PayPal threatens to cut off Safari

 

Gallery

Posted on 18 Apr 2008 at 11:28

PayPal is considering banning web browsers that don't provide anti-phishing protection, and that includes Safari.

The eBay-owned web payments service has published a white paper outlining changes proposals to tackle phishing, which not only exposes customers to the risk of fraud but is also an expensive problem for PayPal, as it fully reimburses users their accounts are accessed by a fraudster.

One of these proposals outlines methods for blocking phishing sites that users are typically directed to by a fraudulent email. Certain browsers, which PayPal refers to as "safe browsers" include technologies for identifying such sites, comparing them to centralised blacklists and, more recently, employing Extended Validation Certificates.

But Safari has neither and without being named in the white paper, falls squarely into PayPal's "unsafe browsers"category.

Michael Barrett, PayPal's chief information security officer, says that PayPal cannot continue to permit access to online payments using such browsers.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts,"he says in the document.

"We argue that it's critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers."

PayPal's plan is to begin warning users of "unsafe browsers"before blocking from accessing the site from the most unsafe, which it says will usually the oldest, little used browsers, such as early versions of Internet Explorer.

Apple has yet to comment and makes little mention of phishing on its website. The one support article concerning the problem details how to identify phishing emails, which are, after all, the root of the problem

Asa Dotzler, community coordinator for Firefox marketing projects, backs PayPal's approach.

"PayPal takes social engineered threats as seriously as encryption or code flaws. It has to,"he wrote in a blog post. "Phishing is so much easier to pull off than cracking a browser or an encrypted client server session. Even lowering their exposure to these kinds of attacks by a fraction of a percent is a huge win for them, both financially and strategically. I think that PayPal is absolutely right to let its users know how to do the most they can to stay safe and secure online."

PayPal's proposals are outlined in A Practical Approach
to Managing Phishing.

Author: Simon Aughton