PayPal to Ban "Unsafe" Browsers

PayPal is one of the most spoofed entities in these attacks, and it has released a white paper called A Practical Approach to Managing Phishing (.PDF). In the paper, Michael Barrett, Chief Information Security Officer and Dan Levy, Senior Director of Risk Management at PayPal, discussed how they have made a dent in phishing and how they intend to go further.

Some of the biggest contributors to the phishing problem, according to PayPal, are "unsafe" browsers. Unsafe browsers are those that do not have built-in phishing detection or support for EV SSL (Extended Validation Secure Sockets Layer) certificates. As they say in the white paper:

The alarming fact is that there is a significant set of users who use very old and vulnerable browsers, such as Microsoft’s Internet Explorer 4 or even IE 3. Inevitably, this set of users is a subset of the passive group. We argue that it’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers.

At PayPal, we are in the process of re-implementing controls which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe – usually the oldest – browsers.

Although they point out really out-of-date browsers in their white paper, PayPal would have to also include Safari in any such ban, since it offers no phishing protection and does not support EV SSL certificates.

So, although Apple always touts its products as more secure than Microsoft's, in this case Safari would be considered "unsafe" and even possibly banned. Since PayPal is a payment option for iTunes, perhaps they should look into fixing this "hole."

Source: by Tech Ex