PayPal Denies It Will Block Safari

Despite reports that PayPal may drop support for Apple's Safari browser because it lacks anti-phishing features, PayPal now says it ain't so. Though PayPal telegraphed displeasure with Safari last January, they're now unambiguous about their position: "We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website."

Current versions?

[calebt3]

So up-to-date Lynx, Links2, Dillo, etc are all perfectly acceptable?

Backpedaling faster tha you can say...

[Fluffeh]

Wowsa, that change is quicker than it takes the read the following:

Previous: "We know better than you do about what you should and shouldn't be using, so we will stop you possibly getting yourself into trouble."

Current: "Wow, there are so many of you that are quite happy to be wrong that we think you better be allowed to get yourselves into trouble."

My interpretation: Right or wrong, the masses will always win it seems.

Re:Backpedaling faster tha you can say...

[Fluffeh]

There were quite a few indications that Safari would have been included in the list of browsers that no longer were supported:

Ars link
Anti Phishing Block

So, the general meaning of "so we will stop you possibly getting yourself into trouble" really wasn't wrong. Just because you don't type it in with black and white fonts doesn't mean you don't mean it.

"Lets put this out and check public reaction before we make it 100% official.

People still use Paypal?

I closed my Paypal *and* eBay accounts when eBay said you HAD to accept Paypal in order to sell stuff and Paypal said they would hold payments for 21 days. Hated to see all that positive eBay feedback go, but I don't like being dicked around by corporate bozos.

There are so many other alternatives to Paypal that I don't see why people bother with it.

Re:People still use Paypal?

[dgatwood]

If/when they do this in the U.S., I will stop using eBay. I'm no longer gong to deal with PayPal after the fiasco on a group buy I've been involved with.

Backstory: A bunch of us on a home recording bulletin board set up a group buy to purchase microphones, preamps, shock mounts, etc. from a manufacturer in China. This is about the third or fourth group buy organized by the same person, so his reputation is darn near unquestionable.

After order taking was done, we got sabotaged. Someone (who we strongly suspect works for a company that imports from this vendor and sells at a huge markup) signed up for a Yahoo email account and joined the group buy and requested a small item. Once about 10% of the people had paid their invoices, this person paid for the item, then sent in a claim to PayPal. The problem is that this person claimed to be a member of a bulletin board, yet that person has never been a member of the board in question. So basically the whole complaint was one giant fraud, and we're pretty sure we know who did it, as they have tried to sabotage group buys in the past....

Since the complaint was filed, PayPal's story keeps changing. First, they said that the person claimed he hadn't received an invoice, which is absurd, but easily rectified if the person had contacted anyone involved. Next, PayPal provided lots of details about how the group buy worked (way more than you would normally expect) and said that it wasn't a type of transaction that they wanted to deal with. That I could believe, but it isn't a violation of their TOS as best I can tell. Finally, they claimed that someone had claimed the product was "not as described", which is pure comedy since the manufacturer hasn't started making the products yet. Basically one half truth after the next (and even that half is giving PayPal the benefit of the doubt...).

After about a week of this crap, PayPal finally released everyone's funds. Fortunately, this time, one of the people they were screwing was friends with a highly placed executive at PayPal, so we had some leverage to get the situation expedited and get our funds back in a timely fashion. The last time PayPal screwed over a group buy, it took several weeks before we got our money back. (Yes, these dirty tricks have happened before thanks to a certain company who will remain nameless at least until I can prove it was them---if anybody in Yahoo's mail team would be willing to help with this, you'd have about 400 fans for life....)

Unfortunately, however, the person who set up the group buy had received another payment for an unrelated sale and needed the money to pay his taxes. His account is frozen for something like six months, after which he'll get his money and his account will be closed... all because of a single complaint by someone who could not provide one shred of documentation of any communication with the seller prior to filing the complaint.

Having seen how PayPal treats sellers, I'm no longer inclined to do business with PayPal. If I can't trust them to hold up their contractual obligations and do so in an equitable and reasonable fashion, then why should I trust them with my hard-earned money? I'm not protected any better than I used to be back when eBay sales all happened with cashier's checks, so why should PayPal be getting a cut if they aren't providing any real additional protection for the transaction?

At this point all I can say is this: PayPal Sucks, and if you deal with them long enough, you will eventually get burned. It's just a question of when.

Re:People still use Paypal?

[SirJorgelOfBorgel]

Yup, PayPal definitely sucks.

I run a business, about a month ago we started to accept PayPal as payment (while waiting for our own merchant account to clear). We made about $17k in a week. We transferred the first $7.5k to our bank account (thank god!) after a day or two. After no more than seven days, PayPal closed our account, without giving any reason.

After having our lawyer write some letters to them (they didn't respond to us ourselves at all), and PayPal giving several different and evasive andwers, it came out that the 'contact person' for our business account had once ordered something of an erotic nature with PayPal, and that is against their agreement.

Now, several things are wrong with that. I won't go so far as to say that person has never bought erotica, I don't know and really don't care. What is definitely wrong with that, though, is that said person has only made two PayPal payments in his life and they weren't related to erotica (yes I am sure of this). Furthermore, PayPal mentions accounts that do not actually exist and never have. It's complete BS.

What else is wrong with that, how the hell can they close a business account because they do not like the contact person's personal account. Since when is a company responsible for their employees' private actions? What's worse, their allegations aren't even true.

So now PayPal is sitting on $10k of my money I desperately need, without a valid reason. They refuse to clear it, they refuse to discuss it. They have even refused giving us the 'offending' transaction details (how the hell can we dispute anything if we don't have access to the data?) - lawyer is dealing with that, though.

All in all, the money, the lawyer costs, the lost customers, reputation damage, etc, are now easily more than a $50k loss for us.

Should you read this and be a no cure no pay type lawyer (hey, PayPal got my money) in the UK, feel free to drop me a line so we can talk about sueing PayPal's pants off (our company lawyers cannot help us there, as PayPal Europe operates under English law and we're not from England).

Hey, I thought it wouldn't happen to me. But yeah I got burned. Doing business with PayPal is an accident waiting to happen...

Re:PayPal does treat some browsers differently

[Auckerman]

My suspicion is that when PayPal deals with browsers that are not "up to snuff", there will be differences in behaviour and additional back-end security measures that may not be used with "approved" secure browsers. But I doubt they will disallow any modern browser entirely.

The real question is what exactly does this do for "security". Anything that PayPal does on their end will have no affect on phishing sites. All current web browsers, regardless of how PayPal treats them, will function with phishing sites just fine. Any user that falls for a phishing scam is just going to think, "cool PayPal works again". I see no point in blocking a web browser unless for some ungodly reason, the phishers blocked those browsers too.

Re:Are you sure?

[Hal_Porter]

I wonder if you could make a OS X exploit that works on both ARM and x86. You'd need to find a sequence of four bytes that was a NOP or something harmless on one architecture and a jump on the other?

I was thinking of something like this

0x67 0xE9 Lo Hi

Which is a jump rel16 on x86, overriden by the address size prefix. On a little endian ARM this looks like this

0xHiLoE967.

Now if rel16 was negative and between 0 and -256 I could make it Hi=0xFF. Which used to mean NV, i.e. the instruction would be a NOP regardless of the other bits. Unfortunately NV is deprecated and the instruction space is used for new instructions. Which makes this code harder to write. It's probably possible though.

Re:PayPal does treat some browsers differently

[RiotingPacifist]

They might download something so it doesn't break, but go back to whatever they wanted to use in the first place. People do that you know. But in that case paypal has made them make their browser secure.

You do make a good point, but the people that get hit most by phising are those that dont even know what a browser is, the kind of people that will phone you up with such useful complaints as "paypal is broken, what do i do?". These people will have a friend "fix paypal" like this, and wont even know what's happened.
The next most affected people are People who do understand thier browser but dont know about phising, this will not protect them, but hopefully this will cause apple to fix their defective browser where it matters instead of work on ACID3
The least affected people are the slashdot crowd that can argue about reading address bars and the have always checked the site for a padlock.

While not perfect this does help a lot of vulnerable users, at little cost to the rest

Re:Too late, CTO should resign

[Ilgaz]

Well here are facts. One of least popular (if popular at all) extensions for firefox is the EV certificate thing. They (Verisign) couldn't even make it work right. Phishing prevention is one thing, selling your soul to Google and send them every single URL (including the page part) you visit is another. There are Paypal phishing pages which are up for DAYS as you can see from http://www.phishtank.com/ which they (as they are mega corp) can call the countries police chief directly from his home phone and get site raided. If you get thousands of dollars stolen from your paypal recorded CC (never do it!) your support mail ends up in some typing/template monkey at Bangalore.

Also, another fact: Never, ever call a system default browser insecure if you are CTO of a high profile company like Paypal. Get the damned source from www.webkit.org , code and mail/call Apple "We think Safari would be better with EV certificate checking, here is the code you can review internally."