What. The. Hell. PayPal. So, just because you ragged on Safari for not having anti-phishing features, you’re going to block them from your site. We have a word for that, but it’s not printable on this blog, so use your imagination. No, worse than that. There you go.
At last week’s RSA security conference, PayPal (which, in case you were unaware, is owned by the folks at eBay) Chief Information Security Officer Michael Barrett presented a paper (PDF link) on the topic, filled with choice analogies like this:
"Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts."
I’m not trying to begrudge the seriousness of identity theft in today’s world, but that seems a little extreme.
According to Barrett, there are two features that web browsers must have in order to pass muster: blocking known or suspected phishing sites, and support for Extended Validation certificates (a kind of uber version of the SSL certificates most merchants use). Those on non-compliant browsers, such as Safari, will first be warned, then later blocked.
From my experience, PayPal and eBay are both commonly used in phishing emails, so I can understand why they’re eager to institute more security. But putting the burden on browsers to comply with safety regulations seems a little bit like passing the forged buck to me.
Think I’ll go see what Google Checkout is up to…
I was able to log in with Safari 3.0 just a minute ago. When do these rules go into action?
Someone tried scamming me just a few weeks ago. I don't think it was because I was using Safari.
http://www.wesg.ca/2008/03/how-i-avoided-a-potential-ebay-scam/
What kind of 'ed up reporting is this? I just checked paypal and it works fine on Safari 3.1.1.
Or is it that they have changed their policy again?
In any case, I do think Paypal has a right to block a browser if they think it will lure their customers into getting scammed. They do after all want customers to get a sense of security, and people getting scammed is not what they want people to hear in the news. I think Apple could easily make the bar turn yellow or whatever other colour they want to when there is a security certificate involved.
I have a solution; quit using PayPal. I don't use it and get along just fine without it. If someone I want to buy from lists PayPal as the only option, I go somewhere else or do without.
I think you missed this part: "Those on non-compliant browsers, such as Safari, will first be warned, then later blocked."
They haven't given a timetable yet, though.
Rather than not using Paypal, I've got a better solution: use a better browser.
Try Firefox (or even Camino, if you prefer).
I think this is the last gasp of a company that has been killed by spam. The idea of building anti-phishing technology into browsers is sound. Strong-arming companies into doing it strikes me as being a bit short-sighted. The way this is being handled makes me think negatively of PayPal. I doubt I will find an opportunity ever to do business with them again. In fact, this may give me the impetus to change several clients who do rely on PayPal over to Google or something.
Dan: I think you missed this part: "Those on non-compliant browsers, such as Safari, will first be warned, then later blocked."
My mistake. Didn't quite get that on first glance.
Damn, that first paragraph needs a rewrite.
As for passing the buck, I don't really see what PayPal is supposed to do. If you click a link to a site that looks like PayPal and are stupid enough to enter your information, what can PayPal do? Of course blocking browsers won't help. I'm guessing people won't change their default browsers because of PayPal. They'll use a different browser when they need to. Then when they click on a phishing link... their default browser will launch. Oops.
http://www.paypalsucks.com
http://www.paypalwarning.com/
Why use PayPal if it is going to be a horrific experience? Maybe this needs to be fixed first.
Wouldn't it be nice if Safari evolved the way languages do?
It's great for Paypal to say that they're protecting "the customer" by banning non-secure browsers from their site, however, the idea of EV is to let "the customer" know whether they've made it to their site or not, right? So a person surfing to their site, intending to get to their site, gets there but will be BLOCKED because the browser bar doesn't turn green acknowledging that they got to Paypal's site? How stupid is that?
I'm not knocking EV - I think it's worthwhile, and anything to beef up security, particularly where online transactions are concerned, should be applauded. But why block legitimate customers? Is it because you can't (or won't?) find a way to block the thieves and criminals, or are you suggesting that most phishing occurs using Safari and other "non-compliant" browsers? Good luck with that...
Hey, maybe this could work to our (Mac users) advantage - if you arrive at a Paypal site after the embargo is in place - DON'T USE IT!!!
@David Johnson Here in Australia, eBay have stopped sellers from using anything other than PayPal for payment processing. We've got no choice but to use PayPal!
Wouldn't trust PayPal. I tried to change my email address to a new one; they told me it was already in use despite only getting it 30 mins before? So I requested they send me my password via email.... This arrived, only when I logged in it was for someone with my name living in Canada. I could access all transactions... so I closed his account down as it was linked to my email. Despite contacting PayPal they have to date refused to comment on this... despite numerous requests... so be warned.
Where is the beef?
Microsoft has been trying for years to force all users to the 'latest and greatest' version.
Sounds like just another attempt to dictate what users can do on the 'open' web.
Here is a real simple solution and one that I prefer as I HATE PayPal. Anyone that charges me 3% for using their horrific services deserves to be abandoned. Try out Revolution Money Exchange. They are terrific and best of all, FREE. They don't nickel and dime you like PayPal does. Their website is https://www.revolutionmoneyexchange.com/Login.aspx