Paypal warns buyers to avoid Safari browser from Apple

[Erwin-Br]

Um, is it me or are the fanboys having double standards now? I mean, blaming Microsoft for being insecure and now it's suddenly not Safari's responsibility to protect us from phishers? Why would it be Microsoft's responsibility to protect users from viruses, Trojans and other malware, huh?

I'm a Safari user myself, and quite worried about this issue.

And what's got PayPal's service to do with it, for heavens sake?

--Erwin

 

[Phil A.]

Wirelessly posted (iPhone 16GB: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A102 Safari/419.3)

Whilst Safari should get up to date, the biggest problem with anti phishing tech is that unless it's 100% accurate it can do more harm than good: it can make users lazy in that if the browser says the site is OK then it must be.
In those circumstances, any failure to identify a site by the browser could be disastrous.

 

[kkat69]

Um, is it me or are the fanboys having double standards now? I mean, blaming Microsoft for being insecure and now it's suddenly not Safari's responsibility to protect us from phishers? Why would it be Microsoft's responsibility to protect users from viruses, Trojans and other malware, huh?

I'm a Safari user myself, and quite worried about this issue.

And what's got PayPal's service to do with it, for heavens sake?

--Erwin

As far as I'm concerned it's not Microsoft's responsibility to include virus software nor push it on anyone. Neither is it Apple's responsibility to include it. HOWEVER, it IS a selling point on Apples side that it's more secure and more immune (notice I didn't say 100% immune) than Windows due to it's architecture.

Microsoft does have a responsibility same does Apple to code it's kernel/base so that it IS secure. Heck, our government as well as other countries depend on this code being secure. However any virus's contracted aren't MS or AP's fault.

I'm trying to figure out who these fanboi's are that you mentioned. No one here sounded like a fanboi, or are you the fanboi trying to sound like your not.

Personally I'm not saying it's REQUIRED to be included, it IS however a selling point/feature. If Apple wanted more people to use Safari then maybe they need to add it. No one is forcing them to add it, there's no ISO that says all browsers should have it. Any yahoo with resonable programming skills can write a web browser but phishing code isn't a required item to get it working.

Personally I don't give a **radio edit** if they add it or not since I don't use it. But if they wanted more people to use their browser then they probably should add it. Again, it's a selling point.

And don't confuse the word "selling" in "selling point" as they're charging people for it, we all know Safari is free and "selling point" is just a phase similar to "consumer desired feature"

 

[gr8tfly]

If you receive an email that even looks suspicious, just hover (don't click) the mouse over the link and see if it's legit. If it's phishing, it will be obvious the URL doesn't go to Paypal (or eBay, or "your" bank, or.....).

Both Paypal & eBay constantly tell customers they do not send these types of emails.

I agree, something needs to be done about the problem, but no matter what's done in the browser, they won't be able to keep up with the different attempts. Even if they [Apple] implements some kind of filtering, it's not going to free me from my responsibility to check out an email before following its links.

 

[clevin]

it can make users lazy in that if the browser says the site is OK then it must be.

I dislike that logic, first and foremost, above mentioned effect really have not been proved by any study.

And where does "lazy" come from anyway? what do you think a normal users should do that is "not lazy" when surfing?

Also, every technology makes people lazier and lazier, and we all agree they are improvement. Driving car, taking flight, having vaccine, windows AV apps, etc, etc

I don't think other browsers would ALL have this, if there are more harm than benefit. It jut doesn't make sense.

 

[Phil A.]

Wirelessly posted (iPhone 16GB: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A102 Safari/419.3)

it can make users lazy in that if the browser says the site is OK then it must be.

I dislike that logic, first and foremost, above mentioned effect really have not been proved by any study.

And where does "lazy" come from anyway? what do you think a normal users should do that is "not lazy" when surfing?

Also, every technology makes people lazier and lazier, and we all agree they are improvement. Driving car, taking flight, having vaccine, windows AV apps, etc, etc

I don't think other browsers would ALL have this, if there are more harm than benefit. It jut doesn't make sense.

I wasn't saying apple shouldn't include it, just expressing caution over viewing it as a magic bullet. Even with anti phishing tech, users will have to exercise the same caution they should now to be safe, so how much real benefit does it bring?
If people become too reliant on Anti-Phishing tech (i.e. being lazy about exercising caution when browsing), then it could have a negative effect: having browsers that catch "most" phishing attacks may make the Internet safer, but not 100% safe, and if people think it does then they could be in trouble.

 

[ntrigue]

PayPal sucks horribly. The mere fact that money is held by PayPal is more of a threat to the money's safety than Safari could ever be.

Alternatives? I DO NOT see Google Checkout as much as I would like.

 

[LizKat]

Is it just me or is the grammar in that quoted bit absolutely atrocious? I mean, come on. I understand it's PayPal, but I don't think anything actually PUBLISHED would have sentences so unreadable. The misplaced commas alone are enough to drive a person insane!

Actually the quoted stuff is from an interview with Paypal's chief information security officer. It didn't read like quotes from any email they would send out, so I went to read the piece and discovered it's bits from an interview.

So now we know he's a geek and that he should have written his opinion on a piece of paper for Paypal's public communications office to clean up and issue as a PR.

The only thing I've received from Paypal in the past six months is a warning that credit card info I had once given them was now invalid and that I should get onto my account and fix it up sometime. I don't think that email even included any links. The info in their mail to me sounded right but I didn't go fix it up since I don't think I am going to use Paypal any more. Nor do I usually use Safari, except once in awhile when some site I just want to look at goes bonkers in Firefox.

I do like how the Safari in-page search works. But, I am leery of malicious scripting and so usually stick to Firefox with NoScript added on, to have a little more control over who gets to do what.

I would like to use virtual credit card numbers (throwaways) for transactions online, but the last time I checked, my card issuer still did not have that option for Macs... sigh....

 

[todd2000]

I was gonna post basically what gr8tfly said. I have said it before and I'll say it again. If you fall for a phishing email from PayPal, eBay, your Bank etc, then too bad. I don't mean to sound mean, but if your going to use these kind of site take a little time to educate your-self on how "phising" works. Take this email I got from eBay.

(click to enlarge)

It's obviously a scam

First, I wasn't selling a Panisonic TV on eBay, that should be the end of it right there, if you want more evidence, notice how I hover over the link, and it was going to "myuseridis.front.ru" Obviously NOT eBay. All you have to do is educate your-self a little. PayPal, eBay etc. have lots of info telling you how to avoid these scams. Why should it be Apple's responsibility to protect you from user stupidity? Once again Im not trying to sound mean, but use some common sense people.

 

[clevin]

I was gonna post basically what gr8tfly said. I have said it before and I'll say it again. If you fall for a phishing email from PayPal, eBay, your Bank etc, then too bad.

the realistic problem is, can you make this education to each one of the millions of safari users ?

its never a problem of what users should do. its always been a problem of how browser makers can help even if users are not prepared. which vast majority of them normally are.

you dont let ppl lose money just because they are not prepared enough, especially when you can actually help!

 

[dejo]

the realistic problem is, can you make this education to each one of the millions of safari users ?

It's not about one person educating millions of users. It's about millions of users educating themselves. If you choose to go online and sign up for things like eBay, PayPal, etc., it is also your responsibility to educate yourself as to the risks of such activities. Personal responsibility: where is it these days? I wouldn't be surprised if someday someone sues their browser manufacturer because it didn't protect them 100% from phishing and they lost money because of it.

 

[mac-er]

Not having anti-phishing as a reason for Paypal to not recommend Safari is pretty lame, and it makes me wonder what they actually know about the web.

Maybe if they would recommend that dumbasses not click on links in emails they receive from people they don't know....that might be a better idea.

Anti-phishing is a gimmick and EV is a gimmick.

 

[clevin]

I Personal responsibility: where is it these days?.

i have no problem with promoting personal responsibility.

but, we also need to face the reality. it is not there. not to mention phishing ID is not a simple. easy task for the masses.

its not up to one browser maker to regulate personal responsibility.

its a simple thing. apple tried with safari before. unsuccessfully. they can just try again, easily. if it helps one user from losing $100, thats good enough for me

 

[todd2000]

not to mention phishing ID is not a simple. easy task for the masses.

That's just the thing, it really is a simple easy task, if you know a few things to look for. It's really not all that complicated.

 

[clevin]

That's just the thing, it really is a simple easy task, if you know a few things to look for. It's really not all that complicated.

think about the zillions of page view everyday on internet, and think about the all kinds of billions of users, situations.

The "easy few things" might not be that easy for masses in every cases.

 

[dejo]

its a simple thing. apple tried with safari before. unsuccessfully. they can just try again, easily.

The "easy few things" might not be that easy for masses in every cases.

So, it's a simple thing for the browser but not for the masses?

The problem to me is that anti-phishing tech is just masking the symptom rather than trying to promote an end to the cause.

 

[clevin]

So, it's a simple thing for the browser but not for the masses?

The problem to me is that anti-phishing tech is just masking the symptom rather than trying to promote an end to the cause.

yes, its much easier for browser to get this feature than educating billions of users. Why do you think all other browsers have this?

promote an end to the cause? its technically correct, but anybody here really believe thats what apple is trying to do here?

 

[dejo]

promote an end to the cause? its technically correct, but anybody here really believe thats what apple is trying to do here?

I don't think Apple is trying or not trying anything here really. Why do you, clevin, think that Apple is leaving this out of Safari? I'm interested to hear your thoughts.

 

[phiberglass]

Yes, IE should definitely not be there.

I'm getting tired of Paypal.

 

[applebum]

Yeah, here is how hard it is to educate yourself or someone else to avoid phishing from PayPal:

This one is easy. We will never ask you for the following personal information in any PayPal email:
Your full name
Your password
Driver's license number
Social Security number
Credit and debit card numbers
Pin numbers or bank account numbers

Straight from their website under security and then the Phishing challenge. Most sites have something very similar to this. Educating someone is as easy as telling them that no legitimate bank, retailer, etc is going to ask for personal info in an email - ever.

 

[Rodimus Prime]

Yeah, here is how hard it is to educate yourself or someone else to avoid phishing from PayPal:


Straight from their website under security and then the Phishing challenge. Most sites have something very similar to this. Educating someone is as easy as telling them that no legitimate bank, retailer, etc is going to ask for personal info in an email - ever.

Not from the web site but another thing to add to your list.

When those companies do send you an legit emails if you noticed almost always they use your name and never your user name.

Like
Mr. John Smith,
Blah blah blah.


As for attack on safari. I personally thing Apple deserves this one. They are the only major browser who lacks the protection. This goes double for a company that claims to be a very secure OS and advertises as such all the time.

Apple general good at putting in idiot protection into there stuff. Just this time they lag pretty far behind on a very basic one. I do not think apple should be forgive on this one.

 

[clevin]

I don't think Apple is trying or not trying anything here really. Why do you, clevin, think that Apple is leaving this out of Safari? I'm interested to hear your thoughts.

My guess
1. apple does not want to cooperate with 3rd party security info providers such as VerySign, google etc. Maybe partly because the privacy concerns. But I think also partly because apple didn't want to be constrained by 3rd party in its own developing.

2. webkit project wants to keep webkit/safari as simple as possible. Which I applaud, however, there is ALWAYS a balance of light-weight and more functions, if recent webkit nightly can be as bloated as it is (60MB after decompression, bigger than any other browsers), I don't see why balance shouldn't be re-evaluated.

3. Webkit developers are extremely squeezed by apple to keep pace with apple's OSX developing schedule, that they have other priorities that need to be done first.

I think #3>#1>#2. I dont think webkit is on a healthy road as of now.

 

[Erwin-Br]

I was gonna post basically what gr8tfly said. I have said it before and I'll say it again. If you fall for a phishing email from PayPal, eBay, your Bank etc, then too bad. I don't mean to sound mean, but if your going to use these kind of site take a little time to educate your-self on how "phising" works. Take this email I got from eBay.

(click to enlarge)

It's obviously a scam

First, I wasn't selling a Panisonic TV on eBay, that should be the end of it right there, if you want more evidence, notice how I hover over the link, and it was going to "myuseridis.front.ru" Obviously NOT eBay. All you have to do is educate your-self a little. PayPal, eBay etc. have lots of info telling you how to avoid these scams. Why should it be Apple's responsibility to protect you from user stupidity? Once again Im not trying to sound mean, but use some common sense people.

The same could be said about obtaining a virus on a PC! Yet one of the major selling points of Apple is that it's safer than Windows! -- Safer my ass!

--Erwin

 

[::Lisa::]

The only list IE should be on is the "Do Not Use" list.

I agree with you there. But it has to be said there are sooo many Windows users out there that just don't know better and use it. My mother for one. I keep telling her but she's so computer illiterate she just doesn't get it. I know that she used to get these phishing emails too. She used to ask me what to do. I said ignore them. If you want to know if they're real, login on ebay.co.uk and check your messages on there. So easy, so simple. That goes with everything. eBay, PayPal, bank accounts etc.

PayPal sucks horribly. The mere fact that money is held by PayPal is more of a threat to the money's safety than Safari could ever be.

I agree with you there. That is the reason why I remove my money straight to my bank account as soon as I receive money. I'd close my PayPal account straight away if there was an alternative. Problem is if you don't accept PayPal on eBay nowadays it drives the end price down.

Agreed. I think, ultimately, it is the end user's responsibility. And if they are educated properly, they can be vigilant on their own, rather than rely on some tool that phishers will try to find a way around.

I agree 100%. It only takes 2 seconds to tell if the email is fake. You don't even have to send it to spoof@paypal/ebay.com to tell and wait 15 days for a reply. 2 seconds! If it were real it would state everything in the email. Actual account numbers, full names, ID's etc. Not the pathetic stuff it says and most of them spoof emails have terrible grammar too.

I was gonna post basically what gr8tfly said. I have said it before and I'll say it again. If you fall for a phishing email from PayPal, eBay, your Bank etc, then too bad. I don't mean to sound mean, but if your going to use these kind of site take a little time to educate your-self on how "phising" works. Take this email I got from eBay.

<img snip>
(click to enlarge)

It's obviously a scam

First, I wasn't selling a Panisonic TV on eBay, that should be the end of it right there, if you want more evidence, notice how I hover over the link, and it was going to "myuseridis.front.ru" Obviously NOT eBay. All you have to do is educate your-self a little. PayPal, eBay etc. have lots of info telling you how to avoid these scams. Why should it be Apple's responsibility to protect you from user stupidity? Once again Im not trying to sound mean, but use some common sense people.

I agree again. As I said above it takes 2 seconds to tell. And again as you stated. It's so easy. Yet so many people fall victim of this and blame it on their computer illiteracy. I think what is really to blame is those that are complete computer newbies and are completely unaware what spoof is and think it's real and don't know about checking or how to check, and those that are ignorant and think it won't ever happen to them.

 

[Eraserhead]

I think that Safari should have protection:

However: Internet Explorer is bad too, especially if it only relies on its local list. (source)

And also given that a redirect foils the phishing filter (source) the current implementations leave much to be desired.

Basically user-beware is the name of the game here.