April 18, 2008 1:07 PM PDT

PayPal considers blocking browsers

by Robert Vamosi

PayPal is seriously considering blocking some browsers from accessing its site, according to a paper (PDF) available to shareholders.

Titled "A Practical Approach to Managing Phishing," the paper admits that there's no one silver bullet to prevent fraudsters from making money on the Internet. However, authors Michael Barrett, PayPal's chief information security officer, and Dan Levy, the company's senior director of risk management for Europe, say companies could and should start addressing five specific areas:

  1. Prevent fraudulent e-mail from getting into users' in-boxes

  2. Prevent phishing sites by shutting them down

  3. Authenticate users so that stolen credentials can't be used on PayPal

  4. Prosecute fraudsters to the full extent of the law

  5. Focus on brand and consumer recovery

Of these, the paper focuses mainly on e-mail prevention and phishing-site blocking. For e-mail prevention, the authors cite Yahoo Mail as an example and point to its use of DomainKeys to distinguish legitimate from illegitimate mail marked as coming from PayPal.

Most controversial is the idea of blocking "unsafe" browsers, or browsers that do not currently include antiphishing tools. PayPal says it would first notify users when they log in if they are using an unsafe browser. Later, PayPal would simply block the use of the browser entirely.

PayPal is interested in enforcing the new Extended Validation (EV) SSL certificates supported by Internet Explorer 7 and the upcoming Mozilla Firefox 3. EV SSL highlights the address bar in green when the site has been certified. Other browsers, such as Apple Safari and Opera, do not currently include these protections.

Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera browser on its DS and Wii gaming systems as lacking adequate antiphishing protection.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.