PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
  • how?? (Score:3, Interesting)

    by zimsters ( 978940 ) on Friday June 16, 2006 @11:09AM (#15548896) Homepage
    "by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?
  • Re:how?? (Score:2, Interesting)

    by serial_crusher ( 591271 ) on Friday June 16, 2006 @11:24AM (#15549026)
    Maybe they have some kind of bad forwarding system set up? At my company you could do the equivalent of: http://www.paypal.com/redirect.php?NEXT_PAGE=%5Bhttp://10.6.6.6/hackers%20fake%20page.html%5D Our stuff does internal redirection to make things faster, so to the user it'll still look like he's seeing something on paypal.com.
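    The forwarding problem this comment describes (a `redirect.php?NEXT_PAGE=` handler that sends the browser wherever the parameter says, so a genuine-looking URL lands on a spoof page) is an open redirect. The following validator is an added example, not code from the post or from PayPal; it assumes a constructed allowlist of hosts and a default landing page, and only hands back a target that stays on the site.

    ```python
    from urllib.parse import unquote, urlsplit

    # Allowlist of hosts a redirect may land on; constructed for this example.
    ALLOWED_HOSTS = {"www.paypal.com", "paypal.com"}
    DEFAULT_TARGET = "/"


    def _fully_decoded(value):
        """Percent-decode until stable so "%252F%252F" is judged as "//"."""
        while True:
            decoded = unquote(value)
            if decoded == value:
                return decoded
            value = decoded


    def safe_redirect_target(next_page, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
        """Return the normalised target if it is safe to redirect to, else `default`.

        Safe means: a site-relative path with a single leading "/", or an https
        URL whose host is in `allowed_hosts` with no userinfo and no odd port.
        Other hosts, scheme-relative "//host", "javascript:", backslashes,
        control characters and userinfo tricks all fall back to `default`.
        """
        if not isinstance(next_page, str) or not next_page:
            return default
        judged = _fully_decoded(next_page)
        # Browsers normalise "\" to "/", so "/\evil.example" would be followed
        # as "//evil.example"; control characters have no place in a target.
        if any(ord(c) < 0x20 or c == "\\" for c in judged):
            return default
        parts = urlsplit(judged)
        if parts.scheme == "" and parts.netloc == "":
            # Relative reference: accept only "/path", never "//host" or "path".
            return judged if judged.startswith("/") and not judged.startswith("//") else default
        if parts.scheme.lower() != "https" or parts.hostname is None:
            return default
        if parts.hostname.lower() not in allowed_hosts or parts.username or parts.password:
            return default
        try:
            if parts.port not in (None, 443):
                return default
        except ValueError:  # malformed port such as ":abc"
            return default
        return judged
    ```
    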
  • Nothing new (Score:3, Interesting)

    by Moraelin ( 679338 ) on Friday June 16, 2006 @11:25AM (#15549033) Journal
    "Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?"

    AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.

    Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated, it actually disappears from person A to enter the possession of person B.)

    And honestly, seeing some of the arguments made, I can't help noticing a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.
  • Half right (Score:3, Interesting)

    by MarkByers ( 770551 ) on Friday June 16, 2006 @11:33AM (#15549102) Homepage Journal
    You are right that 'identity theft' is a misleading and incorrect term. However, most people will just tell you 'I could care less.'

    However, you are wrong that it is a victimless crime.

    For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.
  • by happyemoticon ( 543015 ) on Friday June 16, 2006 @11:38AM (#15549137) Homepage

    I usually spot phishing scams based on the informal register of the language. Like, this is what I'd expect to hear in that case:

    We suspect that your account information has been compromised, and have disabled your account as a security precaution. You will now be redirected to the Resolution Center to verify your information.

    That is, when they're not totally butchering my language:

    Sir apologies you to! We is suspects that hackers been gotting into your account and disabled fraud! Please give to your credit card details us!!! All your base are belong to them!!!

    Now, what these dirt-poor third-world phishers need is the opportunity to work with an English major from an American university! I see a lucrative business opportunity for both them and my cohorts, who are universally working at theaters and coffee shops.

  • by vinn01 ( 178295 ) on Friday June 16, 2006 @11:51AM (#15549232)

    I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.

    Since the bubble burst, I don't have to worry about having a lot of money in a money market account.
  • That's fine (Score:1, Interesting)

    by tzanger ( 1575 ) on Friday June 16, 2006 @11:52AM (#15549237) Homepage

    Paypal's main site (http://www.paypal.com) does *NOT* do a permanent redirect to https://www.paypal.com, so if you hit www.paypal.com you give your paypal login and password in the clear. I've emailed them several times on this and have finally given up, as they don't bother to respond.

    So if you can get in between Paypal and your target, you don't even need to fool anybody.

  • Good news for Google (Score:3, Interesting)

    by blueZ3 ( 744446 ) on Friday June 16, 2006 @12:56PM (#15549704) Homepage
    in their attempt to break into the on-line payments business?

    I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.

    Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
  • by 70Bang ( 805280 ) on Friday June 16, 2006 @01:12PM (#15549826)


    They're up to no good somehow.

    I made a contribution to a free overseas web service, being a good guy, supporting it, etc. Looking at the PayPal trail of breadcrumbs, they determined the exchange rate[*], rounded up, made the payment, then returned the difference to my account.

    About ten days later, I get a nifty envelope from GE, managing a "PayPal Credit Service" for the amount of the exchange rate[*] with a minimum charge, deadline, service charge if it's late ($15), everything you'd expect to see from a credit card service. My only means of communication with this "GE" service which is handling the PayPal credit service is a PO Box.

    I've never seen a credit service mentioned on the PayPal site and the fact everything balanced in the exchange rate process tells me something smells.

    Does anyone else have info on this type of garbage?

    I'm halfway tempted to make the ten mile drive to the county seat and make a filing in Small Claims and find out what they're up to.

  • I'd like to know... (Score:4, Interesting)

    by pongo000 ( 97357 ) on Friday June 16, 2006 @02:11PM (#15550214)
    ...why it is that whenever I log into PayPal, the number of PayPal-phishing e-mails suddenly increases over the next few minutes? It's as if something is monitoring traffic destined for PayPal (a compromised router, perhaps?) and is automatically triggering phishing e-mails to the originating IP.

    Has anyone else seen this?
  • They got me (Score:2, Interesting)

    by sodomchaka ( 983174 ) on Saturday June 17, 2006 @12:47AM (#15553596)
    Well, a first for me... they got me. I opened a new paypal account on Monday, and by Wednesday, my credit card was being fleeced. Worst of all, there is no way these guys get caught based on the following actions by the involved entities:

    Paypal: Classic, I contacted Paypal on Wednesday, "we have had no security problems.... Don't reply to phishing scams." (no shit Sherlock, I just figured I was safe entering information directly into your website using SSL). When elevated up the customer support retard chain, I was then lectured on phishing scams (damn these people are bright), and told to contact my local authorities. Unreal... my local authorities... I wonder how many local reports are taken nationally due to these wankers. Follow up today (Friday), "you should contact our security" [by filling out our webform that warns you incessantly about phishing scams and that tells you after you fill out the form that they will get back to you in about 10 days... nice].

    Mastercard: I contacted my credit card company, they cancelled the card but will not investigate until I fill out an affidavit, "which will take about 14 days to arrive."

    Kmart: I contacted Kmart, being one of the companies that put through charges to my credit card. "We cannot give you any information without your purchase number" (unreal, my credit card is used for illicit purchases, and I cannot find out where they are shipping the goods). They were nice though, and suggested I fax information to them if I wanted to speak to a security person, and they also suggested I have my local police contact them.

    Frederick's of Hollywood: Another company that put charges on my card - "We don't have a security department, call your credit card company." Will someone please shoot that g-string wearing cow.

    Local Police - I filled out an online complaint on Wednesday with the financial fraud division of my local police department. Still haven't heard a thing.

    I went the extra mile and filed a complaint with the FBI's Internet Crime Complaint Center: Classic moment in law enforcement... after filling out the extensive affidavit, I received a generated email that read in part, "The IC3 receives thousands of complaints each month and does not have the resources to respond to inquiries regarding the status of complaints. It is the IC3's intention to review all complaints and refer them to law enforcement and regulatory agencies having jurisdiction. Ultimately, investigation and prosecution are at the discretion of the receiving agencies." [in other words, we really don't do anything, best of luck old chap]. I wish the crew working this scam the best, they are truly disgusting, but ingenious. As for the entities above, the next time I hear a news report where they are whining about credit card fraud costing consumers and businesses millions, I'll just chuckle at how pathetic the reaction was to my inquiries. They really don't care. Finally, some have posted that it won't cost me anything.... they are wrong. Some credit cards require the user to pay the first $50 of such fraud. And what about the people who just don't catch the credit card fraudulent uses. If you do not challenge the charge within 90 days, in most cases, you own the debt. Finally, by having my credit card cancelled for fraudulent purposes, I am the lucky recipient of a fraud alert on my credit statements with the credit reporting agencies for at least the next thirty days (I think 60). This means that I am barred from gaining any instant credit during this time period. Several years ago I had fraud on another credit card (authorities believed that the info was lifted from the card while I was on vacation when I paid for something at a restaurant). I cancelled the card, but a couple weeks later there I was buying $2,000 worth of lumber at home depot for a home project. The clerk says to me, hey if you open up a home depot card, I can discount your purchase by 10%. Hey, I don't need a home depot card, but 200 bucks is nothing to sneeze at. After filling out the form, I was reject
