
Slashdot: News for Nerds


Paypal Advises Users To Stop Using Safari

Zonk posted more than 6 years ago | from the watch-where-you-click dept.

Security 362

eldavojohn writes "Over concerns for lack of an anti-phishing mechanism for Safari, Paypal is telling its Mac users to use another browser. An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him. 'Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat.'"


362 comments

Maybe Apple should... (4, Insightful)

gillbates (106458) | more than 6 years ago | (#22629560)

Tell Safari users to stop using PayPal...

Re:Maybe Apple should... (5, Insightful)

Jeremiah Cornelius (137) | more than 6 years ago | (#22629616)

C'mon.

Apple is deficient here - no doubt about it. If you want Mom & Pop to click "pay now", you don't expect 'em to be able to parse "http://www.barclays.validation.co.uk". You don't have to be an "idiot" to fall for this - just outside your area of expertise.

I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!

Except for the missing ads - thanks to Ad Block+

Re:Maybe Apple should... (2, Interesting)

goombah99 (560566) | more than 6 years ago | (#22629714)

What theme do you recommend as the most "mac-like" and minimalist in screen real estate? And what do you mean, copy and paste the icon resource?

Re:Maybe Apple should... (2, Informative)

Constantine XVI (880691) | more than 6 years ago | (#22629786)

The Firefox3 betas come with a new very Mac-like theme, called Proto. I believe you can download it for Firefox2 as well

Re:Maybe Apple should... (3, Insightful)

Anonymous Coward | more than 6 years ago | (#22629954)

I tried using Firefox 3 beta 3, and after 2 painful weeks, I switched back to Safari. If you're going to make it look like a Mac application, it should behave like a Mac application.

After I tried to drag the FF3b3 window by its draggable-looking status bar for about the 3 billionth time, I gave up and went back to Safari.

Giving Firefox (with the new Mac theme) to a Safari-using friend is a good way to get your (now former) friend to insist you unbreak his Mac, and then leave him the hell alone.

Re:Maybe Apple should... (4, Insightful)

Anonymous Coward | more than 6 years ago | (#22629958)

What theme do you recommend as the most "mac-like" and minimalist in screen real estate?
Please - that's like asking for "the most Windows-like and stylish".

Minimalist use of screen real estate is not a Mac virtue: Apple's principle is that screen real estate should be used well, not minimally. That's why they've made a big deal out of having bigger icons than Windows, for example, even though that means the Dock takes up about three times as much screen real estate as Windows' taskbar. Big icons = easier to hit = more efficient for the user. You aren't wasting that space, you're trading it for your time. And I assure you, unless you flip burgers or something then your time is valuable enough that you can certainly justify buying a bigger screen if you really need more working space.

(Incidentally, I do rather wonder why, with modern Macs all having wide-aspect monitors, the default Dock position is still along the bottom of the screen, and why windows still have their toolbars along the top rather than down the side, but those are whole other cans of worms...)

Re:Maybe Apple should... (1, Interesting)

0xdeadbeef (28836) | more than 6 years ago | (#22630016)

So why is closing a Mac window harder than threading a needle? And with the close button so small, why do standard dialogs generally lack an "OK" or "Close" button, with the expectation that we use those itty-bitty buttons way up in the corner?

Oh, but it's Apple, that means the UI is good by definition!

Re:Maybe Apple should... (3, Insightful)

Anonymous Coward | more than 6 years ago | (#22630144)

So why is closing a Mac window harder than threading a needle? And with the close button so small, why do standard dialogs generally lack an "OK" or "Close" button, with the expectation that we use those itty-bitty buttons way up in the corner?


Why does Microsoft Windows have such big titlebars and buttons on all windows? Why does it always have these unnecessary 'ok' 'close' buttons everywhere? Why doesn't it have fast, easy keyboard shortcuts for most tasks?

Actually, the huge, hunking graphics in Windows is as good enough reason as any to avoid it.

Re:Maybe Apple should... (1, Troll)

Jeremy Erwin (2054) | more than 6 years ago | (#22630312)

So why is closing a Mac window harder than threading a needle? And with the close button so small, why do standard dialogs generally lack an "OK" or "Close" button, with the expectation that we use those itty-bitty buttons way up in the corner?


Are you some sort of cripple? It's a mouse. It's an extension of your hand. Just aim the cursor. Slow movements are more precise, fast movements are coarser.

And I have no idea what you could possibly mean by dialogues lacking certain buttons. Give me an example.

Re:Maybe Apple should... (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#22630006)

Foxdie [mozilla.org]

iSafari Leopard [mozilla.org]

Resource? Command "I" to "get info" on Safari. Click on the Icon, and Command "C" to copy. Command "I" on FireFox to "get info". Click on the Icon and Command "V" to paste. Close all dialogues.

Re:Maybe Apple should... (1)

RiotingPacifist (1228016) | more than 6 years ago | (#22629752)

Why con them? Most Mac users I know use Firefox anyway.
Don't forget Fission https://addons.mozilla.org/en-US/firefox/addon/1951 [mozilla.org] , to get rid of the status bar, although it's important to change the setting so you can hover links.

Re:Maybe Apple should... (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#22630054)

If I don't change it they always click the damned compass. Even when it's pulled from the dock.

Easier to camouflage than re-train! They don't complain about the difference, and say "Thanks!"

Re:Maybe Apple should... (5, Insightful)

MacDork (560499) | more than 6 years ago | (#22629910)

C'mon.

Apple is deficient here - no doubt about it.

Deficient eh? I use Omniweb. Same issues I'm sure, but I'm comfortable with it. I have something I feel is far more secure than a colored URL bar and Extended Validation box that begs for attention... I have an encrypted system wide keychain [xvsxp.com] that is not going to have a username/password for paypa|.com. I might not catch that pipe as a lower case L... I may not catch a Cyrillic character that looks just like an 'a' in there, but my keychain aware browser certainly will. It won't have a password for that domain, and that will instantly alert me to the fact that something is fishy. Proceed to open a new window and manually enter the address as a test... I rely on my keychain so much, I generally don't know the password for most websites I use, so I therefore cannot be suckered into revealing it. I'm sure Safari can be configured the same way.

Instead of railing on Apple for not adopting the technologically deficient solution of other browser makers, perhaps they should instead focus on what is IMHO a superior approach to security... No dice on Windows Safari, sure, but on the Mac I have no fear of phishers.

Re:Maybe Apple should... (1)

iamacat (583406) | more than 6 years ago | (#22630032)

Apple is deficient here - no doubt about it. If you want Mom & Pop to click "pay now", you don't expect 'em to be able to parse "http://www.barclays.validation.co.uk". You don't have to be an "idiot" to fall for this - just outside your area of expertise.
And if the phishing filter doesn't alert them, do you want to encourage Mom & Pop to go ahead and enter their credit card info on an unknown URL opened from an e-mail message? I, for one, welcome our new botnets with phishing web pages running on infected desktops overlords.

I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!
Maybe they won't, but people here will certainly notice that their blogs no longer benefit from Apple's built-in spellchecker for text fields. You shouldn't muck with people's machines unless there is a compelling reason. Someday they will want to educate themselves using system help or an introductory book. How easy would it be with all your customizations?

Re:Maybe Apple should... (1)

x_MeRLiN_x (935994) | more than 6 years ago | (#22630188)

How exactly would they notice that when Firefox has built-in spell checking too? I'm not agreeing or disagreeing with your main point, but I think it would be erroneous to assume the type of computer users he's talking about will ever want to learn about how computers work.

Re:Maybe Apple should... (4, Informative)

MightyYar (622222) | more than 6 years ago | (#22630118)

Let Safari/Firefox save your username/password. Then when it doesn't auto fill-in, you know something is up.

Safari is better for this strategy since it uses the secure key chain and not the - last time I checked - weak obfuscation that Firefox uses.

Re:Maybe Apple should... (3)

Jeremiah Cornelius (137) | more than 6 years ago | (#22630288)

The day I let a browser/OS save credentials to my critical, financial account information is the day Tom Cruise goes straight.

I spent five years doing pen/VA for banks and insurance companies. I take none of this crap for granted.

Physical security of your laptop becomes far too high a risk.

"Keychain" is for .Mac, not Lloyd's.

Re:Maybe Apple should... (4, Interesting)

misleb (129952) | more than 6 years ago | (#22630284)

I have replaced Safari with FireFox on every friend and family mac I get my hands on. Re-theme it, copy and paste the icon resource, and they don't notice the change!


And with Firefox 3, you don't even need a theme. They look very similar now. Firefox 3 even seems to use the Aqua style widgets.

-matthew

Re:Maybe Apple should... (2, Insightful)

catwh0re (540371) | more than 6 years ago | (#22630328)

While I agree that anti-phishing features would be a plus for Safari (go download an extension like you do for any other browser), I think the problem should be addressed on the Paypal end. After all, their website, links to ebay and methods are severely lacking as it is - even when you aren't diverted to a phishing scam there are a whole list of reasons not to use paypal.

Re:Maybe Apple should... (2, Funny)

Breakfast Pants (323698) | more than 6 years ago | (#22629622)

Paypal will have to tell phishing sites to copy this Safari warning as well, which I'm sure they will be happy to do.

Re:Maybe Apple should... (1)

Anonymous Coward | more than 6 years ago | (#22629686)

Better yet, maybe Apple and give up on Safari already and start distributing the OS with Firefox instead.

Re:Maybe Apple should... (0)

Anonymous Coward | more than 6 years ago | (#22629718)

Just testing. email me at jon_flamesfan@hotmail.com

Oh, stop whining. (5, Insightful)

Whiney Mac Fanboy (963289) | more than 6 years ago | (#22629852)

All Paypal did was have a faq [paypal.com] containing a list of anti-phishing features & browsers that support those features.

They don't recommend against Safari, they just recommend browsers that support anti-phishing features.

No doubt when Apple gets around to adding these features (pity Safari's not OSS, or it could be added easily by third parties), PayPal will add them to the list.

Re:Oh, stop whining. (1)

Osty (16825) | more than 6 years ago | (#22630210)

pity Safari's not OSS, or it could be added easily by third parties

What does that have to do with being OSS or not? Safari has an extension model just like IE, and neither are open source. Prior to IE7, several third-party extensions added anti-phishing support for IE (MSN, Google, etc), and as far as I can tell there's nothing in Safari's extension model that would prevent others from doing the same there as well. OSS vs. non-OSS doesn't even come into play here.

Re:Oh, stop whining. (1)

Whiney Mac Fanboy (963289) | more than 6 years ago | (#22630278)

What does that have to do with being OSS or not?

I'm afraid that it is an OSS issue. You see, anti-phishing functionality appeared (briefly) in Safari 3.0 betas. If Safari was OSS, you could just use that code rather than writing a completely new extension.

Re:Oh, stop whining. (1)

rubah (1197475) | more than 6 years ago | (#22630330)

pity Safari's not OSS
But Webkit [webkit.org] is.

Re:Maybe Apple should... (1, Insightful)

er3s (222316) | more than 6 years ago | (#22630104)

Lol,

It's not fair to single out Safari, why not? Apple singles out Microsoft whenever they get the chance. It sucks when your flaws are in the spotlight eh? Suck it up buttercup. Maybe if Steve spent less time pulling devs from other teams to work on the iPhone, Safari might have a phishing filter. The iPhone, still not 3G and it's almost 2 years, nor a Canadian version, tsk tsk. Man, I guess you needed those 18 bucks a month from AT&T customers to make up for all that R&D.

scapegoat (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22629566)

An author from Ars Technica reveals that he has been using Camino and has fallen victim to a Paypal related phishing scam via e-mail so this story must hit home for him.

Yes, blame the browser. It's certainly not because he's an idiot.

This has huge ramifications (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#22629578)

Safari could lose one of its two users. Opera may have a chance to double its user share, though.

In other news... (1, Informative)

ninjapiratemonkey (968710) | more than 6 years ago | (#22629586)

Microsoft advises Windows users to stop using internet explorer, due to lack of security.

Re:In other news... (1)

calebt3 (1098475) | more than 6 years ago | (#22629676)

More like eBay advising Windows users to stop using IE. Paypal doesn't develop Safari.

Re:In other news... (0)

Anonymous Coward | more than 6 years ago | (#22629678)

Microsoft advises Windows users to stop using internet explorer, due to lack of security.


I know you are trying to be funny, but have you looked into security advisories on IE7 in protected mode (Vista)? I'll give it some more time, but they are getting close to making you eat that joke. Which is good, isn't it?

Re:In other news... (1, Funny)

Anonymous Coward | more than 6 years ago | (#22629792)

Like they say: 7th time's a charm.

Re:In other news... (1)

EvanED (569694) | more than 6 years ago | (#22630148)

I was going to post "wait, IE existed before version 4?", but then I realized that I'm pretty sure I've used IE 2.

Damn you for making me dredge up that painful, painful memory.

(Also, you're forgetting that there was also IE 5.5 in there at least, and according to Wikipedia, 4.5. So more like... 9th try is the charm. Which hey, has three as a factor.)

Re:In other news... (4, Funny)

PPH (736903) | more than 6 years ago | (#22629878)

IE is perfectly secure .... as long as you stay off the Internet.

In related news (-1, Troll)

DA_MAN_DA_MYTH (182037) | more than 6 years ago | (#22629592)

Apple advises Mac users to stop using PayPal.

IE (2, Insightful)

webmaster404 (1148909) | more than 6 years ago | (#22629596)

So wait.... you shouldn't use a (decently) secure browser such as Safari that is partly open-source, while you should use a browser that is fully proprietary (though with anti-phishing) and has a track record of being insecure? Not to mention how easy it is to keylog most Windows systems have already? Honestly, I think that making sure your browser is secure is much more important than making sure your info isn't going to an incorrect site.

Re:IE (2, Insightful)

Loconut1389 (455297) | more than 6 years ago | (#22629614)

Good point- the types of people who would install/use another browser, probably already do check.

Re:IE (2, Insightful)

teh moges (875080) | more than 6 years ago | (#22629808)

This used to be a valid point, but Safari ships with OSX and a lot of users get Firefox installed by their tech-savvy friends. Still, there is a very simple way of getting around these problems:
1) No financial institution should ever ask for your email address. Ever. Not as a required field, not as an optional field. The person signing up should be informed that they are deliberately not being asked for this information either.
2) The exception to this: Reminders. These are set up WHILE logged in to the site, and the email address is stored in relation to the reminder, not the account profile (so it will be indirectly linked, but a helpdesk person won't see it when troubleshooting account information).
3) All reminder emails are plain text only, with a clear message informing the user not to trust this email or any other email and to log in to the website by typing the address into a browser only.

Like was said above, people don't need to be stupid, they just need to be out of their expertise. I'm not a security expert, but through my knowledge of computers, I know when I get sent a phishing email, I know how to surf safely. You can't expect everyone to be the same though. This is just a case of needing to inform the users, and to keep reminding them.
* The method shown above is not foolproof, in the case of DNS attacks, or websites with similar names (user types in address, typos, and is sent to another site).

That's about the size of it. (1)

gnutoo (1154137) | more than 6 years ago | (#22629680)

The Yahoo article has more information and reasoning. I link to it, quote it and give an alternate explanation here [slashdot.org] . Basically, Paypal is losing customers of all browsers but least of all from IE7 users. I think this is because IE7 users are sheep not people sharp enough to have noticed a new tool.

Re:That's about the size of it. (0)

Anonymous Coward | more than 6 years ago | (#22630042)

You're a new tool.

Uhm, no (2, Interesting)

Bryansix (761547) | more than 6 years ago | (#22630194)

Honestly, I think that making sure your browser is secure is much more important than making sure your info isn't going to an incorrect site.
This is most assuredly wrong. You see, the browser can be completely secure and if you are logging into a fake website your login will be stolen and your bank account emptied. Note that there are TWO ways to deal with this. One is anti-phishing features in browsers and the other is a stronger login mechanism like the one ING uses. ING just recently had the lowest reported incidence of ID theft of all the banks with an online presence with Bank of America being worst. The reason is that ING allows the users to KNOW that they are on the correct website through the use of a custom image of their choice. In addition the PIN keypad is randomized to prevent keyloggers from working. Paypal should implement THESE features.

not hover checking urls? (0)

Anonymous Coward | more than 6 years ago | (#22629604)

boo.hoo.

jon_flamesfan@hotmailcom (0)

Anonymous Coward | more than 6 years ago | (#22629606)

Hello. Just testing. email me. jon_flamesfan@hotmail.com

OpenDNS to the rescue (5, Informative)

bstadil (7110) | more than 6 years ago | (#22629608)

Just change your DNS to OpenDNS [opendns.com] and you are covered. OpenDNS monitors phishing sites and will not let you resolve to it. You don't need to sign up, just use their nameservers at 208.67.222.222 and 208.67.220.220. It's free. If you sign up you get some additional cool features like blocking selected domain types, like Pron if that's not your thing.

Re:OpenDNS to the rescue (1)

Aegis Runestone (1248876) | more than 6 years ago | (#22629862)

Thanks for the link. This might be useful for me, and other people. :)

Re:OpenDNS to the rescue (4, Insightful)

karmatic (776420) | more than 6 years ago | (#22629864)

OpenDNS monitors phishing sites and will not let you resolve to it.
That's assuming, of course, that it's using a unique DNS name. For pages hosted on SourceForge, Geocities, etc. it won't do anything at all, and may provide a false sense of security.

Furthermore, it's really easy to create phishing pages that will only show their contents to humans, and not spiders.

Re:OpenDNS to the rescue (1, Informative)

Anonymous Coward | more than 6 years ago | (#22630130)

It's free. If you sign up you get some additional cool features like blocking selected domain types Like Pron if that's not your thing.

oh, and you also get some other cool features, like having any email, ssh, IM, or well, all, of your network connections go to OpenDNS servers when connecting to broken, mistyped, or if-they-just-feel-like-it, domains.

Re:OpenDNS to the rescue (5, Funny)

fm6 (162816) | more than 6 years ago | (#22630156)

OpenDNS monitors phishing sites and will not let you resolve to it.
OpenDNS monitors known phishing sites. Phishers really should update the database when they start a new site, but for some strange reason, they rarely bother.

What nonsense. (5, Informative)

gnutoo (1154137) | more than 6 years ago | (#22629610)

IE over Safari? Really? I can understand wanting a good free browser like Firefox on OSX but IE? Do they even have IE 7 for OSX yet? The article Ars points to [yahoo.com] says that this is driven by IE7 users not quitting PayPal. The phishing stuff is pure speculation and not even Microsoft thinks IE7 phishing protection is effective:

Last year, researchers at Microsoft and Stanford University published a study showing that, without training, people were unlikely to notice the green address-bar notification provided by EV certificates.

Barrett says data compiled on PayPal's Web site show that the EV certificates are having an effect. He says IE 7 users are more likely to sign on to PayPal's Web site than users who don't have EV certificate technology, presumably because they're confident that they're visiting a legitimate site.

Over the past few months, IE 7 users have been less likely to drop out and abandon the process of signing on to PayPal, he said. "It's a several percentage-point drop in abandonment rates," he said. "That number is... measurably lower for IE 7 users."

Rather than perceived security, I think the reason they see more IE7 users still logging in is because IE7 users are the kind of sheep that move along when prodded. They are using Windows, right? Like sheep to the slaughter, every day.

I've got a paypal account. I don't use it much because I don't use Ebay much. I would never use an emailed link to visit the site because it's just as easy to find the right page through Paypal itself. If they make it hard, they don't deserve my business.

Re:What nonsense. (2, Informative)

Knara (9377) | more than 6 years ago | (#22629664)

AFAIK there will never be an IE7 for OS X

Re:What nonsense. (1)

VirusEqualsVeryYes (981719) | more than 6 years ago | (#22629702)

Do they even have IE 7 for OSX yet?
Barring a freak reversal of market share, nothing beyond IE 5.5 will ever be released for Macs.

Yahoo article from Infoworld vanished. (1)

gnutoo (1154137) | more than 6 years ago | (#22629816)

Infoworld still has the original article [infoworld.com] , but I can understand wanting to pull a story like that.

Now it's back. (1)

gnutoo (1154137) | more than 6 years ago | (#22629850)

Has Yahoo moved to Server 2007 or something? Weird.

Re:What nonsense. (1)

Gerhardius (446265) | more than 6 years ago | (#22629934)

Insightful comments, especially the sheep one. I have met more sheep in the IT field than anywhere except anyone involved with supply in the Army. Just like the sheep who pay sticker price; the sheep who buy "this season's" fashions; the sheep who grovel at the feet of MS, Google or Apple; the sheep who bleat about paying for anything; the sheep who think some flavor of *nix will save the world; folks who imbue anything with the prefix "i" as being a product of genius. The world is full of them.

Re:What nonsense. (0)

Anonymous Coward | more than 6 years ago | (#22630056)

Rather than perceived security, I think the reason they see more IE7 users still logging in is because IE7 users are the kind of sheep that move along when prodded. They are using Windows, right? Like sheep to the slaughter, every day.
You're on slashdot, panning MS in a thread that has nothing to do with MS, because someone pointed out that an Apple product is missing a security feature. You, sir, are a sheep.

here phishie phishie (3, Insightful)

themushroom (197365) | more than 6 years ago | (#22629612)

Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve. The best protection mechanism in any browser against phishing is your eyes, looking at the address bar.

snark: And Safari users are advised to stop using PayPal.

Re:here phishie phishie (4, Insightful)

Niten (201835) | more than 6 years ago | (#22629802)

Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.

I'm all for exercising personal responsibility, but I'd never argue that anybody 'deserves' to fall victim to a phishing scam.

The fact of the matter is that there are some people (my grandparents, for example) who like to use the Web, but who are perhaps just a little bit senile and might one day fall for this sort of thing. If even an Ars Technica writer can fall for it, how can we expect an 80+ year-old to constantly exercise due vigilance?

I'm actually quite OK with this PayPal advisory: the kind of people who will act upon it -- computing amateurs, basically -- probably should be using a browser that raises a big fat red flag when it hits a known scam site, and I'd recommend that such people use Firefox, Opera, or even IE 7 rather than Safari. The rest of us, those who are clueful enough to know how to protect themselves, aren't really the ones that PayPal is addressing here.

Re:here phishie phishie (1, Insightful)

VirusEqualsVeryYes (981719) | more than 6 years ago | (#22629846)

Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.
You're an ass.

If you are not in the habit of checking all open ports and immediately downloading updates, would you deserve the theft of your ID private information and loss of data that could ensue?

If you are in the habit of leaving your doors unlocked, would you deserve the devastating destruction and theft that could ensue?

If you are in the habit of not getting your brakes checked, would you deserve the highway pileup that could ensue?

If you are not in the habit of meticulously checking your condoms for poked holes, would you deserve the unwanted baby and life-ruining court battles that could ensue?

As they say, the loudest critics are usually the worst offenders. I'm sure a few scenarios could knock some perspective into your thick skull.

Re:here phishie phishie (1)

dutin (890499) | more than 6 years ago | (#22630168)

The only items you've pointed out that are unrealistic are the condoms and port checking analogies. The rest are what you get when you're an ass. If you leave your keys in the car and it gets stolen in most states, YOU get a ticket as well as the person who is arrested for auto theft. If you're a moron, you get what you deserve. It's not hard to lock your house or car, get regular maintenance on your car, or not click links in email you didn't know you were getting.

Re:here phishie phishie (0)

Anonymous Coward | more than 6 years ago | (#22630338)

If you are not in the habit of checking all open ports and immediately downloading updates, would you deserve the theft of your ID private information and loss of data that could ensue?
Yep.

If you are in the habit of leaving your doors unlocked, would you deserve the devastating destruction and theft that could ensue?
You bet.

If you are in the habit of not getting your brakes checked, would you deserve the highway pileup that could ensue?
You better believe it.

If you are not in the habit of meticulously checking your condoms for poked holes, would you deserve the unwanted baby and life-ruining court battles that could ensue?
Um, what? How about "if you're in the habit of having sex so much with crappy condoms, do you deserve the baby that's the logical result of having sex?" The answer, of course, is yes.

Of course, no one gives a shit about being responsible anymore, it's always someone else's fault, isn't it? Get over it. If you get phished, it's your own fucking fault.

Re:here phishie phishie (2, Interesting)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#22629976)

Look, if you're not checking what's in the URL of your browser, or are in the habit of clicking on links in email blindly, you get the phishing you deserve.

On this I must disagree. Right now the best solution probably is double checking URLs, but that is realistically not a good solution for the majority of people. Apple (and every other browser developer) should be working on a URL whitelist/greylist/blacklist detection and warning technology. I'm not sure, however, that they should rush to deploy such technology. It might be better to wait until it is reliable enough to provide real benefit without providing a false sense of security. Right now IE has such a technology, but reviews show it to be of little practical use. I know Apple is working on such technology and depending upon how effective it seems to be, it might be best that they have not rolled it out for Safari yet. I do think there's a real demand for this type of technology and developers should be trying to fill that need.

snark: And Safari users are advised to stop using PayPal.

Well... I might say all security minded users might be well advised to stop using Paypal. We have Google Checkout now; who would want to use Paypal?

Re:here phishie phishie (1)

Sir_Lewk (967686) | more than 6 years ago | (#22630306)

Why is double checking the URL not a good solution for most people? Are they blind? If they cannot perform such a simple operation then they should not be using the internet. If you want a car analogy, "If I can't be relied on to observe traffic around me while driving, then I should not be driving, regardless of how necessary society says driving is."

Re:here phishie phishie (1)

sabernet (751826) | more than 6 years ago | (#22630322)

I remember a well publicized phishing site with the name paypa1.com

Yes, that last letter was the numeral 1. Pretty hard to tell, huh? Especially if the font wasn't serifed.

How about those sites which used the multilingual capabilities of certain browsers like Firefox to list non-anglo-roman characters into the address bar which looked similar or identical to the literal versions of those letters?

The fact is, the phishers are crafty, generally more crafty than your Average Joe when it comes to internet trickery.
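The two tricks described in the comment above (a digit standing in for a letter, and non-Latin characters that render like Latin ones) can be caught mechanically. The following is an added example, not part of the original comment; the allow-list, the look-alike tables and the sample hosts are constructed for illustration and are far from exhaustive.

```python
import unicodedata

TRUSTED = ("paypal.com", "ebay.com")  # constructed allow-list for this example

# Constructed, non-exhaustive tables of characters that imitate Latin letters.
DIGIT_TWINS = {"1": "l", "0": "o", "5": "s"}
NON_LATIN_TWINS = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek omicron
}


def to_unicode(host):
    """Lower-case a host name and decode any xn-- (punycode) labels."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not decodable: keep as given


def scripts(text):
    """Scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def skeleton(text):
    """Fold look-alike characters onto the Latin letter they imitate."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(NON_LATIN_TWINS.get(ch, DIGIT_TWINS.get(ch, ch))
                   for ch in text)


def classify(host):
    """Return (verdict, trusted_domain_or_None) for one host name."""
    name = to_unicode(host)
    for good in TRUSTED:
        if name == good or name.endswith("." + good):
            return ("trusted", good)
    labels = name.split(".")
    registrable = ".".join(labels[-2:])  # simplification: no public-suffix list
    for good in TRUSTED:
        if skeleton(registrable) == good:
            kind = "script" if scripts(registrable) - {"LATIN"} else "ascii"
            return ("lookalike-" + kind, good)
        if any(skeleton(label) == good.split(".")[0] for label in labels):
            return ("embedded-brand", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hosts; the third uses a Cyrillic "a".
    for h in ("www.paypal.com", "paypa1.com", "p\u0430ypal.com",
              "paypal.com.login.example", "slashdot.org"):
        print(ascii(h), classify(h))
```

A host that folds to a trusted name without being that name is the signal; the "embedded-brand" verdict additionally covers a trusted name used as a label of some other domain.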

Oh boy (-1, Flamebait)

pembo13 (770295) | more than 6 years ago | (#22629630)

The Apple fan boys aren't going to like this story.

Re:Oh boy (0)

Anonymous Coward | more than 6 years ago | (#22629784)

The Apple fan boys aren't going to like this story.
Nope. Didn't take long for several posts to start calling IE7 users sheep. So ironic that it is funny as hell.

Re:Oh boy (1)

Gewalt (1200451) | more than 6 years ago | (#22630146)

Actually, we love this kind of stuff.

All Apple users are fan boys (0)

Bryansix (761547) | more than 6 years ago | (#22630298)

This is proved by the fact that the OP got his post modded flamebait. This fact is in direct conflict with Windows users who also hate Microsoft just as much but realize that the software is always written for the OS with the market share and so use it in spite of their hatred.

Phishing protection? Really? (4, Insightful)

SanityInAnarchy (655584) | more than 6 years ago | (#22629634)

The kinds of people who fall for phishing scams aren't likely to pay attention to what PayPal advises them to do.

So why not cut the middleman and just advise them to not fall for phishing scams -- that is, to always verify https://www.paypal.com/ [paypal.com] in the URL?

Re:Phishing protection? Really? (5, Funny)

Mesa MIke (1193721) | more than 6 years ago | (#22629826)

DON'T CLICK ON THAT LINK!

It might be a phishing scam!

Maybe in Safari 3.1? (1)

Christopher Rogers (873720) | more than 6 years ago | (#22629646)

Apparently Safari 3 was supposed to have anti-phishing technology when it was released alongside Leopard but it got cut. Perhaps this will push Apple to complete it for the next (hopefully soon) release of Safari.

How good Ars Technica writers at tech and reviews (1, Troll)

Blahbooboo3 (874492) | more than 6 years ago | (#22629652)

Ars technica just dropped in my book. The writer couldn't pay enough attention to avoid a phishing scam?? Wonder how much attention he gives to his reviews and news items...

Re:How good Ars Technica writers at tech and revie (5, Insightful)

Niten (201835) | more than 6 years ago | (#22629860)

I'm very happy for you, that you've never made a single careless mistake in your life. However, please do try to have a little mercy on those of us who are merely human, especially when we're honest enough to admit it.

Re:How good Ars Technica writers at tech and revie (2, Insightful)

Dachannien (617929) | more than 6 years ago | (#22629988)

Step 1: Assume that any e-mail you get is a phishing attempt.
Step 2: There's no step 2. There's no step 2!

It's not exactly rocket science.

Re:How good Ars Technica writers at tech and revie (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22630166)

Ars technica just dropped in my book. The writer couldn't pay enough attention to avoid a phishing scam?? Wonder how much attention he gives to his reviews and news items...

He said it was late and he was tired. However, he also said this,

At least I was lucky enough to realize I screwed up and was able to change my login information on that, and other sites, right away.
Which seems to mean he was using the same password on multiple sites. This is a very bad idea, especially when one of the sites involves money.

Every browser has and anti-phishing mechanism (4, Interesting)

edalytical (671270) | more than 6 years ago | (#22629666)

It's called the address bar. It's very easy to use, just type where you want to go and press return. Before entering sensitive information into a browser window check the address bar and make sure you are where you think you are. I know your mom and my mom might not fully understand the address bar, but I think it would be easier for them to learn about it than installing a new browser.

Re:Every browser has and anti-phishing mechanism (1)

Drogo007 (923906) | more than 6 years ago | (#22629884)

And just hope and pray that http://en.wikipedia.org/wiki/DNS_cache_poisoning [wikipedia.org] hasn't happened, or your simple little fix is worthless

Re:Every browser has and anti-phishing mechanism (1)

edalytical (671270) | more than 6 years ago | (#22629998)

That is beyond simple phishing...I'm not an expert, but I think it's called pharming...it's also less inconspicuous to law enforcement and technically more difficult.

Re:Every browser has and anti-phishing mechanism (3, Insightful)

mikael_j (106439) | more than 6 years ago | (#22630036)

But DNS cache poisoning isn't really a browser issue, is it? (although I suppose a browser exploit could be used to pollute the local DNS cache on a user's machine)

/Mikael

Re:Every browser has and anti-phishing mechanism (1)

CannonballHead (842625) | more than 6 years ago | (#22630172)

Of course, in the case of a really neat phishing where the address is really close, this may not work all the time. Do you actually check every link you follow to make sure it's correct? maybe, say, if it was e-mailed from a personal friend or something?

I'm sure a lot of doctors would say that if people just washed their hands more, you wouldn't get as sick... but if you DO get sick, they don't just tell you "Pft, too bad, you should have washed your hands. Next."

Besides... if it's possible for a browser to be *gasp* more secure than it is now, at no "freedom" loss, shouldn't we be all for it? May as well start arguing that Linux is worse than Windows because Linux is TOO secure and encourages carelessness in users' activity. You really should have to check all your ports, they should all default to open so you can get into the habit of checking what ports are open... or something. :)

I hate to say it. (1)

Higaran (835598) | more than 6 years ago | (#22629700)

But I really hate the mac commercials where they talk all that crap. "I guess that macs aren't way more secure than PCs." But then again it's all about how stupid the user is, it doesn't have that much to do with the system at all.

Re:I hate to say it. (0)

Anonymous Coward | more than 6 years ago | (#22629872)

Safari isn't any more insecure than IE because it doesn't highlight the url field green when matching against the EV cert. EV certs are a scam anyway, you're already paying $200-$300 a year for an SSL cert and now they want you to pay $500+ for another cert. The companies that can truly benefit from them are priced out anyway...

The problem isn't that Macs are less secure than Windows. The problem is the stupid windows users going to the Mac side because they don't understand the technology that they use daily. Would you hand someone a chainsaw without them ever using one? Probably not. Why shouldn't people understand that before you enter information, check to make sure you know who you're giving it to. Are these the same people who give their SSN out to random callers on the telephone?

You can't efficiently program away stupidity, just like you can't legislate security.

Re:I hate to say it. (1)

Gerhardius (446265) | more than 6 years ago | (#22630012)

Hilarious fanboy logic: Windows users going to Macs are at fault...right.

i've gotten those scam e-mails before... (2, Interesting)

kesuki (321456) | more than 6 years ago | (#22629744)

http://www.fightidentitytheft.com/paypal_scam.html [fightidentitytheft.com]

mine was similar, only it claimed they were doing a fraud investigation about fraudulent use to my account.

they use the images and everything it looks exactly like a paypal e-mail, only the hyperlink when you hover over it says a different website than in the email message. (they're doing a simple html trick, which is always the first thing i look for)

I've seen them do the same thing with say, yahoo mail login sites, etc. one of my less savvy friends got her IM name stolen for use sending IM spam.

safari is bass acwards to not show the real url on a tool bar! i couldn't live a day without that feature.
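The mismatch described in the comment above, where the link's visible text names one site and its `href` points at another, can be checked for in an HTML e-mail body before anyone hovers over anything. This is an added example, not part of the original comment; the sample message and the `account-check.example` host are constructed, and the host-in-text pattern is a heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic: something in the visible text that looks like a host name.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkAuditor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            # An image used as the link body: its alt text is what is "shown".
            self._text.append(dict(attrs).get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def bare_host(host):
    """Lower-case a host and drop a leading 'www.' for comparison."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return (shown_host, real_host) for links whose text names another site."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for href, text in auditor.links:
        real = bare_host(urlsplit(href).hostname or "")
        shown_match = HOST_IN_TEXT.search(text)
        if not real or not shown_match:
            continue  # no usable target, or the text does not name a host
        shown = bare_host(shown_match.group(1))
        if real != shown and not real.endswith("." + shown):
            findings.append((shown, real))
    return findings


# Constructed sample message body (not a real e-mail).
SAMPLE_EMAIL = """
<p>We are investigating fraudulent use of your account.</p>
<p><a href="http://account-check.example/login">https://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="https://www.paypal.com/help">PayPal Help</a></p>
<p><a href="https://history.paypal.com/">www.paypal.com</a></p>
"""

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE_EMAIL))
```

Links whose text carries no host name at all ("PayPal Help") are not flagged by this check; only the displayed-URL-versus-target disagreement is.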

Re:i've gotten those scam e-mails before... (1)

aesiamun (862627) | more than 6 years ago | (#22629922)

I'm confused, Safari does show the REAL url on the toolbar.

Maybe you're the confused one.

Re:i've gotten those scam e-mails before... (3, Insightful)

Gewalt (1200451) | more than 6 years ago | (#22630184)

You mean the status bar, and safari hides that by default because it can be erroneously updated with javascript. In other words, if you're relying on the status bar, you're your own worst enemy.

Re:i've gotten those scam e-mails before... (1)

kesuki (321456) | more than 6 years ago | (#22630228)

ahh well, i also have a firewall that blocks all the baddies, i didn't say i relied on it, i said i couldn't live without it. people on slashdot often times have very long urls that hide say goatse links. and last i checked, yahoo mail doesn't run javascript. they also (optionally) block the loading of say 1x1 pixels in e-mails, or all loading of pictures from urls etc.

Browsers cannot help (2, Insightful)

wardk (3037) | more than 6 years ago | (#22629748)

those too ignorant to leave URLs in emails ALONE

the headline could have also just said "Paypal tells idiots to stop clicking on paypal emails"

but that would potentially stop the 1 in 1000000 clicks that are legit and paypal would not want that transaction to not happen, so its message to us is to stop using Safari.

isn't anything going on worth reporting? this is filler...

They've had it too good for too long... (5, Funny)

SterlingSylver (1122973) | more than 6 years ago | (#22629796)

Well, if there's a group of users that has been told repeatedly that their computer is safe from viruses, that it "just works," and that they don't need to be concerned with computer threats of any kind...it's Apple users. Sitting in their offices, wearing their turtlenecks and sipping their lattes, the only thing about phishing they've heard about is that it happens to other people. Uglier people. They're not used to having to defend themselves, not like Windows users. Windows users have a battle-scarred paranoia...they've seen worms that can rewrite their BIOS, steal their credit cards, and kidnap their firstborn. Their 50 yard stares have been earned by fixing their mom's computer for the eighth time this month, and damnit if they're going to lose another computer to some Ethiopian scammer...not after the last time. Their nightmares are the stuff of Stephen King novels, the earlier stuff with Lovecraftian clowns and superplagues that are the start of apocalyptic battles between good and evil. Their best days on the internet involve life and death struggles against the next pop-up, because it might be their last. Ironically, Mac users have never had to live with the terror that clicking on that "win a free iPod" might just cause their computer to explode, spamming their grandmother with anal tranny porn on its way out. Maybe it's time they should... ...wait, what the hell was I talking about?

don't blam Safari (1)

twotailakitsune (1229480) | more than 6 years ago | (#22629828)

PEBKAC.
Yes Safari could do better, but lightning does not strike twice. Apple did good by going to OS10, but don't think they will do a lot more.

The user has to tell the difference between bad sites and the real site.

If a girl called you saying they are from your bank asking for the numbers on your Bank card would you give it to her? ... okay, let's try it this way. Would a person with an IQ above room temp; in Celsius? ... Is there anyone who would not fall for that?

Re:don't blam Safari (1)

dgatwood (11270) | more than 6 years ago | (#22630308)

If a girl called you saying they are from your bank asking for the numbers on your Bank card would you give it to her?

I think I speak for almost all of Slashdot when I say, "Is she cute?"

Use IE? One problem... (4, Insightful)

Myrkridian42 (840659) | more than 6 years ago | (#22629906)

There is *NO* Internet Explorer for Mac!

Microsoft stopped making (and supporting) IE for Mac in 2003. See for yourself [wikipedia.org].

Link? (1)

tehniobium (1042240) | more than 6 years ago | (#22629912)

I can't seem to find this "advice" anywhere on their page...(using safari (win) of course)

Anyone care to lend a link?

clicking links in email = bad (1)

MoFoQ (584566) | more than 6 years ago | (#22629942)

ummm...doesn't paypal's parent company eBay advise users not to click on links in email? And that they should manually type in the address (www.ebay.com) then go about their business? (eBay's security tip about email [ebay.com] )

Legalize marijuana 2008 - here's how! (0)

Anonymous Coward | more than 6 years ago | (#22630014)

On January 24th, the California Supreme Court ruled that employers can fire workers who use medical marijuana even if it was legally recommended by a doctor.

  We knew this was going to happen because Oregon did the same thing right at the time we were finishing up the wording for the California Cannabis Hemp & Health Initiative 2008 (CCHHI). We addressed this problem in our initiative under section 5(b). Here is the wording we have included: ..
5(b): "Testing for inactive and/or inert residual cannabis metabolites shall not be required for employment or insurance, nor be considered in determining employment, other impairment, or intoxication." ..
Now all we have to do is get this initiative on the ballot to fix this problem. We need everyone's help with this. Please visit http://www.calhemp08.org/ [calhemp08.org] for more information on how you can help.
The only way to reverse the Greenhouse Effect is with Cannabis Hemp. It makes the best fuel on Earth, as well as the best paper, fiber, food and medicines. Californians are smart to use this wonderful plant and should not be threatened with losing their jobs for it.

The average lifespan in the United States is 76 for a man and 78 for a woman. But if you smoke pot morning, noon and night, you will live an average of two years longer than if you don't. People who smoke pot but don't smoke cigarettes or drink alcohol will live approximately 8 to 24 years longer than those who do smoke cigarettes and drink alcohol. This was proven in studies done by Dr. Vera Ruben on Rastafarians in Jamaica from 1968 to 1974. The Rastafarians lived up in the hills and were the poorest people in Jamaica. Everyone expected them to have the shortest lives but instead they had the longest lives. They smoked pot morning, noon and night. This study cost $6,000,000.00 and was an extremely comprehensive study. If the same study was done today it would cost approximately $125,000,000.00.

We can do something about this if we have all of you helping us. We only have until the middle of April so let's get to work!!! Thanks!

Save the world for 24 bucks -
12 bucks if you don't have 24

If we legalize Cannabis Hemp in California this year, just imagine what life will be like a couple of years from now. Almost everything we use in our daily lives will be made from hemp.

  We won't have to feel guilty about going to places like McDonald's or Burger King anymore because the packaging will be made from hemp (not trees). You'll have your choice between a cow burger and a hemp burger. Cheese too. Hempseed is the finest food on the planet, bar none. It helps clean out your arteries. And it tastes great. It can be made to look and taste like just about anything you want it to. You can have hemp ice cream for dessert!

No more smelly exhaust fumes coming out of our cars. We'll be using the finest fuel in the world and we won't have to shoot anybody for it. The CO2 levels will be drastically reduced. The only way to reverse the Greenhouse Effect is by growing hemp all over the globe and leaving all trees and fossil fuels (gas, oil and coal) in the ground.

Our cars will be made of hemp too! Henry Ford built a car made of hemp right before World War II. He predicted that all cars in the future would be made from hemp or other plants. There's a little video on YouTube showing him hitting the back of the car with a sledgehammer to demonstrate how strong it is and how it wouldn't make a dent.

Our houses will be made almost completely from hemp. It is a non-toxic replacement for cement, lumber, sheetrock, plaster, insulation and acoustic tiles. Because of its strength and flexibility, it makes an ideal construction material for areas susceptible to earthquakes, tornadoes and hurricanes. It is non-flammable, fungicidal, antibacterial, waterproof and inedible by rodents and termites.

Just about everything inside our houses will be made from hemp, too, including carpets, drapes, furniture upholstery, paints, varnishes, shampoo, conditioner, soap, lotions and creams. Also, anything made out of plastic, including computers, speakers, DVD holders, window blinds, food packaging, etc.

All of our clothing can be made from 100% hemp or hemp blended with other fabrics like organic cotton or silk. You can even make fake fur out of hemp! And no pesticides are required to grow it, unlike non-organic cotton. Fifty percent of all poisons used for agricultural crops in the United States are used just on non-organic cotton.

We won't be killing ourselves with pharmaceuticals anymore. We'll be using natural cannabis for most of our ailments. It's the best thing for Alzheimer's, multiple sclerosis, migraines, ALS (Lou Gehrig's disease), Parkinson's, sickle cell anemia, attention deficit disorder, nausea, cancer, fibromyalgia and countless other problems.

Cannabis Hemp can cure Parvo in dogs, get song birds to sing, and is the best bait for fish. Horses love it, too.

Isn't it strange - doesn't it make you mad as hell - that the number one food of all time for most birds, fish, horses, humans, and life in general, is illegal to have naturally and healthfully in the United States of America, as ordered by the Nazi/Gestapo-like Amerikan Drug Enforcement Administration and, through them, the USDA?

Only California voters can vote for this initiative, but people all over the world can donate and help make it a reality. Let's show the government who's really in charge...WE THE PEOPLE! Please send this message to your friends all over the world. Tell them California needs your money now so we can get this on the ballot. We only have about 80 days left so please repost, repost, repost! And then follow up on it. I've never asked for money before but I'll be 69 years old this year and would like to see this done in my lifetime!

Fish all you want... (5, Informative)

cybereal (621599) | more than 6 years ago | (#22630026)

I bought the $5 keyfob for paypal and ebay, (plus it works on my verisign openid provider) and this phishing problem is no longer an issue for me.

They can get my paypal username and password, but they still need the electronic key that only *I* have. I suggest anyone who actually uses paypal get one of these, they are trivial to use and paypal is selling them incredibly cheaply.

Re:Fish all you want... (1)

aitala (111068) | more than 6 years ago | (#22630270)

I got one as well. I find it very useful for eBay and PayPal....

Eric

PayPal/eBay vying for Microsoft bid? (1)

catmistake (814204) | more than 6 years ago | (#22630092)

PayPal & eBay, with a one-two punch, get you coming and going. With all their delicious revenue, the best they can do to protect their users is to attempt to shuck the blame on the little guy. That is information technology genius. Forget spending thousands on security analysis... they keep your private info safe with a single finger.

Whew!! (1)

spungebob (239871) | more than 6 years ago | (#22630100)

For a minute there I thought this was about Safari [oreilly.com]

Nevermind...