safari unsafe? paypal thinks so.


There's been a lot of coverage of the PayPal Safari kerfuffle over the last few days.

Dear PayPal, Safari Isn’t The Security Problem, Dear PayPal, Safari Isn’t The Security Problem, Paypal and Safari, PayPal excludes Safari from "Safer Browsers", PayPal is not making me feel safe, PayPal not an Apple fanboy, discourages use of Safari, PayPal On Security?, Paypal says avoid Safari, Paypal says avoid Safari browser, PayPal says NO to Safari, PayPal Says NO to Safari: We Say Take Responsibility for Your Actions, PayPal Says: Safari Is Not Secure, PayPal to Safari users: 'Ditch it', Paypal to Safari Users: Switch Browsers or You'll be a Victim of Fraud, Paypal warns buyers to avoid Safari browser from Apple, PayPal Warns Safari Users, PayPal: “Safari not safe” Huh?, PayPal: Safari is a little phishy, PayPal: Safari Open To Online Fraud, PayPal: Steer Clear of Apple's Safari, PayPal: Steer clear of Apple's Safari, Safari "lagging behind" on security, Safari browser does not get PayPal's stamp of approval, Safari Excluded from Paypal’s “Safer Browsers”, Safari Not Safe Enough For PayPal, Safari not secure against phishing, says PayPal, Safari unsafe for PayPal, Who's responsibility is security?, PayPal warns against using Safari because of its lack of anti-phishing technology

My take is that PayPal is just about right.

PayPal is probably the number one or number two target for phishing online (I'm basing this on the contents of my email spam folder) and so I can see where they'd want their users to have the best possible protection against phishing. Firefox 2 and IE 7 offer built-in, and in the case of Firefox, highly effective, phishing protection. Firefox 3 will offer major improvements in the usability and discoverability of site identity information, including but not limited to EV Certificate support. The combination of phishing protection and easier to discover and use site identity information is a powerful weapon against social engineering attacks like phishing.

Some folks have disputed the value of these tools to users. A few have even suggested that social engineering attacks like phishing aren't something a browser should attempt to thwart or mitigate -- that less sophisticated Web users deserve what they get. I couldn't disagree more with both of these points.

Jeremiah at his eponymous blog says "Phishing attacks are attacks on visitors, not technology. The solutions aren’t likely technical."

Brian Reilly at his "other" blog, says "I think you need to be more vigilant yourself rather than planning for Microsoft to save you by fixing their browser. Phishing is easy to spot if you pay attention. I don’t think I want to rely on my browser for that anyway."

Kevin Williams over at Almost Serious says, "I have to throw the sacred plaid Bullshit flag on this one. IE making the address bar turn green only serves to prove to me that IE developers can tell green from red or blue. Big flipping deal. Do they really expect me to believe that stupid IE users who blindly log in to anything that looks like a PayPal login page proves that IE is more secure? If anything, it tells me it is less secure, and used by idiots. Is there a web standard here, or is this a little bit of Tony Soprano at work?"

Mr. Mayor at Mactropolis said, "I think I can sum this whole argument up by simply saying… It’s time for all of us to take responsibility for our actions on the net. It’s true, unfortunately there are a lot of criminals out there ‘phishing’ for your paypal/bank logins out there… Gleaning private login info and stealing hoards of $$$ from the innocent. That’s awful and it sucks… But if we can step-up our own accountability and responsibility on this issue… There will be fewer victims and we’ll all be in a better place."

Jay Melton at his blog, scholar.jklmelton.net says, "Sorry PayPal, the problem lies in how people deal with email, not with the browser. Anyone clicking on any link in an email message is asking for trouble. If you need that link, copy it, paste it, and then read the URL carefully. If you don’t recognize the domain or the directories after it, don’t use it. You can get to the site using your bookmarks to be safe."

Tom Stovall at his blog, stovak.blogspot.com asks, "Who's responsibility is security? The expectation that a car manufacturer would build a car that would tell you when you're going to be car-jacked seems a bit far-fetched.... I understand too well how unreasonable the uneducated computer using hoards (READ 'windows users') can be.... If you're stupid enough to give your login information away, that's just darwinism in action. You are the slow antelope of the herd and as such, have been selected by nature for extinction."

The Phishing Protection feature in Firefox has already saved countless people from online fraudsters. I've seen this personally with friends and family, and I've seen scores of blog posts from people thanking Firefox for saving them from scams -- many related to PayPal phishing.

Those who doubt the efficacy of EV certs based on a study of IE 7's current UI are also pushing flawed information. Just because IE's implementation is less than ideal doesn't mean that Firefox's will be, or that we won't see all browsers advancing the usefulness of EV cert features. And, in addition to the EV information, Firefox is also adding quite a bit more easy-to-find, easy-to-use information about websites that will help people determine whether they're at a legitimate destination or a phishing one.

Finally, to those who say that less sophisticated users deserve what they get for not being more advanced, I say go jump in a lake. Not everyone out there spends the kind of time online that you do. Not everyone out there understands the details of the URI specification as well as you do. Not everyone out there is capable of understanding that even bad guys can buy a lock icon for less than $100 these days.

Just because you can spot a phishing attack doesn't mean that everyone else can or should, and it is absolutely the job of the browser to correct the flawed "lock means you're safe" perception and the silly "learn how URIs are constructed" meme with better site identity information and features like phishing and malware protection.

Now, back to PayPal. PayPal takes social-engineering threats as seriously as encryption or code flaws. It has to. Phishing is so much easier to pull off than cracking a browser or an encrypted client-server session. Even lowering their exposure to these kinds of attacks by a fraction of a percent is a huge win for them, both financially and strategically. I think that PayPal is absolutely right to let its users know how to do the most they can to stay safe and secure online.

The Web has become a necessary part of the lives of more than a billion people worldwide. Web browser makers can and should be in the business of making the Web not just more "secure" but actually safer.

29 Comments

I'll just copy/paste what I already wrote over on the Ars board:
as far as I'm concerned, phishing protection needs to be stepped up at the email client level, not at the browser level. I use gmail exclusively, and I don't get very many phishing messages, so I can assume that 1) they simply aren't mailed to me, or 2) gmail does a decent job of filtering them.
But as often as once a week, or once every two weeks, a phishing message does make it into my inbox, and some of them are embarrassingly bad. It's like they don't even try. The whole body of the message is something like

"Your paypal account information needs to be verified. Click here to verify"

and the "click here" URL will be something like http://47.56.24.778/paypal/verify/cgi.html

Gmail couldn't catch that? Really? I always report them when they come in, but I have seen little progress from Gmail over the past year or so on this front.

Well said. I like to think myself capable enough to avoid all or at least the majority of phishing scams. But it's always nice to have some extra protection at little overhead.

However, my parents, both now just about in their 60's, I'm not so confident about.

They are clever people, just not the most savvy in the particular field of internet usage. Yet they do need to use it. They don't deserve to be labelled as some sort of morons when in many ways they are wiser than you or I. I'm glad Firefox (in their case) is helping protect them and me.

As for comparing it to Darwinism: you could say that about the activities of all sorts of fraudsters. Murderers too? However, we're happy to have laws against their actions, or alerts when such people are operating near us in some way.

We're human because we don't build society solely upon basic premises of nature. Because there's more to us than natural urges and we don't all/always say, "I don't care about you as long as I'm ok".

All the commentary espousing the need of users to protect themselves certainly raises valid points, and people should try to be as aware as possible. However, the tone of a lot of it (going by the quotes) is elitist and off-putting.

All that said I don't think Safari or any browser should have to have any specific feature set. I personally would be happy enough to use a browser like Safari without phishing protection. It's not a priority for me but I am for it.

Users will decide what they consider an important feature and browsers will follow.

I also agree with Joe above that one area where there needs to be more improvement is email. If the browser can sniff out phishing sites, so could the email client/service.

Paul and Joe, I agree on the email front. That is the entry point for most phishing scams. Thunderbird has rudimentary phishing protection that could definitely be improved, and webmail should absolutely improve. But for social engineering attacks, I think more layers of defense are always better, and ultimately it's in the browser that the user gets harmed, so browsers should absolutely do what they can to help users out.

I find it very telling how so many of these "pro-Darwinian" bloggers say it up to "us" to be more responsible with web browsing, as though their audience includes the non-technical folks like my aunts and uncles who are the most likely victims of such attacks. I'm talking about otherwise intelligent people who just happen not to have anything close to expertise when it comes to computers. And that's supposed to sentence them to identity theft and spyware? Not knowing what the phrase "URL" means or how to parse one? It's a disgusting attitude to have, and I'm grateful to the Firefox team and its community for helping make the typical technology consumer be safer online.

I still don't think EV certificates are the panacea they're being promoted as. Consider Netcraft's article earlier this week about XSS attacks on EV sites. EV certs tell you a little bit more than a standard SSL cert, but it's only one factor to consider. It's still possible to encounter malicious code if the site itself is vulnerable to an attack.

At least it doesn't look like PayPal is blocking Safari. That would bring us to the bad old days of "Sorry, Firefox isn't secure enough, please connect with Netscape 6."

Mac fanboys are annoying on this issue. Normally they brag that Apple's offerings "just work"; when it "just doesn't work", they turn around and promote "discipline yourself".

It's utterly shameless.

Asa, your tendency to spend time attacking the competition of late is disappointing. You don't show either yourself or Mozilla up in a good light by flaming like this. If you're supposed to be some sort of public face for Mozilla, you ought to think about how that face looks to other people.

I haven't researched the deep inner workings of the phishing protection in Firefox 3, but here's an idea: Couldn't they check the contents of the site to see if it looks like PayPal (most of the phish attempts are exact duplicates of PayPal's login page), and if it is NOT paypal (looking at the URL, or an IP range, or some known identifier) then flag the site, or just outright block it? It seems to me that most of the phishing protection software relies on a database of known phishing sites, but it seems that some simple content analysis could be foolproof.

"Firefox 2 and IE 7 offer built-in [..blah blah patting your own back..] phishing protection."

Yes, Asa. If you read the actual statements of the PayPal representatives, you will see, as you already know all too well, that these are, in fact, the only two browsers in the world that offer built-in phishing protection. There are no other such browsers, and the reason why all the fuss is about Safari is not because it is the only major browser not offering it, but because it is the only other browser anyone cares about.

I wouldn't touch IE with a ten-foot pole, and certainly not trust my security to it. But it is a fairly established fact that when it comes to anti-phishing quite specifically, MS is currently leading, not following. Take the time to check out the mighty impressive list of phishing feed sources they use. Compare that to your statement that Firefox users are better protected than IE users with Google alone.

When IE ordered the "independent" study that (to no great surprise) claimed IE as the winner, the only other source that could measure up on its own was Netcraft. What did they do? Not long after, they licensed Netcraft's feed too, *in addition* to all the sources they were already using.

Your claim indirectly states that Google's feed is superior not only to *all* other feeds available, but also to many of them put together. Heck, if Google wasn't Google, I'm sure MS would already be using their feed too. Would you still claim Firefox was better?

Pardon me while I trust Microsoft's controversially bought independent study of their plethora of phishing data more than Mozilla stating that the company that finances much of their development is better than everything else put together - just cause you say so.

- yitz

yitz, an independently audited study put Firefox's protection way ahead of Microsoft's. Maybe read up on it?

- A

Asa, I refrained from referring to that report due to the simple fact that it is from January 2007, while Microsoft started licensing Netcraft's feed in February 2007.

Maybe read up on that?

I don't know of any independent reports more recent than February 2007, but if you'd like to provide one to back up your questionable and outdated claim, I'd love to see it.

Furthermore, the report commissioned by Mozilla uses data exclusively from PhishTank. Considering Opera uses PhishTank's actual phishing feed, Opera should in principle have beaten both IE7 and FF2 had it been tested as part of that report. This is in stark contrast to the very few sources claiming Opera currently has the superior anti-phishing feature of the three.
I have chosen to question iSEC's claim of PhishTank representing independence in this report - it's equivalent to testing each browser's effectiveness in comparison to Opera.
If Mozilla judges its effectiveness against the data actually being used by a competitor, how can it claim superiority against it?
(I'm not saying you did, in fact you chose to inexplicably pretend it does not even exist, but you did however claim it to be better than IE7.)

The significance of the report is further lessened by the fact that no testing was performed of false positives, an aspect of equal importance to the field of anti-phishing. With this method of testing, blocking all sites would produce a 100% success ratio, and hence a top score.
It is simply unscientific.

- yitz

Yitz, so you're agreeing that the most recent legitimate data puts Firefox ahead. Good enough for me.

- A

Asa, please change "maybe read up on that" to "maybe start reading at all".

Considering you had no problem with my claims above, I shall henceforth interpret your view on this as follows:

1. Testing only caught phishes against PhishTank is a fully legitimate method of evaluating an anti-phishing solution.
2. The most recent "legitimate" data puts Firefox ahead of IE, according to the method mentioned above.
3. The hereby fully accepted norm of evaluating success rate against PhishTank (and thereby Opera) puts Opera on top. Opera is better than Firefox, which in turn is better than IE. Real hard facts cannot overrule the latest commissioned anti-phishing evaluation at any point.

Conclusion: Opera's anti-phishing feature is better than Firefox's. Any future reports will be measured the same way, as this is the optimal method of testing an anti-phishing feature.
Opera will always be better than Firefox, and thereby more secure.

I'm glad we managed to work this out, thanks for your valuable input.

- yitz

Has Opera been released under a free software license?

Nope. Opera has a EULA (End User License Agreement) like Microsoft Windows.

http://www.opera.com/docs/changelogs/windows/850/

Opera 8.50 for Windows Changelog
...
# Advertisement banner removed
# Registration options removed
# Updated end-user license agreement

Gee, why was there an Advertisement banner in the first place? And a EULA?

Opera cracks me up, trying to compete against a GPL-licensed project with their EULA.

Also, if Opera is so great at stopping phishing, what is it they're doing? Oh right, it's proprietary and they're not part of any software sharing community.

Opera can take their secret innovations and tuck them away somewhere the sun doesn't shine.

Paul

Paul, Free as in Beer: yes. A EULA is a software license, that's what the L is about. It states various things regarding what you can and cannot do with that software.

Yes, the advertisement banners were removed, and therefore there was no longer any need for you to (voluntarily) enter a few details about your demographic, to prevent you seeing ads for dentures and wheelchairs. Or only those, if you should prefer. As all this was removed, the license had to be updated to reflect your further increased freedom.

The advertisement banner was there to make money for Opera Software, just like there are Google ads right here on MozillaZine to make money for The Mozilla Corporation. With Opera, you had an option of paying a few bucks, and the ads would be gone. The money to finance development had to come from somewhere, be it from banner ads, personal licenses/donations, or from sponsored search boxes within the browser.
Once these search boxes became a viable option, both Firefox and Opera started using them, and getting their income that way, rather than ads and other such intrusive advertising.
In a way, Google (and a few other partners) are now really paying the paychecks of both Mozilla and Opera developers. Not much difference there, really.

Opera uses its own specific license, with no particular name, for its EULA. Mozilla uses its own specific license, called MPL, for its EULA.
If you do not provide a EULA (license), you are also not allowing any use of your software. This is why most of today's software, with some very few exceptions, is shipped with a EULA.
(qmail is the only one I can think of, and that's 10 years old.)
Opera's EULA is nothing like Microsoft Windows. Microsoft's EULA is 33 kilobytes of text telling you all the things you're not allowed to do. Opera's EULA is 6 kilobytes of text, and says mostly that you can't repackage and sell it (when Opera is giving it away for free), that Opera can't be held responsible if you try to run Opera on your toaster, and a reiteration that Opera does its absolute very best to protect your online privacy - a section that is not too common in EULAs.

You can find Mozilla's many different EULAs here:
http://www.mozilla.com/en-US/legal/eula/


What Opera is doing wrt. phishing is to receive from and provide data to PhishTank, one of the largest open anti-phishing community sites in the world, if not the largest. Everyone is invited to submit a phish, everyone is allowed to verify the submitted phishes. That way, the data is fully in the open for anyone to see, verify and make an impact on. Anyone is free to use all data from that community as they wish, even for commercial use, for free.
http://www.phishtank.com/
A public in-depth technical documentation of exactly how this feature is implemented can be found here:
http://www.opera.com/docs/fraudprotection/

Mozilla uses data that has been collected by Google.
Mozilla ordered a report about a year ago, that demonstrated very clearly that PhishTank, the open phishing community, was better and more secure than Google. This is the same report Asa points his readers to.


Oh, if you wanted to know how the banner ad technology worked, that is also fully publicly documented. It's still available here:
http://www.opera.com/docs/ads/
This has been available for anyone to read ever since the ads were first implemented.
If you want to verify what it says, you can try sniffing the traffic transmitted for phishing or banner ads - it's intentionally unencrypted so people can clearly see for themselves that it is nowhere near where the sun doesn't shine.


Hope this answers your questions.

- yitz

I think everyone has come across this. Every browser brand has been discussing this at length. Some are saying users have to be careful, not browsers, and that the attack is on people and not on technology, but (no offense meant) these guys forget that technology is meant to protect us.

Paul, Firefox has a EULA. But this discussion is not about open vs closed source. It's about phishing technologies. Try to answer the comments and don't get defensive on behalf of Asa/Mozilla by changing the subject.

wuuut, user freedom will always be at the top of my agenda.

Firefox is a GPL-licensed project. Neither Safari nor Opera are free software.

Because of the GPL, I can acquire a derivative of Firefox without accepting the EULA that Firefox ships with.

This particular EULA is for protecting the corporation, not subjugating the user's freedoms to peruse the source code, modify and redistribute the source-code.

You scored a rhetorical point, but Firefox is not proprietary software so the Firefox EULA is not an obstacle to the user.

The joke is on you if you allow others to take your freedom.

Looks like I won that round then

-yitz

Yitz, anti-phishing is like spam-filtration. A few regular expressions, blacklists, white-list registry - whatever it takes.

Personally, I'm no expert on anti-phishing statistic databases. All I know is it's not a big deal to update a black-list, add a new filter, etc. On top of that, it's a constant process to maintain these black-lists, white-lists, and regex filters. It's no big deal for one company or another to come up with a few new domains to black-list, tweak to a regex filter, etc.

Firefox has that and so much more. I just don't understand how proprietary software fanatics can feel so great about software which belongs to someone else.

Paul: "Also, if Opera is so great at stopping phishing, what is it they're doing? Oh right, it's proprietary and they're not part of any software sharing community."

I've come late to this particular entry, so probably won't get a reply, but what does that have to do with how effective anti-phishing in any browser is?

Paul: no, anti-phishing is not like spam filtering. It is in the sense that you are wanting to block content from teh Intarwebz, but that really is where the similarities end. Unless you want to get into heuristics, the anti-phishing of all major browser vendors is based on the concept of blacklisting URLs, by means of single URLs or by means of sane regexing. The collective concept of spam filtering consists of a myriad of various methods to try (yes, try) to give users or systems an indication that something might be spam.
If spam filtering was about blocking From addresses the same way anti-phishing is about blocking (or warning about) URLs, then it might be the same thing. But it's not.
You are however correct that yes, updating phishing blacklists is a 24/7/365 task. It's no big task for anyone, company or otherwise, to create such a list, and nowadays everyone gets enough phishing email that there'd be a constant source of additions. It *is* however a big deal to maintain a blacklist that is actually effective against phishing, worldwide, in realtime. Always. That's the make or break of anti-phishing, and claiming it's "no big deal" makes you look downright uninformed. If it's so easy, why isn't Google doing it? Why don't they have the best phishing filter in the entire world? Surely they don't lack the resources.
Or, for that matter, why does Microsoft license the services from other companies to provide these feeds, rather than just rolling their own list? Surely throwing a few millions after a trained in-house monkey should ensure them a superior list?

To continue your analogy of spam, an incomplete anti-phishing blocklist is about as effective in protecting users from phishing as blocking emails that have "viagra" in the subject.

You say yourself you're no expert on the subject of anti-phishing. This post, quite explicitly, concerns the subject of anti-phishing. Not the fact that all major browsers have EULAs, or whether the browser has a community around it, which is entirely irrelevant to how effectively any browser blocks phishing.


dr: Nothing, really. And if that was the factor by which one would rate effective anti-phishing, Opera would likely come out on top, since they're the only ones that use PhishTank, the largest open and free phishing sharing community. But then again, who ever bothers to check facts anymore..

For the record, I wrote a lengthy comment clearing up this and various other misconceptions that have appeared in the comments of this post (complete with links to public documentation of these so-called "secret innovations"), but lo and behold, I suddenly found this blog to have introduced comment moderation, which my previous comments had not been subjected to. And I guess the self-professed prophet of openness prefers a selective truth that he can control himself, because my post never actually made it into the comments.
Someone else posting under my name had no problems getting past this selective moderation though - the comment written March 3rd by someone calling themselves "yitz" was never written by me.

- yitz (yes, the real one)
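As an added example (not code from the post, the commenters, or any browser vendor), here is a small Python URL classifier that layers the cheap heuristics the earlier comment proposes (an IP address as host, a brand name in the URL whose actual domain is not the brand's) on top of the blacklist-of-URLs-and-patterns approach this comment describes, and that is also checked against legitimate paypal.com URLs, since the point above about untested false positives applies to any such filter. The blacklist entries, hostnames and the registrable-domain helper are constructed placeholders; the only URL taken from the discussion is the 47.56.24.778 sample.

```python
"""Constructed example: blacklist plus heuristics for phishing-URL triage.

Not the code of any browser; a demonstration of the two approaches the
comments contrast (URL blacklists vs. content/URL heuristics), written so that
legitimate URLs can be checked for false positives alongside the phishes.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blacklist data (placeholders, not a real feed).
BLACKLIST_EXACT = {
    "http://login-verify.example.net/paypal/cgi-bin/webscr",
}
# "Sane regexing" over the whole URL: anchored to a host family, not to a path
# that a legitimate site might also use.
BLACKLIST_PATTERNS = [
    re.compile(r"^https?://([^/]*\.)?example-verify\.net/", re.IGNORECASE),
]

# Brand keywords and the registrable domains they are legitimately served from.
# Assumption: single-level public suffixes only; a real deployment would use the
# Public Suffix List so that e.g. co.uk domains are handled correctly.
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
}

DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'paypal.com' for 'www.paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_like(host: str) -> bool:
    """True for an IP literal, or for anything that merely looks like one.

    The sample phish quoted above used 47.56.24.778, which is not even a valid
    IPv4 address (778 > 255), so a strict parser alone would let it through.
    """
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return DOTTED_QUAD.fullmatch(host) is not None


def classify(url: str) -> tuple[str, list[str]]:
    """Return ('block' | 'warn' | 'ok', reasons) for one URL.

    Blacklist hits are definitive ('block'); heuristics only 'warn', because
    they are guesses and must not silently block legitimate sites.
    """
    if url in BLACKLIST_EXACT:
        return "block", ["exact blacklist match"]
    for pat in BLACKLIST_PATTERNS:
        if pat.search(url):
            return "block", [f"blacklist pattern {pat.pattern!r}"]

    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "warn", ["unparseable host"]

    reasons = []
    if is_ip_like(host):
        reasons.append("host is an IP address rather than a domain name")

    domain = registrable_domain(host)
    haystack = f"{host}{parts.path}".lower()
    for brand, legit_domains in PROTECTED_BRANDS.items():
        # Brand name present in host labels or path, but the domain that
        # actually serves the page is not one of the brand's own.
        if brand in haystack and domain not in legit_domains:
            reasons.append(f"'{brand}' appears in URL but host domain is {domain!r}")

    return ("warn" if reasons else "ok"), reasons


if __name__ == "__main__":
    # Constructed samples; only the 47.56.24.778 URL comes from the discussion.
    samples = (
        "http://47.56.24.778/paypal/verify/cgi.html",
        "https://www.paypal.com/cgi-bin/webscr",
        "http://login-verify.example.net/paypal/cgi-bin/webscr",
        "http://secure.example-verify.net/account/",
        "http://paypal.example.org/",
    )
    for sample in samples:
        verdict, why = classify(sample)
        print(f"{verdict:5} {sample}  {'; '.join(why)}")
```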

Left out of your apparent defense of PayPal is the obvious: PayPal has hundreds of millions of dollars of its customers' money flowing through it at any given time, and there is an obligation on its part to secure those funds from phishing attempts.

For example, I bank with Bank of America. A few years ago, it instituted a security check by which I selected a picture from among a hundred or so on its website and we use that photo as a security key. When I log on, I put only my user name in the splash page, and the next page has a place for me to type in my password, right below the photo I selected as my security key. If I get a BofA page and that photo isn't there, I know not to provide that password (or any other secure information).

I can't think of a single reason why PayPal can't institute the same procedure to secure the funds deposited with it by its customers. It is certainly cheaper and less effort, though, to blame the browsers.

One other note: There are still many more Windows users deploying IE 6 instead of IE 7. Barrett specifically didn't cite IE 6 as passing PayPal's security tests. Someone reading the headlines on these stories might assume the only browser with a security problem in the eyes of PayPal is Safari, and those readers using IE 6 would be giving themselves a false sense of safety in that assumption.
