PayPal Plans To Ban Unsafe Browsers

Soulskill posted about 6 years ago | from the we-are-the-boss-of-you dept.

Security 367

Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren't using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal's warning about the Apple browser last month. "'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."

367 comments

What If?... (5, Insightful)

Slashdot Suxxors (1207082) | about 6 years ago | (#23113334)

Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".

Sounds about right. Root Cause Ignored. (3, Insightful)

twitter (104583) | about 6 years ago | (#23113366)

I don't like to blame the victim but who clicks a link in an email? Really. Any site that makes it hard for me to get things done from their front page does not deserve my business, so I'll never follow the phish. The reason people still fall for this stuff is because copyright warriors and other IPtards make browsers and sites more complex than they need to be.

If Iceweasel and Konqueror are not on their "safe" list, I won't be able to use them even if I want to. Either the EWeek author or PayPal is clearly clueless because they used the words "safe" and "IE" in the same sentence, so their elimination of safe OS would not be a surprise. The world won't really be safe until insecure OS and the spam they generate are eliminated. Even then there will be stuff that trickles through.

LOL. (-1, Flamebait)

gnutoo (1154137) | about 6 years ago | (#23113380)

Would they really block Apple and GNU/Linux users as "unsafe"?

Re:LOL. (5, Funny)

Anonymous Coward | about 6 years ago | (#23113390)

Rob Malda has barely made any effort to fully describe the process of selecting Slashdot moderators. What little information that has been supplied is an outright lie. The story of Malda's moderation system is far more insidious than merely separating wheat from chaff.
Last night, as I leaned over to give my Natalie Portman poster a tender kiss goodnight, I was psychically cast into a hypnotic trance. While entranced, my spirit guides delivered unto me the tale of the Slashdot moderators. Prepare to have your faith in Mr. Malda and moderation shaken to the core.
Difficult as it is to believe, Rob Malda was an outcast teenager. He did well in some of his classes, but was terrible with English. As is so often the tragic case today, his teachers passed him anyway, just to get rid of him. Since Malda had no real life, he spent much of his time on the computer (of course), and watching the public-access cable channel. It was there that Malda heard of the mysterious Mongolian Monks.
Malda was watching his favorite talk show, "Elizabeth Claire Prophet." The guests that night were a group of monks based in Mongolia. The monks described how they had been travelling to China to trade some of their cute teen daughters for Natalie Portman memorabilia. The monks had travelled no more than three days when they noticed a brilliant light in the daytime sky. The light grew larger. And larger. And larger. Soon the sky was completely hidden, from horizon to horizon, by a giant metallic disk.
The monks were taken aboard the craft and placed under some sort of alien mind-control. There, they were given the deepest possible insights into the nature of man, the universe and God. A week later, the alien beings returned the monks to the Earth and vanished forever.
The monks considered the area holy ground and constructed a new temple there, not bothering to return to their old monastery. They took their daughters as wives and began their own commune of worship, based on the teachings of the aliens. The monks practiced meditations which unleashed powerful spiritual forces within them. As the wives bore children, the community grew.
Malda was intrigued by the spiritual insights received by the monks and excited by the idea of incestuous pleasures. Unfortunately, the monks had no internet connection and so Malda could not email them. Without hesitation, Malda booked a flight and left for Mongolia. The plane ride was long and tiring, but his curiosity kept him driven.
After a month of searching, Malda finally located the commune. Initially, he kept a safe distance, for fear of rejection. He studied the monks from afar. Malda had heard stories of the monks' bizarre meditations, which gave them extraordinary powers. Malda was somewhat skeptical of these stories at first, until he saw the truth first-hand.
In the week that Malda studied the monks, he witnessed the breaking of every natural law. He was astonished as he watched the monks levitate, create pockets of lush weather within the commune and communicate with spirit forces. Malda grew more and more excited and he devised a plan for meeting them.
Malda knew the monks would respect him if he could display his own "magical" powers. He was determined to win their confidence, and he had with him all of the necessary tools. He approached the commune confidently. The monks greeted him with skepticism at the gate. Malda took a deep breath and began his show.
Using an AIBO, a can of Jolt Cola and an inflatable sex doll, Malda shocked the monks with his display of magical powers. The monks accepted him into the commune. Malda's head was shaved and he was given a robe and a room. The monks warned Malda to stay away from their daughters-wives.
The monks methodically taught Malda the word of the great messengers. He learned eagerly at first, but soon grew bored with his life in the commune. Malda's life was further stressed when his blow-up doll suffered a puncture-wound and became useless. A few days later, his AIBO's power dried up. With no pet and no woman, Malda slowly grew crazed.
Malda had hit rock-bottom. His penis chafed from dry-hand masturbation and the cold, dry climate. One dark night, he snuck into the kitchen and convinced one of the daughter-wives to join him in his room. Malda was quite relieved that he would finally get some female tenderness... for the first time in his life. He was so excited, he almost closed the deal prematurely.
Unluckily for Malda, the daughter-wife's father-husband was expecting her in bed at that particular moment. The women were expected to be with the monks at a very specific time for retirement. The monk went on a violent rampage throughout the temple, ending with Malda's room. He flung open the door to behold his daughter-wife half disrobed and laying on top of Malda. Malda looked up at the monk and gasped. The daughter-wife giggled.
The monk unsheathed his sword and the daughter-wife was beheaded on the spot. Malda kicked the unviable head away from him and jumped out of the bed. He backed himself into a corner, terrified. The monk approached him with the sword raised. Just as he reached striking distance he dropped the sword and collapsed, crying for the loss of his daughter and the betrayal of his adopted son. Malda was dishonorably discharged from the commune.
Malda wandered into the forest and took shelter in a cave. He spent the next five days curled up in a fetal position, feeding on bat guano and insects. The bitterness and hatred consumed Malda. Once again, he was an outsider. He decided that this time, he would not be trampled on.
Malda wandered for three days until he came upon a small village. He entered the shop of the local blacksmith and killed the iron-worker by bashing him in the head with the AIBO. Malda crafted himself a massive machete. He took apart the AIBO and used its quality Sony components to enhance the machete with a nuclear driven flaming mechanism.
Malda returned to the commune. He took one last look at the peaceful community, then hit the ignition switch on his machete. The weapon screamed like a thousand tortured souls as it ignited with flame. Malda then inserted the rechargeable battery from the AIBO into his rectum. Malda stormed the compound, beheading all of the monks and devouring their brains, thus capturing their souls into the battery in his anus.
The sky turned the color of blood and a great storm of pestilence swept over the village. Malda barely escaped before the commune was decimated by the hand of God, thus purging the terrible evil that had been committed. His face stained with blood and his heart stained with the forces of evil, Malda returned to the United States.
Malda was crazed with power. He devised another insidious plan. He would build an army of mindless followers, which he would use to bring the world to its knees. He would use an online site for the tech-savvy elite to build this army. But he needed a way to control the chaotic masses that would come flocking to his new site. He needed his generals.
Malda prowled the streets of his hometown, enticing male prostitutes with promises of cheap crack cocaine and sexual favors. Once the prostitutes agreed to join Malda in his basement, he would tie them up and place the AIBO battery, upside down, in their rectum. He would then abuse the hapless victim with words of derision and samples of his writing.
The abuse was so severe, that the spirit of the victim would be broken and the soul of one monk would be absorbed from the battery. The resultant creature was not a man, nor a zombie. It was some pathetic monstrosity. The beaten souls of the monks were enslaved to Malda's terrible evil. They depended upon his evil powers for sustenance. Malda labelled his terrible, elite guard the "moderators."
Malda's site grew quickly in popularity and the moderators enforced blandness and conformance with a heavy hand. No good army has room for an individual. The moderators are psychically connected to Malda and know his word. That word is enforced on Slashdot. The subtle moderations effectively warped the minds of those who visited the site and grew addicted, due to the powerful evil force exuded by its words.
Today, Malda sits in his office, strumming his electric guitar, waiting for his army of darkness to ripen.

Re:LOL. (4, Funny)

piojo (995934) | about 6 years ago | (#23113520)

I have never before been so entertained by a troll/weird off-topic story. But I loved this line:

He took apart the AIBO and used its quality Sony components to enhance the machete with a nuclear driven flaming mechanism

Re:LOL. (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#23113612)

God that is so freaking cool!! I just want to know where you getting the sh*t you smokin... That must be some hardcore sh*t to give you this kind of visions.
God, the thing about the female wife-daughters living on a mongolian monastery created from a gospel sent by aliens, that is fragging coollio sh*t right there...

Re:LOL. (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#23113620)

laugh();
laugh();
laugh();
laugh();
laugh();
laugh();
laugh();
laugh();
Hi there, Mark V. No Quack Ne Never mind.
this.mod(-1);

Re:LOL. (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#23113742)

I love you.

Re:LOL. (1, Funny)

Anonymous Coward | about 6 years ago | (#23113784)

That's the most delicious copypasta I've seen on /. in months, and yeah, I browse at -1 regularly.

MOAR!

Re:LOL. (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#23113848)

Holy mother of fuck, if I had mod points, that's the funniest troll I've read in months.

We also knead moar folks upping the Scilon firehose submissions. We had the Scilons-vs-Wikileaks at "Red" for three days before Malda decided to ignore it. We had a journal entry talking about the "red rotting tomato" up to "orange", for Dobbs' sake. Let's not let that happen again. Suggested avenues of attack prone to /. firehose upvoting would include the link between Scilon Sonny Bono, the Copyright Term Extension Act of 1998, and the DMCA. Tie that in to the current campaign, and you've got win. (Yeah, May 10th is Battletoads.)

But all that shit notwithstanding... whoever came up with that story, we want MOAR!

Yes. (0, Flamebait)

Mactrope (1256892) | about 6 years ago | (#23113464)

Considering their basis for this decision is some kind of market data about fewer IE7 users abandoning their accounts, yes they would be dumb enough to block free browsers that run on more secure platforms than Windoze. The whole phishing problem is one created by M$ - it would not exist without the high percentage of compromised desktop machines that are sending out spam in the first place. IE7 is no more safe than it is standards compliant because the platform itself is easily, remotely compromised with keyloggers that report user information regardless of user activity. This whole thing is stupid.

Re:Yes. (4, Insightful)

LoadWB (592248) | about 6 years ago | (#23113504)

Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.

Unsafe for any user. (1, Flamebait)

Mactrope (1256892) | about 6 years ago | (#23113624)

So you just want to ignore the whole botnet thing that creates the opportunity to screw up? That's a bad idea because everyone makes mistakes. Some make fewer than others but everyone will fail given enough chances. This also points out the futility of PayPal's ill-advised action. The platform is insecure so their little green bandaid is not going to fix anything.

PayPal does not really have or they have chosen not to publish what browsers are "safe" based on actual fraud. Safari and other blocked browsers would not be at the top of that list, but any version of IE would and let's face it, IE 7 users are pushovers likely to get screwed. Windows itself is unsafe with any user, so the whole thing is just stupid.

Re:Unsafe for any user. (2, Insightful)

LoadWB (592248) | about 6 years ago | (#23113724)

No more than we walked away from the telephone, fax machine, and postal mail. I simply found folly in your statement that the whole phishing thing was Microsoft's fault. Put blame where responsibility falls, on people who manage important data.

Re:Yes. (4, Insightful)

Orion Blastar (457579) | about 6 years ago | (#23113656)

What next, users have to pass an IQ test to get on the Internet? That way all of the stupid people who click on email links from phishing scams before looking at the message to see if it is fake or not, will forever see "Error ID10T: User is not smart enough to use the Internet. Request denied!"

Re:Yes. (4, Insightful)

LoadWB (592248) | about 6 years ago | (#23113752)

Obviously IQ tests are not required to use the Internet, nor have children, nor drive, etc.

Re:Yes. (3, Insightful)

alex4u2nv (869827) | about 6 years ago | (#23113688)

And the reason people purchase products from large companies is so that they could offload some of the "hassle" or responsibility to the company that is hiring qualified professionals to analyze and develop the product they wish to sell.

If I, as a regular user (pretend at the moment I'm not writing this from my Linux laptop), wanted to trade my personal time to assume the responsibility of learning cutting-edge counter-phishing procedures, then I fail to see the purpose of paying for the service.

From the above statement, we could look at the underlying problem here.
We as geeks know how to avoid these problems on the internet and whatnot, because it is our everyday life. However don't expect a singer, entertainer, pilot, lawyer or mechanic.

If we could afford to, we will not change our own automobile's engine oil, even if we knew how to. So why should we expect mechanics, lawyers and any non-geek to stay on top of CERT/Slashdot and all other forms of security concerns when all they want to do is use it for basic communications and features?

It's the whole idea of specialization. People specialize in various trades, and sell services to each other.

In conclusion: When a regular user chooses to pay $xxx.00 for a Windows license instead of learning how to install and use Linux for free, it's a time and hassle investment that they're making, and not really a religious preference.

Re:Yes. (4, Insightful)

LoadWB (592248) | about 6 years ago | (#23113864)

And thusly, we purchase a service from PayPal MegaCorp and expect them to take measures it deems necessary to protect the service it provides. The bottom line is simple: this is PayPal's business, it is PayPal's right to choose how to operate it, and we can take our ball and go home. And considering how many people think PayPal is evil, anyway, this should come as neither a surprise nor a disappointment.

But I still stand firm that people are to blame for the lack of security on the Internet. The telephone, the radio, the television, the tabloids, the newspapers, books, and so on were all considered at one time a method of mass disinformation, and some still are to a lesser extent. Why else would we have phrases in our lexicon like "you can't believe everything you read/see on TV/hear on the radio"? Because people are willing to throw caution to the wind. We are more apt to scrutinize and discriminate against information people may throw at us in person, face-to-face, but as soon as the information is put into some form of communication medium, we lose our senses.

We know the guy on the street corner in New York is not selling real Rolex watches; we know the fella that chats you up on the bus is not legitimately selling prescription medications. Even so, we are more apt to believe that these things are available on web sites, because we have it drilled into us that the world is at our fingertips, everything can be found on the Internet.

If you want to get down to brass tacks and point fingers, WE are to blame for the folly of those who surround us. Yes, WE are to blame. Because WE chose to learn and understand and ignore the plight of those who have not. WE are the shop class instructors letting the uninformed use the table saw without proper instruction and then blaming them when they lose fingers. It is our responsibility to educate and inform others why what they are doing is wrong -- and in many cases we even get paid for doing so.

And I do not mean that using Windows is wrong, but that clicking on email links without thorough scrutiny -- or even at all -- is wrong; that blast-forwarding unconfirmed rumors is wrong; that not understanding that the bank will never send an email and tell you to go to a site and enter all of your vital statistics (and if it does, then you should run like hell, anyway.); that the use of semicolons is ill-advised.

I find it amusing that some of us will take the "duty" to throw out Mom and Dad's Windows PC and replace it with a Linux or Mac box, then walk away pleased with ourselves over the "service" we have just done. When, in fact, the "service" we should be providing is education. It does not matter in front of what box Mom and Dad sit, without the proper knowledge, they are still vulnerable to phishing schemes and exploits.

Really, these so-called idiots out there are mostly just uninformed. Some non-BOFH-type PFY handed them a computer at the WorstBuy, CompUSELESS, or Radio Shanty, without taking the short amount of time it takes to instill a small bit of cynicism over unsolicited or unexpected information and requests. There were no pamphlets at the store explaining how email can be as dangerous as a phone call from "your phone company" or "your bank." Most of these people CAN be taught and guided.

And the ones that cannot will be eliminated one way or another, but of course not before making complete and utter asses of themselves.

Re:Yes. (1)

RobertM1968 (951074) | about 6 years ago | (#23113798)

Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.

I am really confused... let's see. Before Windows had "Internet Access" there was OS/2 which beat them out the door with it. Once Windows got Internet access (and before Internet Explorer), there was NetCom, various other dialups and AOL... NetCom and the dialups being one of the few that brought users onto the 'Net...

Then came Netscape (etc)...

...at which time, the Internet was so in its infancy that phishing (by the definition on Wikipedia and elsewhere) did not exist or barely existed at all. There were fewer mechanisms for the more complex methods available today, and some mechanisms that existed both then and now (such as email) were in states that did not allow such things at that time.

Then MS bought Internet Explorer... then they eventually included it in Windows.

No matter how you look at it, Windows and Internet Explorer ARE the cause of phishing being as prevalent as it is.

One can blame it on the holes and lack of security in the platform or various versions of Internet Explorer...

Or one can blame it on the fact that it was due to Internet Explorer being integrated in Windows that the popularity of the Internet grew (of course, since Netscape owned the browser market at this time, that wouldn't be true)

Or one can blame it on the fact that the Internet is so popular because of a combination of PCs being so cheap and Windows dominance in the market (ie: mostly non-tech-savvy users, who are the main cause of phishing problems/exploits).

Or one can blame it on a combination of 2 or more of the above (and others I haven't mentioned) - but no matter how you look at it, phishing was not nearly the problem it is today (IF it even existed in anything we would even equate as the same thing in concept, or in definition).

Re:Yes. (1)

LoadWB (592248) | about 6 years ago | (#23113924)

I see your point, and I disagree with the basis of the argument.

Before any of what you mention there was the telephone, mail, fax machines, and more. Fraud schemes abounded long before phishing as we know it today, but the principles were the same: find some way to extract enough useful information from the mark. Phishing is the technological evolution of social engineering, and on a grand scale.

Additionally, in the past when scam spam was rampant, the thought of a botnet was just barely formulated. Such emails were blasted out via open relay mail servers, poorly programmed web forms, free email services, off-shore hosting, and the like. I will not argue that the botnets have not made sending the emails exceptionally easy and avoiding them exceptionally difficult, not for a second, and will cede that without the botnets the flood would be a lot more shallow. I simply cannot subscribe to the notion that Windows botnets are completely to blame for Internet fraud.

Until I see reliable data which breaks down phishing victims based on operating system and browser, I reject the notion that any one group is responsible for the existence of the phishing problem. Except for the criminals who have mastered and continue to develop its attacks.

Re:Yes. (3, Informative)

willyhill (965620) | about 6 years ago | (#23113746)

Anyone moderating this thread should be aware of the fact that twitter == Mactrope == gnutoo == Erris == inTheLoo. A little army of sockpuppets.

More [slashdot.org] information [slashdot.org] here [slashdot.org] and here [slashdot.org].

Re:LOL. (5, Interesting)

fluffman86 (1006119) | about 6 years ago | (#23113720)

Yes. Go to http://turbotax.intuit.com/freedom [intuit.com] and pretend you want to file your taxes there. Understandably, you need to enable cookies/javascript. But then what happens? "Your browser is not up to date" it says. "Please install Firefox 1.07, IE 6, or Netscape 8 on Windows, or some other stuff for Mac."

Wow...please install these out-of-date or defunct browsers. So I contacted tech-support to let them know their page was broken, and they actually took the time to *link to the firefox 1.0.7* page, which says it's the most up-to-date version of firefox. When you click the download link, it takes you to mozilla.com where you can download firefox 2. *facepalm*

So after a bit of googling, I found the user agent for firefox 2 on windows (firefox 3's windows user agent *still* wouldn't work) and plugged that into the User Agent Switcher extension. TurboTax worked like a charm after that! All I had to do was lie and say that I was using Firefox 2 on windows instead of firefox 3 on ubuntu.

Re:What If?... (4, Funny)

Frankie70 (803801) | about 6 years ago | (#23113472)

Instead of having to force PayPal users to use only specific browsers, they educate the consumers on safe browsing habits and not blindly clicking on "OMG SEND ME UR CC NUMBER AND BANK DETAILS LOLOL".


Wow. That's a rather clever strategy. I wonder why no one thought of it earlier.
I think they should just get all paypal users to assemble one day (may be in the Arizona
desert) and then teach all of them what you suggested.

Thinking more about it, maybe they should not just restrict themselves to Paypal users -
they should just assemble all internet users & teach them these things.

Re:What If?... (4, Funny)

csnydermvpsoft (596111) | about 6 years ago | (#23113762)

I think they should just get all paypal users to assemble one day (may be in the Arizona
desert) and then teach all of them what you suggested.


Send out a spam like this:

"I am the widow of a wealthy Arizonan entrepreneur. I am in need of assistance in transferring large sums ($153m) of money. Your help is appreciated. Meet me at the Tucson desert state park at 8:00 in the evening on April the 19th to complete the transaction. I will give you 25% of the money as a reward for your assistance."

Also:

"Your PayPal account has been deactivated! To reactivate it, you must come to the Tucson desert park at 8:00 PM on April 19. If you do not proceed, your account will be permanently closed!"

That should get all of the people in need of such education to show up.<g>

Re:What If?... (5, Insightful)

causality (777677) | about 6 years ago | (#23113508)

Because whenever scammers come along to make stupidity more painful, we focus only on the fact that the scammers do this for their own short-term personal gain. Therefore, we lose sight of what happens to any community when all standards are lowered, no one is expected to think for themselves or make informed decisions, and causes (large number of clueless users) are confused with effects (criminals who take advantage of that cluelessness). It's easy for people who cannot separate their emotions from their intellect to get caught up in the outrage at parasitic people who profit from this situation and completely ignore why such scams are so successful in the first place.

Unprincipled people apparently need a fire under their ass before they will willingly broaden their knowledge, expand their experience or otherwise understand anything beyond the superficial level. To me that's quite a shame that they really seem to consider learning, an appreciation for self-reliance, and thinking for yourself to be terribly hard work to be avoided at all costs, rather than a journey of discovery that makes life much less routine and much more interesting. At any rate, if the goal is to remove all incentive to ever actually understand the tools (computers, networks, etc) that we use each day, we are on the right track.

As the saying goes, "A fool and his money are soon parted." Anyone who uses what he does not remotely understand and expects consistently good results qualifies as a fool. For some reason, when a computer is involved this commonsense concept is completely ignored.

Now cue the apologists and their thousand excuses for why literate individuals with no learning disabilities should not be expected to understand the basic concepts behind tools that they decided, of their own free will, to use on a daily basis. It's willful helplessness, plain and simple.

With the increasing social acceptability of this kind of victim mentality, the idea that you are responsible for your own well-being is apparently rather threatening to many people. This is obvious because they tend to give angry emotional responses instead of well-reasoned arguments explaining why they believe I am wrong.

Re:What If?... (4, Insightful)

rtechie (244489) | about 6 years ago | (#23113740)

People who fall for phishing scams are not stupid. They are often very smart people. Mere general intelligence is no defense against scams. Even being a scam artist or security expert yourself isn't a guarantee because NOBODY has encyclopedic knowledge of every scam in human history. If they run across a scam they're not familiar with they're just as vulnerable as "stupid" people.

Knowing how to use the tools offers no protection against scams. Knowing how to use a telephone does not protect you from callers that contact you and attempt to scam you. Knowing how to open a door does not protect you from people who come to your door and try and scam you.

You have a "blame the victim" mentality. It's clearly the fault of the stabbing victim that he got stabbed. He should have jumped out of the way. It's willful helplessness, plain and simple.

Scammers existed long before computers. If you created a free tool that would 100% stop all phishing under all circumstances the scammers would just switch to a different scam. The PROBLEM is the scammers. Period. Crime is the fault of criminals, not the victims.

Re:What If?... (1)

zappepcs (820751) | about 6 years ago | (#23113786)

I think of myself as a bit above average when it comes to computers and the Internet. I remember the first time I saw mosaic :)

In the early days of phishing, every now and then there would be a confusing but authentic-looking email from one of my financial institutions. Long after I started ignoring anything sent to ME from an institution, they stopped sending out stuff.

Now, if you are smart, ignore anything, log in and get your email messages from the system itself. Much safer that way. Yes, there is man in the middle, but much safer than clicking through someone else's proxy.

Even the intelligent can be confused or in a hurry and not paying too much attention.

Re:What If?... (5, Insightful)

Anonymous Coward | about 6 years ago | (#23113886)

Grandparent is not equating being a victim with being stupid, but with being ignorant. Unfortunately in most cases, ignorant by choice. Notice he said "literate individuals with no learning disabilities" should take responsibility for understanding what they are doing online. I imagine he, like me, would have more tolerance for the truly stupid who are literally incapable of doing any better.

If you understand the basic concepts of how the internet works and apply critical judgment in your transactions, you don't need to have encyclopedic knowledge of every scam in human history -- that's the whole point.

Grandparent also predicted that some would give "angry emotional responses instead of well-reasoned arguments." Nice job proving him right.

Re:What If?... (1)

Nefarious Wheel (628136) | about 6 years ago | (#23113792)

For some reason, when a computer is involved this commonsense concept is completely ignored.

Disagree a little here. I don't believe a computer is necessary for common sense to be ignored, just an endocrine system.

Re:What If?... (1)

dmadzak (997352) | about 6 years ago | (#23113534)

What planet are you from? Do you really think phishing, spam, and viruses will be stopped with an education campaign?

Overall people are trusting and think that the bad things they read about will never happen to them. You can educate them up the wazoo, but you won't change their mindset.

Consumers view it as the company's job anyways to solve all of the above problems. If a consumer gets their information stolen they first blame the company instead of the phisher.

And finally the funny thing is by doing this, paypal will probably run the most effective campaign for security by forcing users to confront the issue. Of course they will just switch browsers and still will be easily scammed, but at least they were warned first.

Re:What If?... (1)

causality (777677) | about 6 years ago | (#23113790)

What planet are you from? Do you really think phishing, spam, and viruses will be stopped with an education campaign?

With an education campaign? No. A campaign is precisely the sort of one-to-many communication that presumes that your education (and therefore your well-being) is someone else's job. Did you not read my post? That needless dependence on someone else to look out for your own interests is exactly what I am against. It is the one thing that makes all the other problems possible, which is why the issue of whether PayPal should ban certain browsers based on features is a phony debate.

Overall people are trusting and think that the bad things they read about will never happen to them. You can educate them up the wazoo, but you won't change their mindset.

You're absolutely right. That's why I said "a fool and his money are soon parted." That's why I don't feel a shred of pity for people who refuse to take responsibility for their own experience and therefore end up getting screwed. Again, did you not read my post? If you did, I do not believe you understood it since you're exhibiting exactly the sort of knee-jerk reaction I hinted at. It's not like internet fraud is some obscure unheard-of subject. Some people (I would argue the smarter, wiser ones) can read about those bad things and learn from the mistakes of others. Other people (unfortunately this seems to be the majority) go on being too trusting and have to get screwed over before they decide that perhaps being such an easy target was a bad idea. Both scenarios are perfectly fine, since the individual involved has complete control over which one happens to them. Completely fine, that is, until folks with good intentions and no understanding of the Law of Unintended Consequences come along and tell the clueless that they are 100% pure victims and that what happened is not related in any way to their poor decision-making.

Consumers view it as the company's job anyways to solve all of the above problems. If a consumer gets their information stolen they first blame the company instead of the phisher.

Here, you are really just restating my point that people seem to think that their well-being (financial in this case) is someone else's responsibility. For as long as they believe this, they will continue to make poor choices and will continue to be naive, easy targets for these types of scams.

And finally the funny thing is by doing this, paypal will probably run the most effective campaign for security by forcing users to confront the issue. Of course they will just switch browsers and still will be easily scammed, but at least they were warned first.

With this statement you seem to agree with me that protecting people against their own stupidity is not within PayPal's power. In fact, no company has that power -- the best they can do is damage control and that's a far cry from prevention. Guess who does have that ability? That's right, the people themselves.

Indeed, this has a decent chance of creating a false sense of security. This is especially true when you consider that phishing is only one method used by scammers. Like I said, there are (many) people who have good intentions and a poor understanding of the Law of Unintended Consequences ...

Re:What If?... (1)

davidfromoz (801492) | about 6 years ago | (#23113552)

You mean all we have to do is stop users from clicking on deceptive links?

It sounds so simple, why didn't anybody do this before?

The fact is users have already proven they can't learn to avoid these scams. And it's getting harder, not easier to avoid them. One day it might be me who falls below the geek intelligence threshold and becomes the victim. Hats off to Paypal!

Of course if they restrict my browser of choice, I'll have a choice to make. I'll either use a different browser or use another online payment method.

Re:What If?... (1)

TheSpoom (715771) | about 6 years ago | (#23113700)

Because PayPal's real reason for doing this is to extend the ways that they can keep you from withdrawing your money from your PayPal account, because they get more interest on it the longer it's in there.

This is why I'm very careful whenever someone wants to pay me a large amount via PayPal. I usually prefer a check or direct deposit.

PROTECT YOUR PASSWORD (1)

hendridm (302246) | about 6 years ago | (#23113780)

I received the following at the bottom of a message from PayPal confirming a funds transfer:

"PROTECT YOUR PASSWORD

NEVER give your password to anyone, including PayPal employees. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account."

Education? Hardly a solution! (1)

v(*_*)vvvv (233078) | about 6 years ago | (#23113884)

3 reasons:

1) It takes time and effort for everyone involved

2) There will always be people who don't get it

3) There will always be newcomers

Yes, "knowing" is a good thing. However it is something the educated often take for granted because they believe the problem only applies to the uneducated, and they aren't the ones responsible for the education. Well, if it did apply to you you would be "surprised", and if you had to do the teaching, you'd try and think of something else once you realized what a waste of time it was.

Still vulnerable to phishing... (5, Insightful)

daeg (828071) | about 6 years ago | (#23113344)

Dear PayPal User:

After much consideration, we've determined that your browser is safe again! Please log in at http://127.0.0.1/some/unsafe/address/ [127.0.0.1] .

PayPal apologizes deeply for the inconvenience.

Re:Still vulnerable to phishing... (5, Funny)

BadAnalogyGuy (945258) | about 6 years ago | (#23113386)

Heh. That address resolves! 404, though.

But back up a bit and you get the whole directory structure. TONS of porn in a couple folders.

Re:Still vulnerable to phishing... (2, Funny)

daeg (828071) | about 6 years ago | (#23113426)

Dear PayPal User:

Please go to http://www.whatismyip.org/ [whatismyip.org] and copy and paste your IP address into a reply e-mail.

PayPal thanks you for your time and effort.

Re:Still vulnerable to phishing... (1)

LoadWB (592248) | about 6 years ago | (#23113512)

Or just send a reply email and we can dig it out of your headers.

Re:Still vulnerable to phishing... (1)

RazzleDazzle (442937) | about 6 years ago | (#23113892)

Let's look at a random email I have here. OMG the end user IP is 10.1.0.50? let me paste that into nmap and see what ports you have open.
You can't always get end user public IP address if they are NAT'ed.

I think paypal should just quadruple their usage fees for those users instead of banning them, then get rid of the fees for the rest of us. If people are retarded enough to use a Mac (Safari) or other unsafe browser then they are probably easily persuaded to pay the additional fees for no reason other than they are not going to catch on.

j/k about Mac users being retarded. Well... not really. Hey if you can't take a joke you should probably stop reading slashdot as there are a lot of jokey jokemakers here.

Re:Still vulnerable to phishing... (2, Funny)

Anonymous Coward | about 6 years ago | (#23113782)

Holy fuck that's MY computer. WTF guys, that's not cool. Ok so maybe I don't have my firewall PERFECTLY configured, but why would you make fun of me by showing all my porn on slashdot? Shit dude I'm totally freaked out. I don't know how to fix it I'm fucking unplugging everything for the night. Fuck.

Re:Still vulnerable to phishing... (0)

Anonymous Coward | about 6 years ago | (#23113834)

Where? WHERE? I only see a couple thousand of .mp3s in mine. Life's not fair. :(

Re:Still vulnerable to phishing... (5, Funny)

Anonymous Coward | about 6 years ago | (#23113888)

Heh. That address resolves! 404, though. But back up a bit and you get the whole directory structure. TONS of porn in a couple folders.
Yeah, but it's stuff I already have.

Another one... (2, Funny)

Anonymous Coward | about 6 years ago | (#23113488)

Dear PayPal User,

Due to recent security upgrades, you may no longer be able to log in. In order to give all our customers the highest level of protection against fraud and identity theft, we are requiring that you have up-to-date security measures on your computer.

Please install the enclosed program [malware.exe] to upgrade the security of your computer to ensure that you can continue to access your PayPal account.

Thank you,
- Scams R. Us

Benefits for Everyone Else (2, Insightful)

Ai Olor-Wile (997427) | about 6 years ago | (#23113370)

While probably rather nasty and nanny-statish of them to do so, I can't help but think that this will force at least some people using certain archaic standards-non-compliant browsers to use better ones, or at least heavily-patched copies of IE 6 (although, since Microsoft is big on IE 7, they might skip that entirely.) Who knows, it might improve standards compliance a little bit—at least as far as transparent PNGs are concerned. (Obviously, this does not count Safari.)

Re:Benefits for Everyone Else (0)

Anonymous Coward | about 6 years ago | (#23113682)

Uh, even IE7 doesn't handle PNGs correctly. You can work around it with some Javascript but that's pretty lame.

Safe, Secure Internet? (1)

Fluffeh (1273756) | about 6 years ago | (#23113374)

Goodness me, that's just not right. The internet should partly stay a case of survival of the fittest. Gosh, in some way, it might be our next evolutionary platform to weed out the poor badly adjusted humans from propagating into the future? I can just see it now... (Angry woman's voice) "What? You lost your bank account because you used a poor browser to access Paypal? That's the last straw! I am leaving you for another man - one that is more aware of internet security!"

Banks should do this. (1)

sc0ob5 (836562) | about 6 years ago | (#23113404)

Banks should have been doing this since they introduced internet banking. Now the onus is on you and if you lose all your money because there was no requirement to use a safe browser it's your own fault. Seems like banks don't understand the concept of "users".

Re:Banks should do this. (5, Insightful)

Tackhead (54550) | about 6 years ago | (#23113434)

Banks should have been doing this since they introduced internet banking.

Are you nuts?

"We're sorry. You're not using IE. And if you are using IE, your IE configuration isn't permitting us to run the MegabanX proprietary ActiveX control that our conslutants [sic] told us would eliminate all our liability. Please enable ActiveX support in order to continue banking with us, or turn off that Netscape thingy and upgrade to IE4.0 and resize your window to 800x600 while you're at it."

Forgive me for the sarcasm, but I had to switch banks twice because of that sort of crap. Think back a few years. The last thing any of us would have wanted "since they introduced internet banking" was our banks doing User-Agent and Javashit-based snooping on our configuration.

Re:Banks should do this. (0)

Anonymous Coward | about 6 years ago | (#23113484)

The US treasury pulled that sort of thing a couple of years ago. Suddenly everybody that logs in has to type in their passwords via an onscreen keyboard that is randomized each time.

I haven't been able to access the account since, because they also insist on having archaic security in other areas which happens to be wrong. Vague information on how to remove the lock and leaving some people no way of getting in at all.

The banking industry while being hardly the most secure is far more reasonable about their security.

Re:Banks should do this. (1)

fluffman86 (1006119) | about 6 years ago | (#23113772)

My bank did the same thing...I complained and they finally fixed it after about 6 months. Luckily I lived so close to a branch, or I would have left. Almost did, but I can't complain now. :)

(except for the exact same TurboTax mess above) :P

Re:Banks should do this. (0)

Anonymous Coward | about 6 years ago | (#23113566)

1) We do not want this. The web should be based on standards, not Microsoft controlling everything.

2) Banks have FDIC insured accounts, unlike PayPal. PayPal likes to act like and pretend to be a bank. But it is not.

3) Raise your hands if PayPal has ever made it difficult to access your funds? I know my hand is raised.

4) Please do not let PayPal or Microsoft decide what web browser you can use. Additionally, banks are not very good at understanding or making decisions about end-user tech. They should not decide this either.

5) In summary, the answer is standards. Just not the ones passed by the ISO. Seems the IETF is better at these things.

User Agent Change (5, Interesting)

macbuzz01 (1074795) | about 6 years ago | (#23113410)

Safari for Mac:

Preferences > Advanced > "Show Develop Menu in Menu Bar"

Develop > User Agent > Firefox 2.0.0.12

Suck it > Paypal

Re:User Agent Change (1)

NeverVotedBush (1041088) | about 6 years ago | (#23113492)

I never knew about turning on the Develop menu!

Thanks, Macbuzz. It's done and done!

Re:User Agent Change (-1, Troll)

Anonymous Coward | about 6 years ago | (#23113672)

I never knew about turning on the Develop menu!

Thanks, Macbuzz. It's done and done!


"I never knew about a feature that was right there from the beginning, that was not hidden, could be easily found with the slightest effort to peruse the settings, and is probably documented in several places!"

Perhaps you're exactly the sort of user that makes PayPal feel that they have to take such a shitty measure. Did you ever consider that?

Re:User Agent Change (0)

Anonymous Coward | about 6 years ago | (#23113776)

I never knew about turning on the Develop menu!

Thanks, Macbuzz. It's done and done!

"I never knew about a feature that was right there from the beginning, that was not hidden, could be easily found with the slightest effort to peruse the settings, and is probably documented in several places!"

Perhaps you're exactly the sort of user that makes PayPal feel that they have to take such a shitty measure. Did you ever consider that?

Perhaps you're an obnoxious twit who doesn't realize the Develop menu was only added in Safari 3.1, which was released just under a month ago.
(there was a somewhat similar Debug menu in earlier versions, but it had to be enabled via the command line, not via a simple GUI preference)

Re:User Agent Change (2, Informative)

Nullav (1053766) | about 6 years ago | (#23113738)

And for Konqueror, it's 'Tools > Change browser identification'.

Really, I'd love to see someone knock PayPal out of the spotlight. For those of us without credit cards, it's usually the only option.

Well... (1)

Renraku (518261) | about 6 years ago | (#23113430)

Not sure what to make of it at this point, but the gut feeling says this will be an excuse to be anticompetitive.

Re:Well... (2, Insightful)

jt2377 (933506) | about 6 years ago | (#23113518)

Anti-competitive??? What's wrong with forcing users to use a safer browser to access their private data? If nothing else, this move will force Safari to include the feature that can protect their users. What you are saying is that a cop enforcing safety belts is anti-competitive to a car maker that doesn't include a safety belt, and safety belts have saved more lives than going without them. What kind of logic is that?

Huh? (1, Insightful)

What Would NPH Do (1274934) | about 6 years ago | (#23113436)

I guess I'm missing what's supposed to be so scandalous about this. I've seen plenty of government and financial institution websites do the same thing with blocking old versions of browsers or certain browsers they deem unsafe. Why is it that when Paypal does it that it's some big to-do?

I have an idea... (5, Insightful)

Snowspinner (627098) | about 6 years ago | (#23113442)

Why don't you trust me not to be an idiot instead of requiring that I use a different browser due to the fact that other users of my browser are idiots?

They have not even gotten that far. (0, Flamebait)

Mactrope (1256892) | about 6 years ago | (#23113514)

People who run Safari are not idiots and PayPal does not have any data indicating one browser is any more secure than another. The only basis for this stupid policy is that IE7 has some kind of anti-phishing and they noticed that IE7 users don't abandon PayPal as frequently as users of other browsers. That's it, leap of logic and case closed.

M$ has its hooks deep into PayPal for them to say crazy shit like that.

Re:I have an idea... (0)

Anonymous Coward | about 6 years ago | (#23113582)

But only an idiot would use PayPal.

Netcraft seems to have a slightly different take (5, Insightful)

micheas (231635) | about 6 years ago | (#23113500)

Paypal is hyping Extended Validation certificates after Netcraft posts articles like this:

Extended Validation certificates and XSS considered harmful [netcraft.com]

Curious if nothing else.

Re:Netcraft seems to have a slightly different tak (4, Funny)

jd (1658) | about 6 years ago | (#23113590)

Netcraft is dead. Paypal confirms it. And E-bay swapped it for some military hardware.

Who are they to decide what is and isn't safe? (5, Insightful)

Antony-Kyre (807195) | about 6 years ago | (#23113526)

Who are they to decide what is and isn't safe? They're not a bank, so I don't think they necessarily have any liability if one of their customers loses money, correct? Please correct me if I am mistaken.

Is this even legal? Seriously. If someone has money in PayPal, and if that same someone happens to be using a browser that is deemed "unsafe" and is sequentially banned, isn't that like PayPal holding the money hostage? What happens to those who refuse to "upgrade" in order to access their account?

Maybe instead of doing stupid stuff like this, which breeds a false sense of security among some less-smart users of PayPal, they should think of new and innovative ways to prevent unauthorized access to accounts. (I don't care to list my ideas right now.)

Re:Who are they to decide what is and isn't safe? (1, Troll)

corsec67 (627446) | about 6 years ago | (#23113554)

You aren't at all mistaken:

Paypal doesn't give a shit about anything but making money for themselves, and doesn't hesitate to take money from anybody's account for almost any reason.

PayPalSucks.com [paypalsucks.com]

It is kind of silly, forcing people to access PayPal with secure browsers when money stored at PayPal isn't secure from PayPal itself.
(PayPal isn't a bank, nor does it even try to pretend to be one, so don't let them have any EFT account numbers, and never store any money there.)

Re:Who are they to decide what is and isn't safe? (0)

Anonymous Coward | about 6 years ago | (#23113696)

(PayPal isn't a bank, nor does it even try to pretend to be one, so don't let them have any EFT account numbers, and never store any money there.)
Sure you can.

When you get your PayPal account, just give them the account number of a SAVINGS account. They can do their EFT test deposit in, but they can't suck anything out.

But yeah, don't keep any money there just in case.

Re:Who are they to decide what is and isn't safe? (0, Insightful)

Anonymous Coward | about 6 years ago | (#23113562)

It is their website. They have every right to support certain browsers and to use it, you accept their ToS.

Grow up.

Re:Who are they to decide what is and isn't safe? (1)

RiotingPacifist (1228016) | about 6 years ago | (#23113606)

Gonna have to disagree on this one, their test is fairly simple.
Does it have phishing protection?
yes = allow
no = recommend one that does.

OFC it's legal, they're not forcing you to pay anybody anything, and people have been forced to use a certain browser for sites for years. Hopefully they will do it via user strings, and assume anybody that is smart enough to fake a userstring is smart enough to not get phished.

Re:Who are they to decide what is and isn't safe? (2, Insightful)

Anonymous Coward | about 6 years ago | (#23113660)

Not the same. They certainly would care if their customers lose money - PayPal isn't the only fish in the online payment sea, though it is the largest. If phishing becomes too common it impacts their image and reputation as a safe way to shop.



And of course it's legal. Considering at least one allowed browser is FREE, and is available to basically every platform out there (Firefox), there's no burden on the consumer to have a "safe" browser.



That's like complaining that your bank inconveniences bike riders by being in a location only accessible by car. Bad business decision perhaps, but far from illegal.

Re:Who are they to decide what is and isn't safe? (1)

hendridm (302246) | about 6 years ago | (#23113844)

Who are they to decide what is and isn't safe?

That's what I was thinking, sort of. Requiring a "safe" browser seems about as effective as the TSA - some bogies get through, some grannies get nailed.

What about Lynx? (4, Funny)

homerj79 (58075) | about 6 years ago | (#23113528)

Is Lynx still considered unsafe? Have they fixed that graphics display hole yet? That was reported, like, 20 years ago.

Gypsies in the palace... (1)

VeryVito (807017) | about 6 years ago | (#23113536)

Paypal warning against internet fraud seems a lot like Michael Jackson speaking against child exploitation. The company has a history of making money just disappear. "You must use a secure browser so that we may have unregulated access to your banking account. Otherwise, somebody might be able to stop us."

First, Ebay Should BAN Sending Email to Users (5, Insightful)

Ron Bennett (14590) | about 6 years ago | (#23113538)

And yet, Ebay still sends email to users regarding important matters despite the security risks that poses - i.e. how can a user know the email is real, it's not encrypted, etc.

Instead of banning browsers, Ebay should address the bigger security issue of Ebay sending email to users - instead Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.

Ron

Re:First, Ebay Should BAN Sending Email to Users (5, Insightful)

Nushio (951488) | about 6 years ago | (#23113610)

Dear eBay User,

There is a new message waiting for you. You may login into here [slashdot.org] to access it.

Sincerely,
eBay Scammer.

Re:First, Ebay Should BAN Sending Email to Users (3, Insightful)

SpottedKuh (855161) | about 6 years ago | (#23113664)

Ebay should only send notices simply saying one has new messages in their Ebay message center, and require the user to actually visit Ebay to view the message contents - not fool-proof, but would substantially reduce the effectiveness of email spoofs.

One very important thing they would have to do is include some sort of identifying information, otherwise this would open the door to some very easy phishing attacks (as per Nushio's sibling comment).

Perhaps in your eBay account, you could choose one from several thousand little pictures (e.g., as you do with video games and video game systems to choose an avatar picture). Then, the messages could read something like:

Dear SpottedKuh: [picture of a little cow that I chose] ... check your eBay message centre, etc.

Then again, I think things like this have been tried before (don't some banks do something similar to this when you log in?) I guess if the users don't care to pay attention, they won't notice the difference between what I wrote above and:

Dear eBayUser: [picture of random anything] ...

Re:First, Ebay Should BAN Sending Email to Users (1)

bendodge (998616) | about 6 years ago | (#23113874)

Even better than choosing some random thing G-Ma might forget would be requiring (or at least pushing) her to upload her own photo.

Personally, I think this is a great thing. Finally, people will have major incentive to upgrade from IE5 and 6, the bane of web developers.

How much does it cost to become a "safe" browser? (1)

shatfield (199969) | about 6 years ago | (#23113546)


Wow, PayPal has figured out #2!

1) Declare a browser as "unsafe"

2) ???^H^H^H^H^H^H
2) Block the browser from your popular site

3) Profit! --> Approach the company that makes the browser... "we'll declare it safe... for a price".

What about older OSes? (1, Interesting)

Anonymous Coward | about 6 years ago | (#23113564)

What if you're on an older OS (e.g. Windows 2000) and you don't have access to a browser that supports EV SSL?

This sounds like eBay trying to get too controlling of PayPal users. I have a feeling that "security" might mandate a browser plugin in the future to verify that you are viewing the real paypal site (coincidentally, it automatically fills out transaction information if PayPal is the payment method)....

Re:What about older OSes? (3, Informative)

Orion Blastar (457579) | about 6 years ago | (#23113616)

They can always download and install Firefox. Then install an anti-phishing addon.

Firefox works as far back as Windows 95 IIRC? I installed Firefox on my uncle's Windows 98 box, the only issue was that the start bar title icon didn't show up properly but it ran.

Sure he can't use his iPod with Windows 98, but Firefox works great. If he gets a RAM upgrade he can run Windows 2000. But technically with 128M of RAM or more he can run Windows XP on his 333MHz processor, but it will be really slow.

I don't think we can afford to buy a new machine, and his old machine runs great.

How valuable are EV SSL certs? (5, Interesting)

LoadWB (592248) | about 6 years ago | (#23113568)

If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.

I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.

Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...

More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about use that to show critical information in the certificate, like the CN?

Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".

But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.

How about this? (3, Insightful)

TheSpatulaOfLove (966301) | about 6 years ago | (#23113576)

Can we ban Paypal for unsafe money exchange?

Re:How about this? (1)

dhaines (323241) | about 6 years ago | (#23113858)

Lately I've had transactions where the site (not eBay) used a Paypal cart. Each time I contacted the merchant and requested another way to order/pay. Most of them mentioned how many complaints they hear about Paypal. One business gave me a $24 order for free because I detailed in writing why I won't use Paypal. All but one of the others either had a different merchant account or sent the order with an invoice, trusting me to send payment. Only one lost my business because they "had" to use Paypal.

Paypal would be way more safe if they'd just ban all browsers.

Paypal blocks unsafe browsers... (5, Funny)

russotto (537200) | about 6 years ago | (#23113636)

...but the head of the International Phishers Guild says that all of their sites will continue to work with any browser you want. Spokesman Anome Smith says "We will not be following Paypal's lead on this. Popular phishing sites like www.payypal.com, www.paypa1.com, and 192.168.178.287/paypal will all continue to work with any browser you please."

stupid and pointless (3, Insightful)

Thaelon (250687) | about 6 years ago | (#23113638)

This is stupid and pointless.

The problem isn't "unsafe browsers". Phishing is social engineering, not hacking. The problem is unsafe users.

Give a stupid user a safe browser and a semi-sophisticated phish and they'll cough up that login.

Give a smart user IE 5.0 and they'll never get busted.

If paypal really wanted to increase user safety they'd do it with user education.

Tell users to very carefully navigate to the correct site, make a bookmark, and then never go to the site any other way again.

Re:stupid and pointless (0)

Anonymous Coward | about 6 years ago | (#23113878)

A UCLA study [ucla.edu] shows that people are willing to click on anything.

Will take my business elsewhere (2, Interesting)

wshwe (687657) | about 6 years ago | (#23113670)

eBay and PayPal have demonstrated that they no longer deserve my business.

Easy Phish - Thank you Paypal (5, Funny)

fireheadca (853580) | about 6 years ago | (#23113718)

Paypal not letting you in?

Have no fear.. with paypalproxy.com you can use any browser to access your account.

--
So long and thanks for all the phish.

I am an unhappy customer (4, Insightful)

prxp (1023979) | about 6 years ago | (#23113804)

I am a PayPal customer. I have a PayPal secure ID, a hardware token that generates 6-digit numbers (synchronized with PayPal's servers) that are part of my password authentication process. That means that even if someone gets my password (i.e. a phisher), they won't be able to log in that easily (they would need the hardware token to generate the current 6-digit number set, which changes periodically every 30 seconds). With all of that, I see no reason for PayPal to block me if I am using Safari, even if Safari is a bit unsafer than other browsers. That would just mean adding an extra item to the list of things my iPhone can't do: access PayPal's webpage. That would really piss me off.

If Paypal wanted to slow phishers (2, Interesting)

CrazyJim1 (809850) | about 6 years ago | (#23113836)

I'm not sure if there is a word for this (Phish and release), but it goes like this:
Paypal should send out official looking emails with links to a site that isn't on Paypal.
If someone enters their information on this fake site, Paypal would warn them that they got phished and released!
Paypal could tell them important stuff like only manually going into paypal.com and never clicking on a link in an email.

Lazy Unregulated Global Banking Monopoly (1)

Doc Ruby (173196) | about 6 years ago | (#23113906)

A lot less phishing would go on if PayPal would just enforce its trademark and force the FBI to investigate these phishers using those marks to compete with PayPal and rip off its customers.

All these banks should be doing that. The FBI should be busy protecting us from these modern bank robbers, not all the domestic snooping and other abuses they waste their time and our money on.

Trademark holders are supposed to lose their trademarks when they don't defend them against imitators. Banks are supposed to secure their transaction systems from fraud.

I guess since they're making so much money doing their bad jobs, they don't miss it much when we lose our money. They'll just get it back when the phisher deposits it in their own accounts later.