PayPal and Anti-Phishing

Over the past few days, I have seen a gaggle of reports that PayPal may block older browsers from accessing their site to stop phishing attacks. Of course, the Macintosh sites and a couple non-Mac sites such as the NY Times have headlines that proclaim “PayPal Plans to Block Safari and Old Browsers.” Interestingly enough, the white paper that PayPal put out, doesn’t actually mention Apple’s Safari web browser by name (although it certainly could qualify). However, to me there are a couple sadly missing points in their white paper, one of which I believe could lead to discrimination against people with disabilities.

PayPal has the noble goal to reduce phishing to a bare minimum. They recognize that there are two types of people that browse the web, those that are actively watching out for their own security and those that expect others to take care of them. PayPal calls them active and passive. I almost want to call the passive ones lazy but really, most are just uninformed.

PayPal then sets out ways to help both the active and passive users. To help the active users, PayPal would like to require them to use a web browser that implements the SSL-EV standard, a very recent development. The EV stands for extended verification and displays the address bar in green as well as a padlock. This is a “good thing,” something businesses should consider seriously for their e-commerce sites. The SSL certificate costs significantly more but consumers will start to refuse to buy from sites that don’t use the EV standard. Check out COMODO SSL for a price comparison for some of the well know EV certificate issuers. They seem to have pretty good prices for all their SSL certificates.

To help the passive users, PayPal would like to require the web browser to have anti-phishing capabilities, ones that would block the users from going to know phishing sites. Another “good thing.”

Hrrumph. I don’t know this for sure but wouldn’t PayPal blocking all “non-modern” browsers pretty much eliminate all people with disabilities that can’t use IE 7+ or FireFox 2+ unless their specialized browsers add those features? The EV component is almost useless to the blind unless their browser would say, “This is an SSL-EV secure site.” Now, maybe that is a feature they would want to add and will but I question how critical it will be to upgrade those specialized browsers.

The EV component with the green bar is even out of reach for some color blind folks even if they are using a browser that can display it. I really think that web developers (myself included) really need to think through their web development, how it affects the disabled and how they can accomodate those special needs. To my eyes, PayPal is ignoring those needs.

It will certainly eliminate text based browsers such as Lynx, eLinks, etc that I still use on occasion when at the command line. I am guessing but it will also eliminate a lot of other built-in browser capabilities other programs have (for example, my Twitter client has a built-in web browser). Of course, I probably am not going to use them to go to PayPal and there is the main rub I have with PayPal’s idea. It only prevents people from using older browsers from accessing the PayPal site – it doesn’t stop the user from going to the phishing site at all since they could be using a totally different program to access that phishing site!

This brings me to their solution for passive users, blocking access to phishing sites. There are other solutions that are far more effective than adding it directly to the browser. I for example use OpenDNS which provides me with anti-phishing capabilities for all my programs. If I accidently try to go to a phishing site, it blocks me, no matter what program I am using. PayPal apparently thinks that if they force people to use a “good” web browser to access their web site, those users will always use that web browser. Pshaw! I have at least two web browsers open all the time and quite frankly often don’t even notice which one I am using at that moment.

The problem is, until more ISP’s add the same anti-phishing capabilities to their DNS, this is a solution out of reach to the passive user. Active users will switch to OpenDNS or other DNS services that offer that kind of capabilities but the passive user will continue to use whatever DNS their ISP provides them. As such, the browser capability is a good idea, if not a short term good idea.

Now, do I believe that Apple should add SSL-EV and anti-phishing capabilities to the web browser? Of course. They should implement these features as soon as possible, not because of PayPal which is taking a weak stance, but because it is the right thing to do.

Do I believe that PayPal’s idea that forcing users to use a web browser that has those capabilities in order to access their site effective? No. Passive users will be the worst at this. They will complain that PayPal is broke, most likely to their ISP, and continue using whatever browser they have even when told they need to upgrade or switch. Active users will simply use whatever browser they feel like using and use the “correct” one when accessing PayPal – but not necessarily the “correct” one at other times!

But most importantly, I have to ask again, would PayPal in essence block all people with disabilities from using their site? From my vantage point, I think they would and that is “a bad thing.”

Leave a Reply