PayPal Security Flaw Allows Identity Theft 212
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
Trickery and Buggery (Score:5, Insightful)
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?
What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.
Re:No signature = No liability (Score:5, Insightful)
What the hell? (Score:3, Insightful)
Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?
Re:No signature = No liability (Score:5, Insightful)
-h-
Re:Identity "Theft"? (Score:3, Insightful)
Re:Identity "Theft"? (Score:5, Insightful)
It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.
It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggrevation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.
In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.
Stupidity still necessary (Score:4, Insightful)
Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is.
Re:how?? (Score:3, Insightful)
Re:Identity "Theft"? (Score:3, Insightful)
By using my identity (and credit and
Suprise? (Score:3, Insightful)
Paypal is insecure (Score:2, Insightful)
So, no more paypal for me. Of course I eventually got my money back, but it was a major hassle. For now on I am creating accounts using temp credit card numbers.
Shouldn't be a problem (Score:5, Insightful)
This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.
First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.
Re:Identity "Theft"? (Score:3, Insightful)
Re:is it still stupidity? (Score:2, Insightful)
A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.
You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and redirect the login to the actual vendor. You never receive a hint that you were duped until the charges start showing up.
These days, a suspicious URL in your browser is often the only clue you'll get -- and if you don't have the latest patches for the popular browsers, the URL can be disguised.
This isn't to say that there is no stupidity factor. People still fall for the old style phishing scams like you described, or "validate your credit card numer" scams with startling regularity. Most people fail to realize that a simple precaution can make you essentially immune to phishing attempts (like disabling HTML in emails).
However, the newest round of phishing is a lot more sophisticated, and a lot more convincing. As it becomes more prevalent, expect mass stupidity to be less of a factor in its success.
Re:No signature = No liability (Score:4, Insightful)
Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.
If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.
Re:No signature = No liability (Score:5, Insightful)
At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.
With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.
Re:HUH (Score:1, Insightful)
The article reads, "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site."
So we can conclude that there is something of importance particular to the URL that the user viewed...
The article continues to read, "some of the content on the page has been modified by the fraudsters via a cross-site scripting technique."
Because we know a little something about cross-site scripting, we can conclude that URL has some tricky parameters attached to it which inject the custom content into the displayed page results...
Now, how do you suppose the user ended up coming across such a cleverly fabricated URL? Don't blurt out the answer, think about it for a moment...
.
.
.
That's right: someone emailed them the link. Step away from the soap box, sir.
Re:A few things about PayPal (Score:3, Insightful)
PayPal probably loses quite a lot of money because of phishing assholes, through the human resources spent fighting the crap spewed by the phishers.
Think about it:
That's just off the top of my head. Never mind the PR damage done, never mind the developer time invested in trying to prevent stuff... And what *could* PayPal do to make life easier? Seriously. There's only so much you can do before it's just down to a stupid user doing a stupid thing that other people have been shouting at them not to do for years. What then? Internet Driver's Licenses? (hmmm.... maybe not such a bad idea, if you automatically fail anyone who's ever signed up for AOL...
Re:Trickery and Buggery (Score:3, Insightful)
Financial institutions should never include links in their emails. They should be very hesitant about sending any emails except in response to a user action. They should never send out emails the response of which is to enter personal information (such as signing up for a new service), even if they inform the user to go directly to their site rather than providing a link. Sending out crap like this just conditions the users to expect and trust emails and links from PayPal.
Maybe they are better now - I haven't used them in a while, because I don't trust them with access to my bank account. They have abused that power on too many people, too many times, so I don't do business with them anymore.
Re:Trickery and Buggery (Score:2, Insightful)
When will people finally learn not to click links? (Score:2, Insightful)
Something else not knew is domain masking, which I am sure you all know about.
*sigh* When your ID is stolen, as mine was the "good old-fashioned way" when I was 18 (25 now), it sets you up for years of frustration, thousands you can't recoup, and makes you wonder why the hell people aren't more vigilant about protecting their identity. Once it's lost, you've got no hope, and dozens of police reports are no longer enough to get a new social to get your life back on track. Finding another ding on your report, another credit card in your name, a speeding ticket in a state you've never been to...it all becomes just something you accept, though no less frustrating. And these is no end in sight, not until people wise up and uard themselves to discourage people from even trying. And even that won't be enough.