
PayPal Security Flaw Allows Identity Theft

Zonk posted more than 7 years ago | from the watch-your-back dept.


miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."


212 comments


No signature = No liability (4, Informative)

neoform (551705) | more than 7 years ago | (#15548867)

What most people don't realize is this, if your card number is stolen and someone uses it.. you aren't liable for the charge.

Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you wont have to pay it.

Re:No signature = No liability (5, Insightful)

Mick Ohrberg (744441) | more than 7 years ago | (#15548904)

It's still a hassle and a violation of privacy.

Unless it's a debit card. (4, Informative)

Grendel Drago (41496) | more than 7 years ago | (#15548907)

Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow [thismodernworld.com].

Or worse, a brokerage debit card. (3, Interesting)

vinn01 (178295) | more than 7 years ago | (#15549232)

I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.

Since the bubble burst, I don't have to worry about having a lot of money in a money market account.

Re:No signature = No liability (5, Informative)

goodcow (654816) | more than 7 years ago | (#15548915)

I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

Re:No signature = No liability (2, Informative)

rdavis542 (878124) | more than 7 years ago | (#15548989)

This is a great point, checking accounts are different beasts altogether. I set up a completely separate checking account at a different bank from my personal one for Paypal transactions only. It works because, yes it has the potential of being hacked, but they aren't privy to access my other primary accounts which pays my mortgage. If a customer has a rather large transaction I always do money orders.

Money Orders are bad news for sellers (0)

Anonymous Coward | more than 7 years ago | (#15549210)

MO take 6 months to clear, are trivial to forge, and impossible to verify ahead of time. They bite even worse than Western Union for buyers.

Re:No signature = No liability (3, Insightful)

Golias (176380) | more than 7 years ago | (#15549359)

I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.

If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.

Re:No signature = No liability (4, Insightful)

fallen1 (230220) | more than 7 years ago | (#15549409)

This is the reason I have an account set up with my bank that states it is specifically for PayPal. Period. The only money I keep in the account is enough to cover 4 to 6 months of banking charges (like $5/month) so even if someone were to try and steal the money in that account, I'm out $20 to $30 or so AND I am immediately alerted to the fact that account has been breached.

At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.

With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.

Re:No signature = No liability (1)

Bourdain (683477) | more than 7 years ago | (#15549418)

Yeah, that's why I always suggest two general pieces of advice -- with regard to paypal, sign up for and use a checking account at a separate bank just for those transactions (i.e. I have such an account -- a free checking account -- and typically only have $1 in it to avoid getting a fee for the account when I'm not using it)

also, unless you have spending problems, never use a credit card or at least make yourself use a secured card so you can't overspend how much money you have and also build credit simultaneously

Re:No signature = No liability (3, Informative)

telchine (719345) | more than 7 years ago | (#15548918)

What some people don't realise is that a lot of the credit card companies will put layer upon layer of bureaucracy in front of you to try and stop you claiming. Recovering stolen funds can be very time consuming.

On top of that, you have to have cards re-issued and any recurring payments set up on them have to be re-established with the new card.

For a lot of people, the fear of having their credit card details stolen is not about losing their money but the considerable amount of hassle involved in getting things back in order after the event.

Re:No signature = No liability (1)

dubmun (891874) | more than 7 years ago | (#15548921)

That's why I like to steal credit card numbers. Zero guilt!

Re:No signature = No liability (4, Insightful)

HardCase (14757) | more than 7 years ago | (#15548936)

Absolutely true, but, like everything else, there ain't no such thing as a free lunch. We all end up paying for it because reversed transactions are a cost of doing business that all merchants must calculate into their retail prices. If nothing else, it ought to cause people to be more aware of just what they're clicking on when they get an email.

-h-

Re:No signature = No liability (1)

Lumpy (12016) | more than 7 years ago | (#15548940)

what you don't realize is that if someone gets your paypal info they can empty your checking account and paypal will tell you.

"Sorry but your fault. thanks for giving us money!"

paypal != creditcard.

in any way shape or form. never EVER link your bank accounts to paypal.

Re:No signature = No liability (2, Informative)

neoform (551705) | more than 7 years ago | (#15549014)

Which is pretty much why i stay away from Paypal like the plague.

Paypal is trying to be a bank without having ANY of the federal regulations set forth to banks. You have no insurance on any of the money in your paypal account, which could be 'frozen' at any time. It's a total wonder to me why anyone trusts paypal enough to give them their banking information..

Re:No signature = No liability (1)

ScottLindner (954299) | more than 7 years ago | (#15549141)

"Paypal is trying to be a bank without having ANY of the federal regulations set forth to banks."

Are you sure about this statement? I believe they are regulated as a bank just like a brick and mortar bank.

Re:No signature = No liability (2, Informative)

schon (31600) | more than 7 years ago | (#15549278)

I believe they are regulated as a bank just like a brick and mortar bank.

You believe incorrectly. [auctionbytes.com]

Re:No signature = No liability (1)

OnlineAlias (828288) | more than 7 years ago | (#15549428)

Looks like their tactics have worked on you....Paypal=evil

Re:No signature = No liability (1)

Soruk (225361) | more than 7 years ago | (#15549451)

In the UK PayPal are regulated by the Financial Services Authority. So you're probably a little bit safer if your PayPal account is a UK one. The FSA do have teeth.

Re:No signature = No liability (1)

chonchito (982403) | more than 7 years ago | (#15549172)

Knowing the way things are in England you'd probably have to pay some kind of "peace of mind" insurance for such a luxury

I'm protected from all identity theft for life.... (5, Funny)

sgant (178166) | more than 7 years ago | (#15549177)

I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:

I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.

Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.

Re:No signature = No liability (1)

katorga (623930) | more than 7 years ago | (#15549191)

That will not last forever. The credit card vendors are moving to shift liability back to the retail merchant, not the issuing merchant bank or the acquirer. The merchants will either raise prices or hold the cardholder responsible.

Secondly, what else can a phisher do if they have your name and CC data? Can they bootstrap from that to further knowledge about you allowing them to actually access your credit (for loans, cars, etc.) Once they can assume your credit history the sky is the limit and your life is ruined for 12-18 months while you try and fix it.

At the end of the day, nothing is free. Credit card fraud costs $$$ and those costs are factored back into the system somewhere. It is either higher fees, interests rates, prices or taxes. Somehow you will pay for it.

Identity "Theft"? (-1, Flamebait)

goldspider (445116) | more than 7 years ago | (#15548882)

I'm really tired of hearing this term. Nobody's identity is being physically stolen; therefore it is not theft. Please reference a SINGLE case when a "victim" woke up to find that he/she NO LONGER HAD AN IDENTITY!! It's even more absurd than arguing that copyright infringement is theft!

It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

Re:Identity "Theft"? (0)

Anonymous Coward | more than 7 years ago | (#15548902)

Yep. Right up there with copyright "theft". (It's not "theft", anymore than it's "murder".)

Illegal, sure. Immoral, why not. Unethical, I guess.

Re:Identity "Theft"? (1)

eightheadsofdoom (25561) | more than 7 years ago | (#15548923)

Interesting points... I don't think "Identity Infringement" has that same scary ring to it though.

What the hell? (2, Insightful)

Grendel Drago (41496) | more than 7 years ago | (#15548931)

You're right; it's not identity theft, it's identity fraud. Which, guess what, has its victims [privacyrights.org].

Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?

Re:What the hell? (1)

goldspider (445116) | more than 7 years ago | (#15548969)

Copyright infringement != theft
Fraud != theft
Extortion != theft

All I'm asking for is some accurate and consistent depiction of the issue at hand. I suspect that the number of people who wake up with no concept of who they are is similar to the number of movie and record executives murdered/kidnapped on the high seas.

Nothing new (2, Interesting)

Moraelin (679338) | more than 7 years ago | (#15549033)

"Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?"

AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.

Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated, it actually disappears from person A to enter the possession of person B.)

And honestly seeing some of the arguments made, I can't help notice a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.

Re:Nothing new (1)

Jimmy King (828214) | more than 7 years ago | (#15549148)

Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated, it actually disappears from person A to enter the possession of person B.)

And honestly seeing some of the arguments made, I can't help notice a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.

There's also the far less often thought about or mentioned harm to the retailers. Even if the victim who has their card number stolen or whatnot reports it and manages to not have to pay for any of it, the retailer who accidentally lets the purchase through gets screwed. Victim reports that charge and does a chargeback? Retailer loses the money (although the product or service has probably already been rendered) plus gets charged an additional $10.

In the case of straight credit cards, it's fairly easy for the fraud to be detected beforehand, but to be certain, requires an actual human to go over every order by hand and probably make phone calls, which gets quite time consuming. In the case of paypal, it's worse. When I used to use them to take online payments, they didn't actually provide enough information to the retailer to verify fraud or lack thereof to protect the privacy of the purchaser, you just had to trust in paypal's non-existent fraud detection. Usually what would happen is that 2-4 months AFTER the fraudulent purchase, when that money is long spent, they remove it from your account and then charge the chargeback.

Re:What the hell? (1)

iminplaya (723125) | more than 7 years ago | (#15549101)

What are we going to pretend is "victimless" next?
War

Re:Identity "Theft"? (2, Insightful)

NineNine (235196) | more than 7 years ago | (#15548938)

You have to understand.... in this society, in this day and age, people DO define (identify) themselves by the things they own, the money they have in their bank account, and their credit rating. Sad, really.

Re:Identity "Theft"? (1)

dasunt (249686) | more than 7 years ago | (#15549113)

You have to understand.... in this society, in this day and age, people DO define (identify) themselves by the things they own, the money they have in their bank account, and their credit rating. Sad, really.

I might not identify myself by my money in my bank account or my credit rating, but I'd be pissed if it disappeared.

That's money I worked hard for, money that I set aside for an emergency, in case of job loss or accident.

While a credit rating is an artificial number, it is also a reflection of my financial history. I do pay bills on time, I am responsible with seeking credit. Through my actions, I can build up a good credit history, and when I need to go to get a loan, that credit history reports that I'm a low risk borrower. Identity theft is a form of libel. By stealing and abusing someone else's credit, the theft is (in effect) writing "don't lend to Mr. Smith, he has no intention of paying back his loans".

As for the things I own, if I lose them, it isn't the end of the world. But the stuff I own is stuff I paid for, and a fair chunk of my net worth in material goods is for work-related items: Vehicles, computer, books. These goods help me earn money. In effect, they are an investment. The rest is stuff I traded time (money) for so that I may enjoy them and live an easier life. That TV in the corner might be 4 hours worth of work, that table in the other room might be 15 hours worth of work. That dishwasher is 30 hours of my life. I'm not complaining about the work I've traded for those possessions because that's my decision. However, when some lazy thief takes away those goods, I will complain. If they want a TV, they can learn valuable skills and join the workforce like the rest of us.

Just my $.02

Re:Identity "Theft"? (1)

gowen (141411) | more than 7 years ago | (#15549187)

I don't define myself by the money I have in the bank, but my landlord certainly does. The categorical definitions he applies to me are "tenant" and "recently evicted former tenant". So lets not pretend that the after effects of fraud are purely cosmetic.

Re:Identity "Theft"? (4, Insightful)

kenthorvath (225950) | more than 7 years ago | (#15548958)

It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.

In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.

Re:Identity "Theft"? (1)

Dixie_Flatline (5077) | more than 7 years ago | (#15549058)

lrn2lol

That post was obviously made in jest as a poke at all the people that say downloading music is/isn't stealing.

Re:Identity "Theft"? (1)

MobileTatsu-NJG (946591) | more than 7 years ago | (#15549143)

"It's a semantic point and one not even worth making."

Heh. Actually, I think he's pointing out Slashdot hypocrisy. From the responses he's gotten, I think he was rather clever about it. (I nearly replied and put my foot in my mouth.)

Re:Identity "Theft"? (1)

SirTalon42 (751509) | more than 7 years ago | (#15548963)

It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

'Identity Theft' is not a victimless crime (you've obviously never had your identity stolen).

Re:Identity "Theft"? (0, Flamebait)

goldspider (445116) | more than 7 years ago | (#15549007)

You are correct. My identity has never been physically taken from me without (or with, for that matter) my consent.

(and 2 down-mods on a single post constitutes "excessive bad posting"? What kind of fascists are running this site?)

Re:Identity "Theft"? (1)

krunk7 (748055) | more than 7 years ago | (#15548981)

It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

First a little definition for you:

victim |ˈviktəm| noun: a person harmed, injured, or killed as a result of a crime, accident, or other event or action; a person who is tricked or duped: the victim of a hoax; a living creature killed as a religious sacrifice.

It would seem these folks are most definitely victims even if you don't consider having to clean your credit record up, dispute charges, and the general headache of canceling cards and waiting for new ones a "harm".

Just because something is stolen doesn't require that the person no longer has access to it. A number isn't some physical thing to be stolen and never returned to the world. . . "I'm sorry but all mathematics have halted, '2' was stolen years ago and no one ever caught the perpetrator". But don't be an idiot by somehow making a direct correlation between physical theft and the theft of a unique sequence of numbers allowing access to certain private information. Identity theft is the same concept, someone has stolen the necessary information to pretend to be someone they are not.

Re:Identity "Theft"? (4, Informative)

llamalicious (448215) | more than 7 years ago | (#15548990)

I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.

I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.

Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraught protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.

That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).

Yes, you aren't liable for credit theft; but getting your money back isn't always a quick process (unless your bank/card offers 24-hour turnaround on fraud).

But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information; that's an even more painful process to sort out with the credit agencies (Equifax, et al.)

Just a bit of nit-picking.

Re:Identity "Theft"? (1)

snarlydwarf (532865) | more than 7 years ago | (#15549122)

And don't forget that even once your own life and credit are restored... someone is out money.

Whether that is the vendor who sold an item or service and had the payment cancelled, or the bank that ate the loss: real money went into the hands of the thief and real money left the hands of someone else.

We all pay the cost of this: even if your Visa has never been stolen, merchants will pay higher fees to banks, banks will give less money to shareholders, and consumers will, as always just pay higher rates and prices and eat the loss.

A crime that injures a million people only marginally is still not a victimless crime.... especially when that crime is executed a million times a year. "Marginally" starts getting noticeable.

Re:Identity "Theft"? (2, Insightful)

sconeu (64226) | more than 7 years ago | (#15549013)

Actually, it's a hell of a lot closer to theft than copyright infringement.

By using my identity (and credit and ....) , the fraudster has impinged upon my ability to use it freely.

Copythieving also ruins the original (1)

MarkByers (770551) | more than 7 years ago | (#15549223)

When you commit copy-theft against a song, it makes the artistic owner of that song sad, and you can hear the sadness in their songs. Studies show that you can also hear the sadness in the original copy. The song didn't actually change of course, but it sounds sadder, because of all the crimes committed against it.

So copythieving does affect your ability to listen to songs.

  - RIAA Anti Theft Squad

Half right (2, Interesting)

MarkByers (770551) | more than 7 years ago | (#15549102)

You are right that 'identity theft' is a misleading and incorrect term. However, most people will just tell you 'I could care less.'

However, you are wrong that it is a victimless crime.

For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.

Re:Identity "Theft"? (1)

BronsCon (927697) | more than 7 years ago | (#15549112)

Oh, they still have an identity. Just not the one they had when they went to sleep. You see, I have an identity, as far as financial institutions are concerned, which can walk in, get a loan with a good rate, and walk out. Someone steals my identity, walks in, gets a good rate on a loan, never repays it... I wake up, I no longer have that identity. I was stolen. Pull your head out of your ass.

Re:Identity "Theft"? (3, Informative)

LunaticTippy (872397) | more than 7 years ago | (#15549167)

Speaking as someone who has suffered from fraud, you are wrong.

One day I woke up and started getting hundreds of collection calls. All my credit cards were deactivated. My bank account was frozen. Phone turned off.

I literally could not use my identity. It was like a DOS attack. I couldn't perform any financial transactions, it was a complete nightmare.

For years it was impossible to get credit.

I wish someone had infringed my identity, leaving me with my original one completely intact. But no...

Re:Identity "Theft"? (0)

Anonymous Coward | more than 7 years ago | (#15549437)

One day I woke up and started getting hundreds of collection calls... Phone turned off.

At least those calls weren't annoying.

Re:Identity "Theft"? (2, Insightful)

DragonWriter (970822) | more than 7 years ago | (#15549269)

I'm really tired of hearing this term. Nobody's identity is being physically stolen; therefore it is not theft.

No, people's tangible and intangible personal property is stolen by means of misrepresenting identity (not always the one whose property is stolen, depending on the particular manner of identity theft.) "Identity theft" is not "theft of identity"; it's "theft by misrepresenting identity". And, therefore, it is theft.

It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

Identity theft is no more "victimless" than armed robbery.

Re:Identity "Theft"? (2, Funny)

LordOfTheNoobs (949080) | more than 7 years ago | (#15549306)

So it's what, identity copyright infringement?

Re:Identity "Theft"? (0)

Anonymous Coward | more than 7 years ago | (#15549406)

Holy crap identity theft is NOT a victimless crime. Last summer I received a notice in the mail that a warrant had been issued for my arrest because I failed to pay for a ticket that I supposedly received in a city I've never been to! The ticket was for speeding and get this: failure to show an ID. Whoever impersonated me knew my name and DOB and the sad thing is that the police in TX do not take a picture or fingerprint when ticketing people w/o an ID - they just take their word for it (as opposed to Florida where I believe they take a fingerprint).

Well, that wasn't the end of it. I have received *3* more such tickets each of which have taken me countless hours to get dismissed (driving to the court house, pleading not guilty, seeing a prosecutor). I have written my representative, Brian McCall, and he does seem to give a shit that the system is broken and simply said he regrets my troubles. I have asked DPS to put a warning on my DL to no avail. I am actually considering legally changing my name as I really don't know what else I can do to prevent this from occurring again. It's totally frustrating to know that it will probably happen again and that the authorities are unable to prevent it. ... and yes I have tried to get the police to find whoever is behind this but they are totally uninterested.

Re:Identity "Theft"? (0)

Anonymous Coward | more than 7 years ago | (#15549421)

Okay, your use of the word "victimless" leaves me in no doubt that you're trolling (or you have a fantastically understated sense of humour) but for anyone that might think otherwise:

Using the right sequence of moves, it's possible to start with a small number of stolen documents and work up until you have a passport, drivers license and birth certificate in someone else's name, and you've cancelled or destroyed the originals. At that point you really have stolen their (legal) identity. Officials are now more likely to believe your story than theirs. Of course your victim still has his identity in the philosophical sense, but since everybody uses documents as proxies for that, as far as the state is concerned you really have stolen his identity.

That said, you're right when you say this isn't identity theft. It's fraud. If you were *really* clever you might be able to use it as a basis for identity theft, but I doubt it. It doesn't give the fraudster access to any physical identity documents.

Re:Identity "Theft"? (1)

tehcyder (746570) | more than 7 years ago | (#15549461)

victimless crimes

I don't think you'd be saying that if it had happened to you, and you'd had to spend a lot of your time and probably some of your money putting things right.

Certificate?? (-1)

Sebastopol (189276) | more than 7 years ago | (#15548890)

How in the heck did they forge a 256 bit SSL certificate?!

Can't this just be revoked or traced back to the owner?

Please to be 'splainin', Luuuucyyy...

Re:Certificate?? (1)

ruiner13 (527499) | more than 7 years ago | (#15548939)

Not only did you not RTFM, you didn't even read the fucking summary... it was a valid PayPal site with elements from a different site that recorded what you did on the legit site.

Re:Certificate?? (1)

Sebastopol (189276) | more than 7 years ago | (#15549277)

Uh, maybe I did read it, but still don't understand, and in typical fashion, got dogpiled by a bunch of self proclaimed experts. Typical /. snobbery.

Re:Certificate?? (1)

uglyduckling (103926) | more than 7 years ago | (#15548972)

How in the heck did they forge a 256 bit SSL certificate?!

Can't this just be revoked or traced back to the owner?

They didn't forge it. They used cross-site scripting to inject malicious code into the real Paypal page - in other words there is a vulnerability in the scripting used that takes information probably encoded in the URL and displays it on the page as the Netcraft write-up shows. This is then used to redirect the unsuspecting user to the fake page.
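The flaw class uglyduckling describes (text taken from the URL and written into the genuine page unescaped) reduced to a minimal handler, with the hardened form beside it. This is an added example, not code from the original post, from PayPal, or from the Netcraft write-up; the URL, the `msg` parameter name, the HTML template and the sample input are constructed for illustration.

```python
"""Reflected XSS as described in the thread: a page on a legitimate, SSL-served
site copies a query-string value into its HTML without encoding it, so markup
supplied in the URL is rendered as part of the real page.

Constructed example. The parameter name 'msg', the URL and the template are
assumptions, not PayPal's actual endpoint.
"""
from html import escape
from urllib.parse import urlsplit, parse_qs

# Hypothetical notice template into which the server inserts a message.
TEMPLATE = '<html><body><div class="notice">{notice}</div></body></html>'


def message_from_url(url: str) -> str:
    """Extract the 'msg' query parameter (percent-decoded) from a URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """The flawed pattern: URL-controlled text is inserted verbatim, so any
    '<script>' or other tags in it become live content of the genuine page."""
    return TEMPLATE.format(notice=message_from_url(url))


def render_safe(url: str) -> str:
    """Hardened form: HTML-encode the text before insertion so '<', '>', '&'
    and quotes are displayed as literal characters, never parsed as markup."""
    return TEMPLATE.format(notice=escape(message_from_url(url), quote=True))


def contains_raw_script_tag(html_out: str) -> bool:
    """Crude defensive check a test suite could run against rendered output:
    does the page still contain an unencoded <script ...> tag?"""
    return "<script" in html_out.lower()


# Constructed sample URL whose 'msg' value carries a harmless marker tag,
# percent-encoded as it would travel in a link: <script>alert(1)</script>
SAMPLE_URL = (
    "https://www.example.invalid/cgi-bin/notice"
    "?msg=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("safe:      ", render_safe(SAMPLE_URL))
```

The vulnerable rendering keeps the tag intact; the safe one emits `&lt;script&gt;...&lt;/script&gt;`, which the browser shows as text.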

Credit cards stolen? (2, Funny)

GonzoTech (613147) | more than 7 years ago | (#15548894)

... Oh my God! How will the masses be able to buy gold for World of Warcraft? Something has to be done... GonzoTech

Trickery and Buggery (4, Insightful)

Billosaur (927319) | more than 7 years ago | (#15548895)

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

Re:Trickery and Buggery (1)

Slashdot Junky (265039) | more than 7 years ago | (#15549124)

I too wonder why people believe every freekin' message that hits their inbox. It doesn't matter what the subject matter is. Although you and I may not be, people in general are very naive.

Later,
-Slashdot Junky

Re:Trickery and Buggery (2, Interesting)

happyemoticon (543015) | more than 7 years ago | (#15549137)

I usually spot phishing scams based on the informal register of the language. Like, this is what I'd expect to hear in that case:

We suspect that your account information has been compromised, and have disabled your account as a security precaution. You will now be redirected to the Resolution Center to verify your information.

That is, when they're not totally butchering my language:

Sir apologies you to! We is suspects that hackers been gotting into your account and disabled fraud! Please give to your credit card details us!!! All your base are belong to them!!!

Now, what these dirt-poor third-world phishers need is the opportunity to work with an English major from an American university! I see a lucrative business opportunity for both them and my cohorts, who are universally working at theaters and coffee shops.

Re:Trickery and Buggery (1)

sseaman (931799) | more than 7 years ago | (#15549161)

With the profusion of them, and PayPal's constant warnings that they would never ask for such information it's still amazing how many people will fall for this

The profusion meaning that more people are getting these, which explains why more people are falling for them.

You'll only read the constant warnings if you're a frequent PayPal user. I assume that most of the people who are caught in these schemes are infrequent PayPal users, like myself, who only created a PayPal account to buy a certain item off of eBay.

I don't get much spam, but I did start getting these phishing e-mails last year, and the first time I got one I admit I was taken: I was told that my PayPal account username had been repeatedly used with the incorrect password, and that I should log in for some reason (obviously, I wasn't thinking). Fortunately, a few things prevented me from actually giving away any useful information: the credit card that I had originally registered with PayPal was from a bank that I no longer use, and I completely forgot my username and password (and the Hotmail account I had used when I registered needed to be re-activated, so it took me a few days before I was able to access my account directly through the site).

It was a close call, and I felt pretty stupid, but it was mostly due to the fact that I really never received any spam through that e-mail account. All that account seems to receive, spam-wise, is PayPal phishing scams and bogus stock tips. Must be some flaw in the university spam filter.

especially as the spoofs get more slick and sophisticated.

So it's really not so amazing that people fall for this when the spoofs are slick and sophisticated.

how?? (3, Interesting)

zimsters (978940) | more than 7 years ago | (#15548896)

"by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?

Re:how?? (0)

Anonymous Coward | more than 7 years ago | (#15548927)

Cross-Site Scripting.

Re:how?? (1)

zimsters (978940) | more than 7 years ago | (#15548966)

Yes, I read that. But, for example, to use "cross-site scripting" to hack into, say, /., you'd need access to modify the files that are located physically on the /. server, no? How else do you intercept data!

Re:how?? (1)

baadger (764884) | more than 7 years ago | (#15549470)

Unsanitised input. POST (submitting forms, uploading files via your browser) or GET (normal webpage viewing) requests are ways in which you, as the visitor or user of a website, send and receive data to and from that website. Sometimes, web applications (programs running on the server side) return this data back to your browser, for example when validating forms you may see messages such as " is an invalid name".

When this data hasn't been properly filtered or validated, somebody can trick you into visiting a specific URL which contains malicious embedded HTML or JavaScript. When the vulnerable web application returns this injected data back to the user's browser, it looks like it's coming from the source. Because the malicious party has introduced their exploit through YOU, the secure channel between you and the vulnerable application (in this case PayPal) has never been compromised.

Injected JavaScript, for example, to hook into the credit card entry box and some XMLHttpRequest calls to submit that data to a 3rd party where it is logged is one possibility.

In short, don't click links from untrusted websites going to websites like PayPal, or if you do, check the URL very carefully. Oh, and don't use Internet Explorer; thanks to this little vulnerability [secunia.com] it looks like open season on your private information.

Re:how?? (2, Insightful)

MankyD (567984) | more than 7 years ago | (#15548992)

How are hackers injecting this code into a legitimate paypal website??
Cross-Site Scripting.
You're missing the grandparent post's question. If I visit http://paypal.com/ [paypal.com] how does the phisher get their script to run?

Re:how?? (2, Interesting)

serial_crusher (591271) | more than 7 years ago | (#15549026)

Maybe they have some kind of bad forwarding system set up? At my company you could do the equivalent of: http://www.paypal.com/redirect.php?NEXT_PAGE=%5Bhttp://10.6.6.6/hackers%20fake%20page.html%5D [paypal.com] Our stuff does internal redirection to make things faster, so to the user it'll still look like he's seeing something on paypal.com.

Re:how?? (1)

ifoxtrot (529292) | more than 7 years ago | (#15549192)

It's not quite like your example, although the principle is similar. The site isn't forwarded; it is the actual PayPal site that displays some rogue information, but it's because PayPal allows some script to be submitted as part of the URL and then (without checking it) executes it in one of their pages.

In this case I believe the script contains a notice that your account is locked and you need to visit some other (phishing) website to enable it again.

Re:how?? (4, Informative)

ifoxtrot (529292) | more than 7 years ago | (#15549142)

To answer your question, in short the attack doesn't work if you visit http://paypal.com/ [paypal.com] manually.

What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short, the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that PayPal is telling you that you need to go to another website to change your credentials.

You still have to get someone to click on the crafted URL for this to work, though (hence why phishers are doing this: they're sending emails, or whatever), so it's not going to work for people who don't click on the URL in phishing emails.

What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
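The mechanism baadger and ifoxtrot describe above (a URL parameter echoed unfiltered into the genuine page, with the HTML-escaped version beside it and a check over access-log lines for injected query values), as an added example that is not PayPal's code or part of the Netcraft write-up. The parameter name "msg", the /status path, the page template and the log lines are all constructed for illustration.

```python
"""Reflected XSS, modelled on a toy page handler that echoes a URL parameter.

Added example; not PayPal's code. "msg", /status, the template and the
sample log lines are constructed for illustration only.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

TEMPLATE = '<html><body><p class="notice">{notice}</p></body></html>'

# Tag openers, javascript: URLs and inline event handlers in a decoded value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Request target inside a common-log-format line: "GET /path?query HTTP/1.1"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def get_notice(url: str) -> str:
    """Return the decoded 'msg' query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the parameter unchanged: markup carried in the URL becomes markup
    in the genuine site's page, served under the genuine certificate."""
    return TEMPLATE.format(notice=get_notice(url))


def render_fixed(url: str) -> str:
    """Escape before embedding, so <, >, & and quotes render as text."""
    return TEMPLATE.format(notice=html.escape(get_notice(url), quote=True))


def is_suspicious_target(target: str) -> bool:
    """True if any decoded query value of a URL or request path carries tag,
    javascript: or event-handler syntax (a second unquote catches double
    percent-encoding)."""
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        if any(MARKUP.search(unquote(v)) for v in values):
            return True
    return False


def flag_log_lines(lines):
    """Return the access-log lines whose request target looks injected.
    Lines without a parsable request are skipped."""
    return [ln for ln in lines
            if (m := REQUEST.search(ln)) and is_suspicious_target(m.group(1))]


# Constructed sample URLs: one benign, one carrying a redirect script.
BENIGN_URL = "https://www.paypal.com/status?msg=Welcome+back"
INJECTED_URL = (
    "https://www.paypal.com/status?msg=%3Cscript%3Elocation%3D"
    "%27https%3A%2F%2Fexample.invalid%2F%27%3C%2Fscript%3E"
)

# Constructed access-log lines (common log format, not real traffic).
SAMPLE_LOG = [
    '10.0.0.1 - - [16/Jun/2006:10:00:01 +0000] "GET /status?msg=Welcome+back HTTP/1.1" 200 512',
    '10.0.0.2 - - [16/Jun/2006:10:00:07 +0000] "GET /status?msg=%3Cscript%3Elocation%3D%27https%3A%2F%2Fexample.invalid%2F%27%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.3 - - [16/Jun/2006:10:00:09 +0000] "GET /status?msg=Click%20here%20%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%22%3Enow%3C%2Fa%3E HTTP/1.1" 200 655',
]

if __name__ == "__main__":
    print(render_vulnerable(INJECTED_URL))  # script lands inside the page
    print(render_fixed(INJECTED_URL))       # rendered as harmless text
    for line in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
```

Run as a script it prints both renderings of the injected URL and the two log lines the check flags; the benign "Welcome back" request passes both renderers unchanged.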

Re:how?? (1)

NetPoser (266960) | more than 7 years ago | (#15549006)

FTA

"The server currently running the scam is hosted in Korea and is accessed via a hex-encoded IP address."

Re:how?? (0)

Anonymous Coward | more than 7 years ago | (#15549055)

It is probably something like Greasemonkey does.

They could modify the source code on PayPal's servers, but in this case they are exploiting your browser and inserting code on it to display additional content once you visit PayPal.

So I guess PayPal can't do much to prevent this from happening.

Re:how?? (1)

SirTalon42 (751509) | more than 7 years ago | (#15549085)

Actually it's the reverse. There's a problem in the PayPal code that lets them insert extra data onto the page (or do transparent forwarding or anything else, really).

Stupidity still necessary (4, Insightful)

Draconnery (897781) | more than 7 years ago | (#15548975)

This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.

Sort of, but not quite (0)

Anonymous Coward | more than 7 years ago | (#15549329)

The exploit uses the concept of cross-site scripting (XSS, not CSS). XSS can work in some interesting ways to trick users. It's certainly more sophisticated than your typical "www.somerandomsite.com/ebay/login.cgi" phishing schemes you see.

You can read some more about XSS [cgisecurity.com] .

Re:is it still stupidity? (2, Insightful)

thePowerOfGrayskull (905905) | more than 7 years ago | (#15549352)

A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.

You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and redirect the login to the actual vendor. You never receive a hint that you were duped until the charges start showing up.

These days, a suspicious URL in your browser is often the only clue you'll get -- and if you don't have the latest patches for the popular browsers, the URL can be disguised.

This isn't to say that there is no stupidity factor. People still fall for the old-style phishing scams like you described, or "validate your credit card number" scams, with startling regularity. Most people fail to realize that a simple precaution can make you essentially immune to phishing attempts (like disabling HTML in emails).

However, the newest round of phishing is a lot more sophisticated, and a lot more convincing. As it becomes more prevalent, expect mass stupidity to be less of a factor in its success.

Which Korea? (4, Funny)

ch-chuck (9622) | more than 7 years ago | (#15548980)

The server currently running the scam is hosted in Korea

North? South?

As I post this, 6 out of 8 top level posts have a '?' in the subject,
now 7 out of 9.

Korea is commie either side (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15549334)

Korea is commie either side, only on one side they die in the streets and maybe get a once-over look, and on the other side, no one looks at all.

Surprise? (3, Insightful)

theaddkid.com (983011) | more than 7 years ago | (#15549017)

I don't know how this is a surprise to anyone; "cross-site scripting techniques" are so common now they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.

Re:Surprise? (1)

DragonWriter (970822) | more than 7 years ago | (#15549179)

I don't know how this is a surprise to anyone; "cross-site scripting techniques" are so common now they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.
The people that this is a surprise to are probably not people who read 2600.

hello? (0, Troll)

dbucowboy (891058) | more than 7 years ago | (#15549040)

Sorry, but if you are dumb enough to still fall for the "Update your account" email then you deserve to have your identity stolen.

Re:hello? (1)

theaddkid.com (983011) | more than 7 years ago | (#15549121)

Sorry, but if you are dumb enough to still fall for the "Update your account" email then you deserve to have your identity stolen.
Um, where in the article did it say it was another email scam? Oh wait, it didn't. It has nothing to do with email; it has to do with "they are presented with a message that has been 'injected' onto the genuine PayPal site" via a cross-site scripting technique.

Re:hello? (1)

dbucowboy (891058) | more than 7 years ago | (#15549176)

Regardless of what the article says, my point stands...

Re:hello? (3, Funny)

Anonymous Coward | more than 7 years ago | (#15549296)

I also believe that children that don't learn to swim by the age of 4 should drown. Forget that the ARTICLE THAT THIS DISCUSSION IS BASED ON has nothing to do with children drowning, those dirty little swimless fuckers need to drown.

Wow.

You are one seriously hard headed, self important fucker.

I thought that cats like you pretty much faded away with the end of the cocaine drenched 80's.

Want to point out how I'm not making any sense? Tough. You're a bone head. My point stands.

Re:hello? (1)

theaddkid.com (983011) | more than 7 years ago | (#15549389)

ROFL, I don't care who you are, that's funny right there.

I've got a fix (5, Informative)

Dixie_Flatline (5077) | more than 7 years ago | (#15549080)

Never follow a link in an email.

It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

Re:I've got a fix (1)

hey! (33014) | more than 7 years ago | (#15549311)

It's not a very good fix though.

The thing is, you always have a tradeoff between safety and convenience. The very point of a service like PayPal is that it is convenient. Therefore you almost have to think that it has a built in tendency towards being insecure. The trick is to get the same convenience as a link without the danger.

What sites should do, I think, is send notifications by email, but not include any URLs or even FRACTIONS of URLs (including the domain name) that could be cut and pasted. Then when the referrer header shows the user is browsing from outside the site, automatically display the action the user should take in a prominent location.

Re:I've got a fix (1)

Sancho (17056) | more than 7 years ago | (#15549464)

That'd be great, but your average sheeperson would still click links if they were sent them. The bad guys would be under no impetus to abide by PayPal's rules, and your average person wouldn't be observant enough to know that PayPal won't send the URLs. Probably even if PayPal put up a huge banner on their site saying, "We will never send you URLs", many people would still click or copy/paste.

Paypal is insecure (1, Insightful)

Nightspirit (846159) | more than 7 years ago | (#15549092)

I rarely use PayPal, checked my bank statement one day, and realized 2k was missing from my bank courtesy of PayPal. I have never clicked on a PayPal email, and so the only explanation I could think of is either gross incompetence at PayPal, or a keylogger was on my system (which was doubtful). Of course, I run all the major spyware/adware/virus/rootkit detectors and nothing (and yes, I do have a firewall, do not use wireless on this computer, and have a good password).

So, no more PayPal for me. Of course I eventually got my money back, but it was a major hassle. From now on I am creating accounts using temp credit card numbers.

Shouldn't be a problem (4, Insightful)

Todd Knarr (15451) | more than 7 years ago | (#15549098)

This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

A few things about PayPal (4, Informative)

XxtraLarGe (551297) | more than 7 years ago | (#15549104)

I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
  • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
  • PayPal tells you never to click on a link to log in to their site. They say always type the URL: https://www.paypal.com/ [paypal.com]
Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.

Re:A few things about PayPal (1)

electronerdz (838825) | more than 7 years ago | (#15549369)

Most email programs automatically create links. So the email could still say that, but people would rather just click on the link that is available for them via Outlook Express. It is just like your message. It says to TYPE the URL, but it's a link.

Re:A few things about PayPal (1)

Lactoso (853587) | more than 7 years ago | (#15549388)

I, for one, have received phishmails WITH my real, full name in them. Only my superior intellect and proper personal hygiene have allowed me to recognize them for what they were.

They all used the tactic of showing a 'confirmation' of a recent purchase for an iPod, a digital camera, a cellphone, etc., with a convenient link to dispute this transaction.

As for typing the URL, I wholeheartedly agree. In fact in my browser I have a bookmark tab set up called 'Manage', under which I have all my financial account links (online banking, PayPal, etc.). The easier you make it to properly and securely access your account, the more likely you'll be to do so instead of clicking on a link.

HUH (1)

theaddkid.com (983011) | more than 7 years ago | (#15549163)

Um, where in the article did it say it was another email scam? Oh wait, it didn't. It has nothing to do with email; it has to do with "They are presented with a message that has been 'injected' onto the genuine PayPal site" "via a cross-site scripting technique." It has nothing to do with email. RTFA

Just closed my account (1)

rbanzai (596355) | more than 7 years ago | (#15549181)

I hardly ever use it and PayPal is too big a target with too poor security, and almost nonexistent procedures for recovery after fraud.

That's fine (1, Interesting)

tzanger (1575) | more than 7 years ago | (#15549237)

PayPal's main site (http://www.paypal.com) does *NOT* do a permanent redirect to https://www.paypal.com, so if you hit www.paypal.com you give your PayPal login and password in the clear. I've emailed them several times on this and have finally given up, as they don't bother to respond.

So if you can get in between PayPal and your target, you don't even need to fool anybody.

Re:That's fine (1, Informative)

Anonymous Coward | more than 7 years ago | (#15549320)

Sorry, but you're wrong. If you look at the source code you'll see that the login form is submitted to a secure URL (via https). You can have secure forms on an insecure page.

NEVER click a PayPal link in email. (1)

Short Circuit (52384) | more than 7 years ago | (#15549401)

Never. If it's important, you can go to PayPal's website manually, through a different tab or browser window, and check for yourself.

Always Browse From the Source (1)

Temujin_12 (832986) | more than 7 years ago | (#15549420)

If the email doesn't give you instructions on how to NAVIGATE to a section of their webpage then don't follow the link. No matter how smart we all think we are, we can be tricked. The best thing to do is always start from the company's main page, then browse from there. That way if anything happens, you can blame it on their site.

That's what I tell my wife, who gets lots of phishing emails, and it seems to work. It doesn't matter if your bank says they're going to shut down your account; if they can't take the time to call you personally, have you call them personally, have you visit personally, or tell you how to navigate to a portion of their site, then it isn't that important.

I tell people the same thing with scam emails that purport to be from the police/FBI/etc. I figure if the authorities really need to get a hold of me they can do it in person.
