PayPal Security Flaw Allows Identity Theft
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
No signature = No liability (Score:5, Informative)
Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.
Re:No signature = No liability (Score:5, Insightful)
Minor hassle, 48 hours. Done. (Score:4, Informative)
Someone hand copied all the info on my car, front and back, when it was used at a restaurant.
I called the bank (Fleet, often considered big and difficult), they looked at everything that happened, I told them which ones were bogus, their fraud department confirmed the details of the transactions (location, times, names - these people were dumb enough to charge at Woolworths overseas, and paid bills for Progressive insurance, ATT and Verizon cells and Cablevision - all eminently traceable).
They reversed the charges, and said they were still subject to verification, and since they were all as I presented them, I got it all back and kept it. Most of the money was back after the next overnight, the rest was back after two overnights.
Re:Minor hassle, 48 hours. Done. (Score:3, Informative)
I dropped all my cards except those that allow online disputes for this. (for me) much easier to click the transactions, hit dispute, and forget about it until they call me. Instead of 10 minutes on hold, then giving all my account details, mother's name, SSN digits... over an insecure link (any phone line, but especially my cordless phone at home, cell eats minutes) to get them to chat. Unfortunately the only cards I have found were Discover and AME
Unless it's a debit card. (Score:5, Informative)
Or worse, a brokerage debit card. (Score:4, Interesting)
I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.
Since the bubble burst, I don't have to worry about having a lot of money in a money market account.
Re:No signature = No liability (Score:5, Informative)
Re:No signature = No liability (Score:2, Informative)
Re:No signature = No liability (Score:4, Insightful)
Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.
If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.
Re:No signature = No liability (Score:5, Insightful)
At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.
With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.
Re:No signature = No liability (Score:2, Informative)
What some people don't realise is that a lot of the credit card companies will put layer upon layer of bureaucracy in front of you to try and stop you claiming. Recovering stolen funds can be very time consuming.
On top of that, you have to have cards re-issued and any recurring payments set up on them have to be re-established with the new card.
For a lot of people, the fear of having their credit card details stolen is not about losing their money but the considerable amount of hassle involved in gettin
Re:No signature = No liability (Score:5, Insightful)
-h-
Re:No signature = No liability (Score:2)
"Sorry but your fault. thanks for giving us money!"
paypal != creditcard.
in any way shape or form. never EVER link your bank accounts to paypal.
Re:No signature = No liability (Score:3, Informative)
Paypal is trying to be a bank without having ANY of the federal regulations set forth for banks. You have no insurance on any of the money in your paypal account, which could be 'frozen' at any time. It's a total wonder to me why anyone trusts paypal enough to give them their banking information..
Re:No signature = No liability (Score:2)
Are you sure about this statement? I believe they are regulated as a bank just like a brick and mortar bank.
Re:No signature = No liability (Score:3, Informative)
You believe incorrectly. [auctionbytes.com]
Re:No signature = No liability (Score:2)
Whether this is true or not, it's meaningless in the context of the current discussion. Here's what started it:
Your irrelevant information doesn't make this statement false.
Re:No signature = No liability (Score:2)
Re:No signature = No liability (Score:3, Interesting)
They're up to no good somehow.
I made a contribution to a free overseas web service, being a good guy, supporting it, etc. Looking at the PayPal trail of breadcrumbs, they determined the exchange rate[*], rounded up, made the payment, then returned the difference to my account.
About ten days later, I get a nifty envelope from GE, managing a "PayPal Credit Service" for the amount of the exchange rate[*] with a minimum charge, deadline, service charge if it's late ($15), everything you'd expect to see f
Re:No signature = No liability (Score:2)
You have no insurance on any of the money in your paypal account, which could be 'frozen' at any time
Which is why I keep a minimal amount in the account. And I *never* click on a link to anything having to do with money out of email. I always use a bookmark or type in the URL manually. The only problem I have with Paypal is their history download is a joke: the balance doesn't change between some transactions, only to have it be added to another transaction later. It makes balancing the account a roy
And you insist on calling it (Score:2)
What the heck is wrong with you?
Re:No signature = No liability (Score:2)
"While Paypal is not a bank and thus can't be regulated by the FDIC, it is regulated by the Federal Reserve under Regulation E and by each state government as a money transfer provider."
I'm protected from all identity theft for life.... (Score:5, Funny)
I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.
Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.
So am I. But I went the other way... (Score:2)
I have ONE credit card left and that gets used judiciously. It's also a pay by phone type deal with security identification.
I have no credit rating because I don't WANT any (and I can afford NOT to have any).
You wouldn't believe the number of CapitalOne offers that I've put through the shredder over the years.
When
Re:No signature = No liability (Score:2)
Secondly, what else can a phisher do if they have your name and CC data? Can they bootstrap from that to further knowledge about you allowing them to actually access your credit (for loans, cars, etc.) Once they can assume your credit history the sky is the limit and your life
Re:No signature = No liability (Score:2)
If i get a chargeback and i don't have a signature to prove the transaction, i get charged $35 + the amount of money charged. Not only that, but if i get enough chargebacks, i lose my account.
Re:No signature = No liability (Score:2)
Re:No signature = No liability (Score:2)
Almost - I don't know about the terms of your card, but mine has language in it along the lines of anything that I buy, or that someone I allow to use my card buys, I'm liable for. That is, if I tell my girlfriend "sure, use my card" and she runs up a huge bill, tough on me.
That doesn't apply in this situation, of course, but it's worth remembering that you can't exploit the apparent loophole (at least, not without getting the pers
Re:No signature = No liability (Score:2)
If the merchant cannot prove that they approved the charge, the card holder gets refunded without any hassle.
Credit cards stolen? (Score:2, Funny)
Trickery and Buggery (Score:5, Insightful)
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?
What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.
Re:Trickery and Buggery (Score:3, Interesting)
I usually spot phishing scams based on the informal register of the language. Like, this is what I'd expect to hear in that case:
That is, when they're not totally butchering my language:
Re:Trickery and Buggery (Score:2)
Secured? Check, Paypal direct link? Check. Confirm info...ok....click click click....wait a minute...why is it asking me for a Bank PIN #?
They were a little TOO greedy for info...turns out it was residing in memory and redirecting AFTER he logged in.
Tricky bastards indeed.
Yo Grark
Re:Trickery and Buggery (Score:3, Insightful)
Re:Trickery and Buggery (Score:2, Insightful)
how?? (Score:3, Interesting)
Re:how?? (Score:5, Informative)
Re:how?? (Score:2)
Well to be fair... Pay Pal does hand out dev kits for pay pal ecommerce customers. As in... You get an upgraded account to interface your eStore into your pay pal account to directly accept credit cards.
Re:how?? (Score:3, Insightful)
Re:how?? (Score:2, Interesting)
Re:how?? (Score:2)
In this case I believe the script contains a notice that your account is locked and you need to visit some other (phishing) website to enable it again.
Re:how?? (Score:5, Informative)
What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that paypal is telling you that you need to go to another website to change your credentials.
You still have to get someone to click on the crafted URL for this to work though (hence why phishers are doing this, they're sending emails, or whatever.) so it's not going to work for people who don't click on the URL in phishing emails.
What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
Re:how?? (Score:2)
By accessing this page with a URL that uses a SCRIPT tag in the name parameter, I could inject script into this page, e.g. /page.jsp?name=%3CSCRIPT%3Ealert%28%27Hello%27%29%3B%3C%2FSCRIPT%3E (Note: I manually encoded this, it's supposed to be this: <SCRIPT>alert('Hello');</SCRIPT>)
Re:how?? (Score:2)
Your name: <%= name %><br>
Re:how?? (Score:2)
When this data hasn't been properly filtered or validated somebody can trick you to visit a spe
Re:how?? (Score:2)
Stupidity still necessary (Score:4, Insightful)
Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is.
Re:is it still stupidity? (Score:2, Insightful)
A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.
You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and
Which Korea? (Score:5, Funny)
North? South?
As I post this, 6 out of 8 top level posts have a '?' in the subject,
now 7 out of 9.
Re:Which Korea? (Score:2)
Don't you mean: Old or Old?
Re:Which Korea? (Score:2)
Surprise? (Score:3, Insightful)
Re:Surprise? (Score:2)
I've got a fix (Score:5, Informative)
It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.
Re:I've got a fix (Score:2)
The thing is, you always have a tradeoff between safety and convenience. The very point of a service like PayPal is that it is convenient. Therefore you almost have to think that it has a built in tendency towards being insecure. The trick is to get the same convenience as a link without the danger.
What sites should do, I think, is send notifications by email, but not include any URLS or even FRACTIONS of URLs (including the domain name) that could be cut and paste. Then
Re:I've got a fix (Score:2)
That's why I like my Mac Mail setup. (Score:2)
I then copy the link into a browser window but not the URL portion. I usually have NW-tools.com up on my browser and use that to check the origin of the message.
I do that with all the phony 'meds' spam I get too.
People have to be really STOOP-ID to click on a link on an email.
I don't even do that with mail purporting to be from people I know.
Re:That's why I like my Mac Mail setup. (Score:2)
Anyway, people might be stupid to click on links in e-mails, but LOTS of people do it, and spammers will continue to try this method no matter what security protocols legitimate websites develop.
Paypal is insecure (Score:2, Insightful)
So, no more paypal for me. Of course
Shouldn't be a problem (Score:5, Insightful)
This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.
First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.
A few things about PayPal (Score:5, Informative)
Re:A few things about PayPal (Score:2)
Paypal site is slow. Plus, it has nagware pages every time you log in directly. Plus, if you want to find something a few days old, it's a pain since you have to go to history and hit next and remember the amount and all, and did I mention the site is slow?
It's like saying when you contact AT&T, always call the main number and carefully select the options till you get to the technical a
Re:A few things about PayPal (Score:3, Insightful)
PayPal probably loses quite a lot of money because of phishing assholes, through the human resources spent fighting the crap spewed by the phishers.
Think about it:
Re:A few things about PayPal (Score:2)
Wow, they do all that when a 3rd party tries to take my money? That's pretty good. They don't do much when an actual seller through PayPal steals from me, though. Perhaps they should focus on that first, then worry about when 3rd parties steal in their name.
And this goes for ANY online contact (Score:2)
The Cross Site Scripting FAQ (Score:5, Informative)
http://www.cgisecurity.com/articles/xss-faq.shtml [cgisecurity.com]
Just closed my account (Score:2)
Remember, you can report such fraud email (Score:4, Informative)
Educate yourself, OTHERS, and report... (Score:4)
Just as important, seriously, educate others. Don't mumble "Darwin" or "figure it out yourself" when you can help someone else protect themselves or educate themselves about security threats.
Always report PayPal phish attempts to spam@paypal.com.
There's an excellent set of resources about phishing in general - and you can report phishing attempts at: antiphishing.org [antiphishing.org].
Not to be repetitive, but the best way to make a difference (in this case) is to help others and help yourself with education.
Oops:Educate yourself, OTHERS, and report... (Score:3, Funny)
Sorry, I must have been hit with the stupid stick today.
Good news for Google (Score:3, Interesting)
I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.
Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
I'd like to know... (Score:4, Interesting)
Has anyone else seen this?
Well, it's confirmed. (Score:2)
--Rob
What the hell? (Score:3, Insightful)
Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?
Nothing new (Score:3, Interesting)
AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.
Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been
Re:Identity "Theft"? (Score:3, Insightful)
Re:Identity "Theft"? (Score:2)
I might not identify myself by my money in my bank account or my credit rating, but I'd be pissed if it disappeared.
That's money I worked hard for, money that I set aside for an emergency, in case of job loss or accident.
While a credit rating is an artificial number, it is also a reflection of
Re:Identity "Theft"? (Score:5, Insightful)
It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.
It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.
In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.
Re:Identity "Theft"? (Score:2)
That post was obviously made in jest as a poke at all the people that say downloading music is/isn't stealing.
Re:Identity "Theft"? (Score:2)
Heh. Actually, I think he's pointing out Slashdot hypocrisy. From the responses he's gotten, I think he was rather clever about it. (I nearly replied and put my foot in my mouth.)
Re:Identity "Theft"? (Score:2)
"Identity Theft" isn't too far off the mark semantically, but I prefer the term Identity (or Reputation) Fraud which, to my mind, seems more precise.
Schwab
Re:Identity "Theft"? (Score:2)
'Identify Theft' is not a victimless crime (you've obviously never had your identity stolen).
Re:Identity "Theft"? (Score:2)
First a little definition for you:
victim |ˈviktəm| noun a person harmed, injured, or killed as a result of a crime, accident, or other event or action.
a person who is tricked or duped : the victim of a hoax. a living creature killed as a religious sacrifice.
It would seem these folks are most definitely victims even if you don't consider having to clean your
Re:Identity "Theft"? (Score:4, Informative)
I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.
Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraught protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.
That's just a stolen credit card; you can have your financial situation ruined for months if someone starts opening up lines of credit in your name (unbeknownst to you).
Yes, you aren't liable for credit theft; but getting your money back isn't always quick process (unless your bank/card offers 24-hour turnaround on fraud)
But when someone uses your identity and opens lines of credit, with a fraudulent signature, and your SSN and other personal information; that's an even more painful process to sort out with the credit agencies (Equifax, et al.)
Just a bit of nit-picking.
Re:Identity "Theft"? (Score:3, Insightful)
By using my identity (and credit and
Copythieving also ruins the original (Score:2)
So copythieving does affect your ability to listen to songs.
- RIAA Anti Theft Squad
Half right (Score:3, Interesting)
However, you are wrong that it is a victimless crime.
For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.
Re:Identity "Theft"? (Score:4, Informative)
One day I woke up and started getting hundreds of collection calls. All my credit cards were deactivated. My bank account was frozen. Phone turned off.
I literally could not use my identity. It was like a DOS attack. I couldn't perform any financial transactions, it was a complete nightmare.
For years it was impossible to get credit.
I wish someone had infringed my identity, leaving me with my original one completely intact. But no...
Re:Identity "Theft"? (Score:2)
--Rob
Re:Identity "Theft"? (Score:2)
Even though thi
Re:Identity "Theft"? (Score:2)
The thing that made me most angry was the pure crap they bought. 8 cellphones? $500 at hot topic?
Re:Identity "Theft"? (Score:3, Insightful)
No, people's tangible and intangible personal property is stolen by means of misrepresenting identity (not always the one whose property is stolen, depending on the particular manner of identity theft.) "Identity theft" is not "theft of identity", it's "theft by misrepresenting identity". And, therefore, it is theft.
Re:Identity "Theft"? (Score:2, Funny)
Re:Certificate?? (Score:2)
Re:Certificate?? (Score:2)
Uh, maybe I did read it, but still don't understand, and in typical fashion, got dogpiled by a bunch of self proclaimed experts. Typical
Re:Certificate?? (Score:2)
They didn't forge it. They used cross-site scripting to inject malicious code into the real Paypal page - in other words there is a vulnerability in the scripting used that takes information probably encoded in the URL and displays it on the page as the Netcraft write-up shows. This is then used to redirect the unsuspecting user to the fake page.
Re:hello? (Score:3, Funny)
Wow.
You are one seriously hard headed, self important fucker.
I thought that cats like you pretty much faded away with the end of the cocaine drenched 80's.
Want to point out how I'm not making any sense? Tough. You're a bone head. My point stands.
It doesn't need to be (Score:5, Informative)
The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:
<form method="post" name="login_form" action="https://www.paypal.com/
In other words, it's no wonder they haven't fixed it - nothing is broken.
Re:That's fine (Score:2)
just click on the login button. You will be redirected to a secure page
asking you to please enter you login infomation.
Re:That's fine (Score:2)