[LINK] PayPal to Safari users: 'Ditch it'

Rick Welykochy rick at praxis.com.au
Wed Mar 5 04:52:24 AEDT 2008


Kim Holburn wrote:

> http://arstechnica.com/journals/apple.ars/2008/02/29/paypal-to-safari-users-ditch-it 
> 
> http://tinyurl.com/2fpohk
> 
>> PayPal to Safari users: 'Ditch it'
>>
>> By Jeff Smykil | Published: February 29, 2008 - 10:30AM CT
>>
>> While current browser share estimates for Apple's Safari web browser 
>> hover somewhere in the 4.5 percent range, Safari is attracting some 
>> unwanted attention from PayPal, the eBay-owned payment company. PayPal 
>> is urging its users to ditch Safari and instead use alternative 
>> browsers such as Internet Explorer 7, IE 8, Firefox 2, Firefox 3, or 
>> even Opera.

I am using Firefox 2. Their anti-phishing page is here:

http://www.mozilla.com/en-US/firefox/phishing-protection/

How does it work? By checking a blacklist of known phishing sites.
That is about as effective as the proposals to save Aussie Children
from the Internet. It simply does not work very well.

To give you a false sense of security, Firefox says that the
following URL is a phish. Try it yourself:

http://www.mozilla.com/firefox/its-a-trap.html

Similar can be said for Opera and MS IE:

<http://www.opera.com/pressreleases/en/2006/12/18/>
<http://www.microsoft.com/protect/products/yourself/phishingfilter.mspx>

In addition to blacklist testing, it appears that MS IE may
use some heuristics to detect a phishing site. Hmmm.

As an aside, does anyone else notice that the MS page above
never stops loading into your browser? Is this AJAX gone mad?


>> The reason for the warning is Safari's lack of anti-phishing 
>> technology. Currently the Apple browser does not alert users to sites 
>> that could be phishing for your info, and it lacks support for 
>> Extended Validation. PayPal is, of course, a popular site among 
>> phishers in their neverending search for personal information, user 
>> IDs, and passwords.

Get with the program, PayPal. The browser ain't gonna help you much.
What can help are the following:

1. Integrated email client: when displaying HTML email, it is quite
    simple for the client to compare the actual URL with the intended URL
    and make a reasonable guess that it is a phish. SeaMonkey does
    this quite well. Not foolproof, but then again, nothing protects
    fools from their foolishness.

2. PayPal itself could try out some form of identity protection as used by
    Yahoo.

    <https://protect.login.yahoo.com/>

    This is a simple scheme whereby you upload an image or specify a specific
    sign-on colour, which appears on the Yahoo login page. If the image or
    colour is not present, you are on a fake Yahoo login page.



cheers
rickw


-- 
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor

The purpose of censorware is not to Protect The Children, but to
get some people elected and keep other people employed.
      -- Daniel Rutter


