PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
  • by Billosaur ( 927319 ) * <wgrotherNO@SPAMoptonline.net> on Friday June 16, 2006 @11:09AM (#15548895) Journal

    When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

    What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

  • It's still a hassle and a violation of privacy.
  • What the hell? (Score:3, Insightful)

    by Grendel Drago ( 41496 ) on Friday June 16, 2006 @11:13AM (#15548931) Homepage
    You're right; it's not identity theft, it's identity fraud. Which, guess what, has its victims [privacyrights.org].

    Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?
  • by HardCase ( 14757 ) on Friday June 16, 2006 @11:13AM (#15548936)
    Absolutely true, but, like everything else, there ain't no such thing as a free lunch. We all end up paying for it because reversed transactions are a cost of doing business that all merchants must calculate into their retail prices. If nothing else, it ought to cause people to be more aware of just what they're clicking on when they get an email.

    -h-
  • by NineNine ( 235196 ) on Friday June 16, 2006 @11:14AM (#15548938)
    You have to understand.... in this society, in this day and age, people DO define (identify) themselves by the things they own, the money they have in their bank account, and their credit rating. Sad, really.
  • by kenthorvath ( 225950 ) on Friday June 16, 2006 @11:16AM (#15548958)

    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.

    In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.

  • by Draconnery ( 897781 ) on Friday June 16, 2006 @11:18AM (#15548975)
    This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

    Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.
  • Re:how?? (Score:3, Insightful)

    by MankyD ( 567984 ) on Friday June 16, 2006 @11:19AM (#15548992) Homepage
    How are hackers injecting this code into a legitimate paypal website??
    Cross-Site Scripting.
    You're missing the grandparent post's question. If I visit http://paypal.com/ [paypal.com] how does the phisher get their script to run?
  • by sconeu ( 64226 ) on Friday June 16, 2006 @11:23AM (#15549013) Homepage Journal
    Actually, it's a hell of a lot closer to theft than copyright infringement.

    By using my identity (and credit and ...), the fraudster has impinged upon my ability to use it freely.
  • Surprise? (Score:3, Insightful)

    by theaddkid.com ( 983011 ) on Friday June 16, 2006 @11:23AM (#15549017) Homepage
    I don't know how this is a surprise to anyone; "cross-site scripting techniques" are so common now they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.
  • Paypal is insecure (Score:2, Insightful)

    by Nightspirit ( 846159 ) on Friday June 16, 2006 @11:31AM (#15549092)
    I rarely use paypal, checked my bank statement one day, and realized 2k was missing from my bank courtesy of paypal. I have never clicked on a paypal email, and so the only explanation I could think of is either gross incompetence at paypal, or a keylogger was on my system (which was doubtful). Of course, I run all the major spyware/adware/virus/rootkit detectors and nothing (and yes, I do have a firewall, do not use wireless on this computer, and have a good password).

    So, no more paypal for me. Of course I eventually got my money back, but it was a major hassle. From now on I am creating accounts using temp credit card numbers.
  • by Todd Knarr ( 15451 ) on Friday June 16, 2006 @11:32AM (#15549098) Homepage

    This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

    First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

  • by DragonWriter ( 970822 ) on Friday June 16, 2006 @11:56AM (#15549269)
    I'm really tired of hearing this term. Nobody's identity is being physically stolen; therefore it is not theft.
    No, people's tangible and intangible personal property is stolen by means of misrepresenting identity (not always the one whose property is stolen, depending on the particular manner of identity theft.) "Identity theft" is not "theft of identity", it's "theft by misrepresenting identity". And, therefore, it is theft.
    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.
    Identity theft is no more "victimless" than armed robbery.
  • A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.

    You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and redirect the login to the actual vendor. You never receive a hint that you were duped until the charges start showing up.

    These days, a suspicious URL in your browser is often the only clue you'll get -- and if you don't have the latest patches for the popular browsers, the URL can be disguised.

    This isn't to say that there is no stupidity factor. People still fall for the old style phishing scams like you described, or "validate your credit card number" scams with startling regularity. Most people fail to realize that a simple precaution can make you essentially immune to phishing attempts (like disabling HTML in emails).

    However, the newest round of phishing is a lot more sophisticated, and a lot more convincing. As it becomes more prevalent, expect mass stupidity to be less of a factor in its success.

  • by Golias ( 176380 ) on Friday June 16, 2006 @12:09PM (#15549359)
    I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

    Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.

    If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.
  • by fallen1 ( 230220 ) on Friday June 16, 2006 @12:17PM (#15549409) Homepage
    This is the reason I have an account set up with my bank that states it is specifically for PayPal. Period. The only money I keep in the account is enough to cover 4 to 6 months of banking charges (like $5/month) so even if someone were to try and steal the money in that account, I'm out $20 to $30 or so AND I am immediately alerted to the fact that the account has been breached.

    At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.

    With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.
     
  • Re:HUH (Score:1, Insightful)

    by Anonymous Coward on Friday June 16, 2006 @12:49PM (#15549659)
    Okay, let's work backwards here:

    The article reads, "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site."

    So we can conclude that there is something of importance particular to the URL that the user viewed...

    The article continues to read, "some of the content on the page has been modified by the fraudsters via a cross-site scripting technique."

    Because we know a little something about cross-site scripting, we can conclude that URL has some tricky parameters attached to it which inject the custom content into the displayed page results...

    Now, how do you suppose the user ended up coming across such a cleverly fabricated URL? Don't blurt out the answer, think about it for a moment...

    .
    .
    .

    That's right: someone emailed them the link. Step away from the soap box, sir.
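As an added illustration of the mechanism the comment above walks through (this is not code from the thread, from the article, or from PayPal): a page that echoes a query parameter unencoded, the same page with HTML output encoding, and a check that flags access-log requests whose parameters carry markup. The page template, the `msg` parameter name and the log lines are constructed for the example.

```python
# Added example, not from the original thread: reflected content injection
# via a URL parameter, shown from the defender's side.  The page template,
# the "msg" parameter and the sample log lines are all constructed here.
import html
import re
from urllib.parse import parse_qs, urlsplit

PAGE = "<html><body><p>Status: {msg}</p></body></html>"


def _msg_param(url: str) -> str:
    """Pull the 'msg' query parameter out of a URL (empty if absent)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the parameter straight into the page: whatever markup the
    link carries is rendered on the trusted domain (the flaw)."""
    return PAGE.format(msg=_msg_param(url))


def render_hardened(url: str) -> str:
    """Same page, but the value is HTML-escaped at output time, so
    attacker-chosen text appears as text and cannot become markup."""
    return PAGE.format(msg=html.escape(_msg_param(url), quote=True))


# Heuristic: a value that opens an HTML tag or uses a javascript: URL has
# no business in a legitimate request to a page like this one.
MARKUP = re.compile(r"<[a-zA-Z/!]|javascript:", re.IGNORECASE)


def suspicious_params(url: str) -> list:
    """Return (name, value) pairs whose decoded value looks like markup."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query).items():
        hits.extend((name, v) for v in values if MARKUP.search(v))
    return hits


def flag_log(lines: list) -> list:
    """Return the request paths in access-log lines that carry such values.
    parse_qs percent-decodes, so encoded payloads are caught too."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and suspicious_params(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample log: one normal request, one carrying an injected message.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2006:11:09:00 +0000] "GET /status?msg=ok HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jun/2006:11:09:03 +0000] '
    '"GET /status?msg=%3Cb%3EYour+account+is+disabled%3C%2Fb%3E HTTP/1.1" 200 540',
]
```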
  • by JianTian13 ( 525365 ) on Friday June 16, 2006 @01:34PM (#15549959) Homepage
    Umm, "doesn't lose anything"?

    PayPal probably loses quite a lot of money because of phishing assholes, through the human resources spent fighting the crap spewed by the phishers.

    Think about it:
    • The support guy who takes the initial customer phone call, and has to explain basic things like "identity theft" and "read your newspaper once in a while", and...
    • The other support guy who now has to track down where the money went, and if possible put it back, and...
    • The support guy who has to call the (possibly uncooperative) ISP, which may very well be in foreign country, and explain across a language barrier that one of their users/machines is part of a phishing scam, to get it shut down.

    That's just off the top of my head. Never mind the PR damage done, never mind the developer time invested in trying to prevent stuff... And what *could* PayPal do to make life easier? Seriously. There's only so much you can do before it's just down to a stupid user doing a stupid thing that other people have been shouting at them not to do for years. What then? Internet Driver's Licenses? (hmmm.... maybe not such a bad idea, if you automatically fail anyone who's ever signed up for AOL... :)
  • by pavon ( 30274 ) on Friday June 16, 2006 @01:38PM (#15549996)
    While there will always be gullible people, I am not surprised that PayPal has a larger problem than other places. When I was still using them, they had horrible email practices. They sent out emails advertising new services. They even included links in their emails. There was more than once when I received a legitimate email from PayPal which I thought was a phish. Yeah they sent out warnings about phishing, but when legitimate email looks like a phish, people are going to have a harder time telling the difference.

    Financial institutions should never include links in their emails. They should be very hesitant about sending any emails except in response to a user action. They should never send out emails the response of which is to enter personal information (such as signing up for a new service), even if they inform the user to go directly to their site rather than providing a link. Sending out crap like this just conditions the users to expect and trust emails and links from PayPal.

    Maybe they are better now - I haven't used them in a while, because I don't trust them with access to my bank account. They have abused that power on too many people, too many times, so I don't do business with them anymore.
  • by Bryansix ( 761547 ) on Friday June 16, 2006 @02:11PM (#15550211) Homepage
    It seems to me that this phishing attempt would never work on people who employ one simple tactic. When you get an email from a company requiring action on your account, log in directly to the account yourself and do not click the links in the email.
  • by AriaStar ( 964558 ) on Friday June 16, 2006 @06:09PM (#15552136) Journal
    This is not new. Legitimate sites are hacked more often than anyone cares to admit, and end up hosting fraudulent pages that indeed link to an outside page, often with the domain in the web bar masked. Everyone should know by now to go directly to a page, and those who choose to ignore this should either be banned from the internet as their falling for these scams encourages crooks, or else they deserve what they get.

    Something else not new is domain masking, which I am sure you all know about.

    *sigh* When your ID is stolen, as mine was the "good old-fashioned way" when I was 18 (25 now), it sets you up for years of frustration, thousands you can't recoup, and makes you wonder why the hell people aren't more vigilant about protecting their identity. Once it's lost, you've got no hope, and dozens of police reports are no longer enough to get a new social to get your life back on track. Finding another ding on your report, another credit card in your name, a speeding ticket in a state you've never been to...it all becomes just something you accept, though no less frustrating. And there is no end in sight, not until people wise up and guard themselves to discourage people from even trying. And even that won't be enough.
