WEReveal

PayPal and Anti-Phishing

Over the past few days, I have seen a gag­gle of reports that PayPal may block old­er browsers from access­ing their site to stop phish­ing attacks. Of course, the Macintosh sites and a cou­ple non-Mac sites such as the NY Times have head­lines that pro­claim “PayPal Plans to Block Safari and Old Browsers.” Interestingly enough, the white paper that PayPal put out, doesn’t actu­al­ly men­tion Apple’s Safari web brows­er by name (although it cer­tain­ly could qual­i­fy). However, to me there are a cou­ple sad­ly miss­ing points in their white paper, one of which I believe could lead to dis­crim­i­na­tion against peo­ple with dis­abil­i­ties.

PayPal has the noble goal to reduce phish­ing to a bare min­i­mum. They rec­og­nize that there are two types of peo­ple that browse the web, those that are active­ly watch­ing out for their own secu­ri­ty and those that expect oth­ers to take care of them. PayPal calls them active and pas­sive. I almost want to call the pas­sive ones lazy but real­ly, most are just unin­formed.

PayPal then sets out ways to help both the active and pas­sive users. To help the active users, PayPal would like to require them to use a web brows­er that imple­ments the SSL-EV stan­dard, a very recent devel­op­ment. The EV stands for extend­ed ver­i­fi­ca­tion and dis­plays the address bar in green as well as a pad­lock. This is a “good thing,” some­thing busi­ness­es should con­sid­er seri­ous­ly for their e-com­merce sites. The SSL cer­tifi­cate costs sig­nif­i­cant­ly more but con­sumers will start to refuse to buy from sites that don’t use the EV stan­dard. Check out COMODO SSL for a price com­par­i­son for some of the well know EV cer­tifi­cate issuers. They seem to have pret­ty good prices for all their SSL cer­tifi­cates.

To help the pas­sive users, PayPal would like to require the web brows­er to have anti-phish­ing capa­bil­i­ties, ones that would block the users from going to know phish­ing sites. Another “good thing.”

Hrrumph. I don’t know this for sure but wouldn’t PayPal block­ing all “non-mod­ern” browsers pret­ty much elim­i­nate all peo­ple with dis­abil­i­ties that can’t use IE 7+ or FireFox 2+ unless their spe­cial­ized browsers add those fea­tures? The EV com­po­nent is almost use­less to the blind unless their brows­er would say, “This is an SSL-EV secure site.” Now, maybe that is a fea­ture they would want to add and will but I ques­tion how crit­i­cal it will be to upgrade those spe­cial­ized browsers.

The EV com­po­nent with the green bar is even out of reach for some col­or blind folks even if they are using a brows­er that can dis­play it. I real­ly think that web devel­op­ers (myself includ­ed) real­ly need to think through their web devel­op­ment, how it affects the dis­abled and how they can acco­mo­date those spe­cial needs. To my eyes, PayPal is ignor­ing those needs.

It will cer­tain­ly elim­i­nate text based browsers such as Lynx, eLinks, etc that I still use on occa­sion when at the com­mand line. I am guess­ing but it will also elim­i­nate a lot of oth­er built-in brows­er capa­bil­i­ties oth­er pro­grams have (for exam­ple, my Twitter client has a built-in web brows­er). Of course, I prob­a­bly am not going to use them to go to PayPal and there is the main rub I have with PayPal’s idea. It only pre­vents peo­ple from using old­er browsers from access­ing the PayPal site — it doesn’t stop the user from going to the phish­ing site at all since they could be using a total­ly dif­fer­ent pro­gram to access that phish­ing site!

This brings me to their solu­tion for pas­sive users, block­ing access to phish­ing sites. There are oth­er solu­tions that are far more effec­tive than adding it direct­ly to the brows­er. I for exam­ple use OpenDNS which pro­vides me with anti-phish­ing capa­bil­i­ties for all my pro­grams. If I acci­dent­ly try to go to a phish­ing site, it blocks me, no mat­ter what pro­gram I am using. PayPal appar­ent­ly thinks that if they force peo­ple to use a “good” web brows­er to access their web site, those users will always use that web brows­er. Pshaw! I have at least two web browsers open all the time and quite frankly often don’t even notice which one I am using at that moment.

The prob­lem is, until more ISP’s add the same anti-phish­ing capa­bil­i­ties to their DNS, this is a solu­tion out of reach to the pas­sive user. Active users will switch to OpenDNS or oth­er DNS ser­vices that offer that kind of capa­bil­i­ties but the pas­sive user will con­tin­ue to use what­ev­er DNS their ISP pro­vides them. As such, the brows­er capa­bil­i­ty is a good idea, if not a short term good idea.

Now, do I believe that Apple should add SSL-EV and anti-phish­ing capa­bil­i­ties to the web brows­er? Of course. They should imple­ment these fea­tures as soon as pos­si­ble, not because of PayPal which is tak­ing a weak stance, but because it is the right thing to do.

Do I believe that PayPal’s idea that forc­ing users to use a web brows­er that has those capa­bil­i­ties in order to access their site effec­tive? No. Passive users will be the worst at this. They will com­plain that PayPal is broke, most like­ly to their ISP, and con­tin­ue using what­ev­er brows­er they have even when told they need to upgrade or switch. Active users will sim­ply use what­ev­er brows­er they feel like using and use the “cor­rect” one when access­ing PayPal — but not nec­es­sar­i­ly the “cor­rect” one at oth­er times!

But most impor­tant­ly, I have to ask again, would PayPal in essence block all peo­ple with dis­abil­i­ties from using their site? From my van­tage point, I think they would and that is “a bad thing.”

Leave a Reply