PayPal is planning to block users from accessing its services if they use older browser versions that do not support anti-phishing features. This decision is part of a broader strategy that the famous online payment provider is pursuing to protect users from phishing attacks that would compromise their accounts.
According to Sophos, PayPal and its owner eBay were the two most popular phishing targets in 2006, accounting for 75% of all the phishing e-mails sent.
At first PayPal tried to solve the problem by reimbursing victims for the amount they lost, but this practice proved far from effective, so the company started working with individual ISPs to create filters that would keep phishing e-mails from reaching users’ mailboxes. These filters were based on digital signatures bundled into genuine PayPal messages to prove that those messages were in fact sent by PayPal itself.
But since security plans are never enough, PayPal also started another strategy to protect its users: to educate them in the matter of self-protection, PayPal will start blocking them if they still use older versions of their browsers, and they will be notified that they must upgrade to the latest version if they want to continue using the service.
The browsers will be divided into three tiers:
- The first-tier browsers (currently Firefox 2, MSIE 7.0, and Opera 9.25, and later versions) will be able to log in to PayPal normally.
- The second-tier browsers (the version previous to the current one) will be able to log in, but users will be warned that their browser version is out of date and does not include a phishing filter or does not support Extended Validation SSL certificates.
- The third-tier browsers (all older browser versions) will be blocked from accessing PayPal entirely.
For most people this blocking will not be a problem, since those browser upgrades are free and usually delivered by automatic-update systems. At first there were concerns about Apple Safari, since it includes neither an anti-phishing feature nor support for “Extended Validation (EV) certificates”, but on Friday PayPal stated that it will not ban Safari 2.0 on Tiger until Apple ships the successor to Mac OS X 10.5.
Regarding this plan, PayPal states: “In our view, letting users view the PayPal site on one of these [older] browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.”
PayPal has yet to specify a timetable for when it will switch on this browser-blocking system.
PayPal’s Home Page: http://www.paypal.com
PayPal’s “Safer Web Browsers Overview” guide: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/SaferBrowsers-outside
Edited on 21/04/08: I have updated this article to reflect the PayPal position on Apple Safari.