PayPal has announced that they are going to block browsers which do not support EV SSL certificate anti-phishing technology, a group that includes the Apple Safari web browser, along with a few other browsers. The online payment service, purchased by eBay for $1.5B back in 2002, in the good old days of rampant Internet mergers and acquisitions, has become a frequent target of phishers and hackers. Anxious to recapture their good name and to offer to sellers and buyers alike a more secure environment, PayPal plans to discontinue support for web browsers that do not include anti-phishing capabilities. If this plan goes through, PayPal will block Safari and older versions of Internet Explorer, Firefox, Opera, and Netscape.
*Note: Since publication of this article, we have been made aware of one comment, to one story, by a PayPal employee refuting that PayPal plans to block Safari. Said Mike Oldenburg, of PayPal Corporate Communications, “We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website.” Weasel words, we think – exactly how is Oldenburg defining “current”? We suggest that they probably mean “up-to-date with current anti-phishing technology”, which Safari is not at this time, and that if and when Safari adds that current anti-phishing technology, it will be supported. A look at PayPal’s own website shows that they are now all about anti-phishing technology-enabled web browsers. (By the way, nothing wrong with that.)
EBay’s Chief Information Security Officer, Michael Barrett, and Director of Information Security, Dan Levy, recently co-authored a white paper disclosing this move, writing that in their view, “letting users view the PayPal site on an unsafe browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.”
In that white paper, an official PayPal white paper entitled “A Practical Approach to Managing Phishing”, they say, and we quote:
At PayPal, we are in the process of re-implementing controls which will first warn our customers
when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking
customers from accessing the site from the most unsafe – usually the oldest – browsers.
Somehow, we think we’ll give a bit more weight to what PayPal’s Chief Information Security Officer and their Director of Information Security have to say than to what some Corporate Communications flack posts in a comment to an article on a 3rd-party site. A request to clarify the impact this move will have on Safari users, posted on the PayPal blog, has so far gone unanswered.
It is at this point that we should make clear that we applaud PayPal for their position, the white paper, and their efforts. But they should also make an unequivocal public statement as to whether or not people who use Safari will be blocked from accessing the PayPal sites and services.
So back to unsafe browsers and seatbeltless cars, it’s time to buck up and buckle up, people. PayPal said recently that it still sees site visitors using the decade-old Internet Explorer 3, released when security was little more than making sure that nobody was looking over your shoulder as you entered your password. The security situation is much more complex today, but PayPal intend to transition themselves and their users to superior security in the future. And it does appear that in order to curb attempted security breaches, in particular phishing hacks, PayPal will after this transition only permit transactions with browsers that support Extended Validation (EV) SSL certificates.
Users will be warned if they use an insecure browser, and if they persist they will be prevented from accessing the site until they upgrade.