PayPal plans to block older browsers
In a White Paper, PayPal's Chief Information Security Officer Michael Barrett and Senior Director of Risk Management Dan Levy describe the measures that could be taken to handle the phishing problem. One of them is to block older browsers.
Barrett and Levy say they could protect users by sending only signed emails, and only from servers that support DomainKeys and Sender Policy Framework (SPF). Receiving providers would then be able to filter out most phishing emails before they ever reach users. PayPal is also working with Iconix, a firm that sells plug-ins for email clients to check email signatures.
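To make the filtering step concrete, here is an added example (not PayPal's or Iconix's code) of the SPF half of that check: a minimal evaluator of the kind a receiving mail provider runs against the connecting server's IP before a message reaches the inbox. DNS is replaced by an in-memory table of constructed records (`FAKE_DNS`, using `example.*` names) so it runs offline, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented; `a`, `mx`, `ptr` and `exists` would need live lookups and are treated as no match. The `filter_decision` mapping from SPF result to reject/quarantine/deliver is likewise an assumption for the example, not PayPal's policy.

```python
"""Minimal Sender Policy Framework (SPF) check, of the kind a receiving
mail provider runs on an inbound message before it reaches the user.

Added illustration only; this is not PayPal's or Iconix's code.  DNS is
replaced by an in-memory table of constructed records so the example
runs offline, and only the ip4, ip6, include and all mechanisms are
implemented (a, mx, ptr and exists need live lookups and count as no match).
"""
import ipaddress

# Constructed TXT records standing in for DNS answers (example.* names).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 ip4:198.51.100.7 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    """
    if depth > 10:  # RFC 7208 limits include: nesting; treat runaway as an error
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to 'pass' when they match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # split at the first colon only
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: do not guess
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced domain's policy passes
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        # a / mx / ptr / exists would need live DNS; left as "no match" here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a match and without 'all'


def filter_decision(sender_ip, domain, dns=FAKE_DNS):
    """Turn the SPF result into the provider's handling of the message (assumed policy)."""
    result = check_spf(sender_ip, domain, dns)
    if result == "fail":
        return "reject"  # sender explicitly disallowed by the domain owner
    if result in ("softfail", "none", "permerror"):
        return "quarantine"  # uncertain: keep out of the inbox, but do not lose it
    return "deliver"  # 'pass' or 'neutral'


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1", "203.0.113.5"):
        print(ip, check_spf(ip, "example.com"), filter_decision(ip, "example.com"))
```

The point of the `-all` at the end of the record is what makes the measure effective against phishing: a message claiming to come from the domain but sent from an address outside the listed ranges evaluates to `fail`, and a provider can drop it without involving the user. A `~all` (softfail) policy, as in the included record, only marks such mail as suspicious, which is why the paper's approach depends on the sending domain publishing a strict policy.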
PayPal also uses Extended Validation Secure Sockets Layer (EV-SSL) certificates for further protection. Firefox 3 and Internet Explorer 7 correctly display a green address bar if a website has a proper EV-SSL certificate. Security experts at PayPal have found that authentication poses another problem. Phishers can use the user data that they gain to access user accounts. PayPal wants to rule out this possibility by using tokens that provide one-time passwords. This approach is still vulnerable to man-in-the-middle attacks.
PayPal also wants to block access for outdated browsers and those considered unsafe. PayPal's list of safe browsers in the White Paper includes Firefox, Internet Explorer 7, and Opera as of version 9.25. Because Safari does not contain any phishing protection, it was not included in the list of trusted browsers. According to the White Paper, the release immediately before the current version of a browser reportedly triggers a warning, while older versions are blocked from accessing PayPal completely. However, PayPal has told ZDNet that Safari is not to be blocked. "We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website."
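The warn/block scheme described above amounts to a version gate on the `User-Agent` header. The following is an added example of such a gate, not PayPal's code: the browser families and the Internet Explorer 7 and Opera 9.25 thresholds come from the list reported above, while the "current" versions and the Firefox minimum are constructed assumptions for the example. Browsers not on the list (Safari, for instance) are reported as `unknown` and left to a separate policy decision rather than blocked, in line with PayPal's statement to ZDNet.

```python
"""Browser-version gate of the kind the White Paper describes: accept
current versions of the listed browsers, warn on the release before the
current one, block anything older, and leave unlisted browsers to a
separate policy decision.

Added illustration only; this is not PayPal's code.  The families and the
IE7 / Opera 9.25 thresholds follow the list reported above; the 'current'
versions and the Firefox minimum are constructed assumptions for the example.
"""
import re

# family -> lowest version still accepted and the version treated as current.
# Versions are compared component-wise as integers, e.g. (9, 25) < (9, 50).
POLICY = {
    "Firefox": {"minimum": (2, 0), "current": (3, 0)},    # minimum is an assumption
    "MSIE":    {"minimum": (7, 0), "current": (7, 0)},    # IE7 is the listed version
    "Opera":   {"minimum": (9, 25), "current": (9, 50)},  # 9.25 from the list; current assumed
}

# Opera is checked first: some Opera builds also carry an "MSIE" token.
UA_PATTERNS = [
    ("Opera",   re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE",    re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]


def parse_user_agent(user_agent):
    """Return (family, version_tuple), or None if no listed family is present."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return family, tuple(int(part) for part in m.group(1).split("."))
    return None


def classify_user_agent(user_agent, policy=POLICY):
    """Decide 'allow', 'warn', 'block' or 'unknown' for a request's User-Agent."""
    parsed = parse_user_agent(user_agent)
    if parsed is None:
        return "unknown"  # not on the list; handled by a separate policy, not blocked here
    family, version = parsed
    rules = policy[family]
    if version < rules["minimum"]:
        return "block"  # older than the last release still accepted
    if version < rules["current"]:
        return "warn"  # the release before the current one: let in, but warn
    return "allow"


if __name__ == "__main__":
    # Constructed sample User-Agent strings in the format these browsers used.
    for ua in (
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Opera/9.25 (Windows NT 5.1; U; en)",
    ):
        print(classify_user_agent(ua), "<-", ua)
```

One caveat a practitioner would keep in mind: the `User-Agent` header is supplied by the client and can be set to anything, so a gate like this steers users toward browsers with phishing protection but does not establish which browser is really in use. It belongs alongside the email and certificate measures, not in place of them.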
PayPal might also block other web browsers. At the Usability, Psychology, and Security Conference 2008 in San Francisco, researchers from the University of California gave a presentation in which they pointed out potential security holes in web browsers on mobile devices and games consoles such as Apple's iPhone and Nintendo's Wii and DS. Some security mechanisms are apparently not implemented in these browsers, and the low display resolution of these units means that URLs are not completely displayed, which makes phishing attacks easier. In addition, users of such units are more likely to click on links in emails because the software keyboard is harder to use for entering addresses.
- A Practical Approach to Managing Phishing (PDF), white paper by Michael Barrett and Dan Levy