firefox 2.0.0.12
Suck it > Paypal
Are you nuts?
"We're sorry. You're not using IE. And if you are using IE, your IE configuration isn't permitting us to run the MegabanX proprietary ActiveX control that our conslutants [sic] told us would eliminate all our liability. Please enable ActiveX support in order to continue banking with us, or turn off that Netscape thingy and upgrade to IE4.0 and resize your window to 800x600 while you're at it."
Forgive me for the sarcasm, but I had to switch banks twice because of that sort of crap. Think back a few years. The last thing any of us would have wanted "since they introduced internet banking" was our banks doing User-Agent and Javashit-based snooping on our configuration.
Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?
Paypal is hyping Extended Validation certificates after Netcraft posts articles like this:
Extended Validation certificates and XSS considered harmful
Curious if nothing else.
Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.
Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?
Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)
How about the other way around? Have safe browsers ban PayPal!
And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - i.e. how can a user know the email is real, it's not encrypted, etc.
Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.
Ron
If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.
I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.
Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is not and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...
More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about use that to show critical information in the certificate, like the CN?
Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".
But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
...but the head of the International Phishers Guild says that all of their sites will continue to work with any browser you want. Spokesman Anome Smith says "We will not be following Paypal's lead on this. Popular phishing sites like www.payypal.com, www.paypa1.com, and 192.168.178.287/paypal will all continue to work with any browser you please."
Paypal not letting you in?
Have no fear.. with paypalproxy.com you can use any browser to access your account.
--
So long and thanks for all the phish.
Yes. Go to http://turbotax.intuit.com/freedom and pretend you want to file your taxes there. Understandably, you need to enable cookies/javascript. But then what happens? "Your browser is not up to date" it says. "Please install Firefox 1.07, IE 6, or Netscape 8 on Windows, or some other stuff for Mac."
Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*
So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.
This Apple and Linux user blocks Paypal as unsafe.
And WE used to educate them every September. That is until AOL based their business on getting everyone to connect to the internet without bothering to properly educate them.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Dear god in heaven, please let it be so!
John
What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"
We have those now. They are administered from a testing center in Nigeria. If you fail, your internet is soon cut off for non-payment.
I find your ideas intriguing and wish to subscribe to your newsletter.