PayPal fixes phishing hole

PayPal has fixed a flaw in its Web site to block a sophisticated scam designed to obtain sensitive data from members, the payment service said Friday.

By exploiting the flaw, attackers were able to redirect people from a PayPal Web page to an online trap located in South Korea, a representative for the service said. The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account had been compromised. It then redirects them to a "phishing" Web site.

At the malicious, information-thieving Web site, people are asked for their PayPal login information, experts at Netcraft, an Internet monitoring company in England, said in an advisory. Subsequently, the scammers are urged to enter their Social Security number and credit card details, Netcraft said.

"As soon as we became aware of this scheme, we changed some of the code on the PayPal Web site. So this scheme, or any scheme like it, can no longer be effective," Amanda Pires, a PayPal spokeswoman, said in an interview.

PayPal, a unit of online auctioneer eBay, is working with the Internet service provider that hosts the malicious site to get it shut down, Pires added. The company has no information on how many people may have fallen victim to the scam, she said.

[directorblue]

When will PayPal and other financial firms require stronger authentication?

Many forms of stronger auth exist, without forcing vendors to pay for two-factor. One example is captcha-based authentication described here:

http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html

In addition, SSL for all transactions is an absolute requirement. Another is communication plans that utilize webmail hosted on the financial website only (i.e., no direct communications through an email channel).

[tony_z]

PayPal doesn't even have an age check!

So many freaking kids used their parent's credit card to buy stuff and then the parent chargeback! PAYPAL NEEDS COMPETITION FROM GOOGLE!

[209979377489953107664053243186]

... or smarter email

If PayPal really wanted to make identifying them as the legitimate company from phishing scams, they would make the step to email that authenticates. Yes, it would mean customers would have to install the software to access the email, but there are simple solutions available that make downloading no more difficult than getting an IM account. PayPal themselves would only have to buy licenses for them to send the emails, customers access them for free. Secure, authenticated, and inexpensive.

I think it's time for companies like PayPal, Ebay and your average credit card company to start requiring this from the customers, for their own protection.

http://www.essentialsecurity.com/

[jetter99]

Hi,

I am just starting up my online store, and am exploring ecommerce providers. I came across SWREG. They have new pricing for 0% (http://usd.swreg.org/zeropercentecommerce.htm). Has anyone used them, the features offered make it pretty interesting.

Mark

[lonny paul]

C'mon guys

PIN ##s - are the only way to go with Credit Cards. I mean, it's retarded we don't have them already for in person use - even though a biometric reader integrated into my Toshiba Libretto is the real future.

Why not biometrically scan our fingerprints?

Guess they don't want a rush of "finger" choppings?

[westrajc]

Find The Phishers and "Sanction" Them!

Enough! Find the phishers and "sanction" them! These people are the 21st Century version of 18th Century pirates. That scourge was eliminated by hunting them down, bringing them swiftly to trial, hanging them and displaying their rotting corpses for all other would-be pirates to see. Let's do the same with these bastards with the added touch of displaying their corpses on the Internet!

[Gromit801]

A little Islamic Law?

Cutting off their hands perhaps? No more coding.

[Nkully86]

If it were only so easy...

I completely agree, phishers/pirates/thieves whatever you call them these days need to be taken care of. They are now targeting civilians and making them seem personally responsible because they were not careful enough in giving out their Social Security/Credit Card etc. These pages are so difficult to identify because it is not an everyday task to check every little detail of a web page to make sure it is legitimate.

Phishers are like email hackers, they go about their business so subtly and make the victim (usually helpless individuals) feel utterly guilty about not being too careful. One way to prevent phishing scams is to make sure that you are using an encryption program that lets you identify exactly who sent you the message and for what purpose it was sent. Phishing is one of the most obvious, but widespread forms of identity theft and it seems like people have done minimal to stop it, lets change our ways and spread awareness.
http://www.techknowbizzle.com/2006/03/anatomy-of-phishing-scam.html

[billstewart]

When will Paypal use SPF or equivalent email protection?

It's nice that they found and fixed a bug. But 99.9% of the email I get purporting to be from Paypal or EBay is spam that *doesn't* come from Paypal/EBay's mail servers. When will they enable SPF so my mail client or mailbox service can discard it without bothering me with it? (Or if not SPF, then Microsoft's or somebody else's DNS-based email source verifier - I don't really care whose.) Digital signatures are nice too, but I want to discard most of the obvious forgeries first, and it's only about 1 step above a no-brainer to implement.