PayPal Security Flaw Allows Identity Theft
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."
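The story's key point is that the injected content rides on the genuine origin, so a valid certificate tells the user nothing about whether the page body was tampered with. The following is an added illustration, not code from the story or from PayPal: a server that echoes a query parameter straight into its HTML (the reflected cross-site scripting pattern the summary describes) next to the hardened version that escapes the parameter, plus a small check a defender can run over rendered output. The page template, the `q` parameter and the sample URL are all constructed for the example.

```python
# Added example, not from the Slashdot story or PayPal. The template,
# the "q" parameter and the sample URL are hypothetical.
from html import escape
from urllib.parse import parse_qs, urlsplit

# A minimal page that reflects a user-supplied search term back to the user.
PAGE = "<html><body><h1>Search results for: {term}</h1></body></html>"


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the raw parameter is pasted into the markup,
    so any tags it carries become part of the page served by the real host."""
    return PAGE.format(term=term)


def render_safe(term: str) -> str:
    """Hardened form: the parameter is HTML-escaped, so the browser shows it
    as text and never parses it as markup or script."""
    return PAGE.format(term=escape(term, quote=True))


def looks_like_markup_injection(rendered: str, term: str) -> bool:
    """Defender-side check on rendered output: did a parameter containing
    markup characters survive into the page unescaped?"""
    return ("<" in term) and (term in rendered)


def term_from_url(url: str) -> str:
    """Extract the 'q' query parameter from a landing-page URL (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


# Constructed sample: a link whose parameter carries a script tag.
SAMPLE_URL = "https://www.example.com/search?q=%3Cscript%3Ex%3C/script%3E"

if __name__ == "__main__":
    term = term_from_url(SAMPLE_URL)
    print("unsafe:", render_unsafe(term))
    print("safe:  ", render_safe(term))
    print("injection survived (unsafe):", looks_like_markup_injection(render_unsafe(term), term))
    print("injection survived (safe):  ", looks_like_markup_injection(render_safe(term), term))
```

The escaped version still displays the user's input, which is why output encoding rather than input rejection is the usual fix: it preserves functionality while removing the ability to alter the page's structure.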
how?? (Score:3, Interesting)
Re:how?? (Score:2, Interesting)
Nothing new (Score:3, Interesting)
AFAIK, at least one psychopath has already argued that raping children is a victimless crime. It should be pretty hard to beat that, but I have no doubt that someone will try to.
Anyway, it's nothing new. The software pirates certainly didn't start it, they just found a niche where it's easier to convince someone that since a copy of the original was made, nothing had really been lost. But, as you can see, it doesn't prevent people from claiming the exact same when some demonstrable harm _did_ get done. (E.g., money from someone's account isn't duplicated; it actually disappears from person A to enter the possession of person B.)
And honestly, seeing some of the arguments made, I can't help noticing a common theme of handwaving someone else's loss, time, suffering, even pain, as unimportant and not enough to make anyone a victim or to make the act a crime. In effect, the gross disregard for other people. It's beyond individualism, and outright in the realm of sociopathy.
Half right (Score:3, Interesting)
However, you are wrong that it is a victimless crime.
For example, if I use your Slashdot username to post troll comments under your name, it will negatively affect your karma, and not mine. Same thing applies with other forms of using someone else's identity, except instead of karma, think 'credit history', 'bank account' or 'criminal record'.
Re:Trickery and Buggery (Score:3, Interesting)
I usually spot phishing scams based on the informal register of the language. Like, this is what I'd expect to hear in that case:
That is, when they're not totally butchering my language:
Now, what these dirt-poor third-world phishers need is the opportunity to work with an English major from an American university! I see a lucrative business opportunity for both them and my cohorts, who are universally working at theaters and coffee shops.
Or worse, a brokerage debit card. (Score:4, Interesting)
I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.
Since the bubble burst, I don't have to worry about having a lot of money in a money market account.
That's fine (Score:1, Interesting)
Paypal's main site (http://www.paypal.com) does *NOT* do a permanent redirect to https://www.paypal.com, so if you hit www.paypal.com you give your paypal login and password in the clear. I've emailed them several times on this and have finally given up, as they don't bother to respond.
So if you can get in between Paypal and your target, you don't even need to fool anybody.
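The commenter's check (does a plaintext request to the site get upgraded to HTTPS before any login form is served?) is easy to automate. The following is an added example, not code from the commenter or from PayPal: it classifies a captured HTTP response by status code and `Location` header, and reports whether the server also sends a `Strict-Transport-Security` header, which is what stops browsers from making the plaintext request at all on later visits. The host name and the sample responses are constructed for the example.

```python
# Added example, not from the comment or PayPal. The host and the captured
# responses below are constructed samples.
from urllib.parse import urlsplit


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def https_upgrade_status(request_url: str, status: int, headers: dict) -> str:
    """Classify how an http:// request was answered.

    'permanent' : 301/308 to https:// on the same host (cacheable upgrade)
    'temporary' : 302/303/307 to https:// on the same host (re-asked every time)
    'none'      : content served in the clear, or a redirect that stays on http
    """
    request = urlsplit(request_url)
    if request.scheme != "http":
        raise ValueError("expected a plaintext http:// request URL")
    target = urlsplit(_header(headers, "Location"))
    upgraded = target.scheme == "https" and target.hostname == request.hostname
    if upgraded and status in (301, 308):
        return "permanent"
    if upgraded and status in (302, 303, 307):
        return "temporary"
    return "none"


def has_hsts(headers: dict) -> bool:
    """True when the response carries a Strict-Transport-Security header."""
    return _header(headers, "Strict-Transport-Security") != ""


def audit(request_url: str, captures: dict) -> dict:
    """Run the classification over a set of named captured responses."""
    return {
        name: (https_upgrade_status(request_url, status, headers), has_hsts(headers))
        for name, (status, headers) in captures.items()
    }


# Constructed captures for http://www.example.com/ (status, headers).
REQUEST_URL = "http://www.example.com/"
CAPTURES = {
    "served_in_clear": (200, {"Content-Type": "text/html"}),
    "temporary_upgrade": (302, {"Location": "https://www.example.com/"}),
    "permanent_upgrade": (301, {"location": "https://www.example.com/",
                                "Strict-Transport-Security": "max-age=31536000"}),
    "stays_on_http": (301, {"Location": "http://www.example.com/home"}),
    "other_host": (301, {"Location": "https://login.example.net/"}),
}

if __name__ == "__main__":
    for name, result in audit(REQUEST_URL, CAPTURES).items():
        print(f"{name:18s} upgrade={result[0]:9s} hsts={result[1]}")
```

Only the `permanent_upgrade` capture is in good shape: a 200 in the clear exposes whatever the page collects to anyone on the path, and even a redirect leaves the very first request unprotected unless the browser already holds an HSTS entry for the host.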
Good news for Google (Score:3, Interesting)
I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.
Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
Re:No signature = No liability (Score:3, Interesting)
They're up to no good somehow.
I made a contribution to a free overseas web service, being a good guy, supporting it, etc. Looking at the PayPal trail of breadcrumbs, they determined the exchange rate[*], rounded up, made the payment, then returned the difference to my account.
About ten days later, I get a nifty envelope from GE, managing a "PayPal Credit Service" for the amount of the exchange rate[*] with a minimum charge, deadline, service charge if it's late ($15), everything you'd expect to see from a credit card service. My only means of communication with this "GE" service which is handling the PayPal credit service is a PO Box.
I've never seen a credit service mentioned on the PayPal site, and the fact that everything balanced in the exchange rate process tells me something smells.
Does anyone else have info on this type of garbage?
I'm halfway tempted to make the ten mile drive to the county seat and make a filing in Small Claims and find out what they're up to.
I'd like to know... (Score:4, Interesting)
Has anyone else seen this?
They got me (Score:2, Interesting)