Friday, April 18, 2008

PayPal to Ban Safari?

According to ComputerWorld, PayPal is planning on limiting access to its site to users of browsers that implement "anti-phishing" technologies, such as later versions of Firefox and Microsoft's Internet Explorer. ComputerWorld claims this would include a ban on Apple's Safari browser. This is ComputerWorld jumping to conclusions: it is piecing together comments made by PayPal over the last few months.

Safari is perfectly fine, now that I have been using it for a while. I read PayPal's White Paper mentioned in the ComputerWorld article, and it is quite a good overview of the problems of Phishing, and PayPal's response to it.

PayPal is an online bank, really. Phishers have been targeting them just like any other bank. Phishing is the practice of sending millions of emails that masquerade as a target bank's official email, luring the recipient to click an embedded link that goes to a fake site, where you then enter your logon information. Voilà! Now they have your credentials, which the crooks use to steal money from you and from the target bank (since banks usually cover money stolen by fraud, which Phishing is).

PayPal's approach to Phishing is interesting. It is:

  1. Try to put in place verified email so that phishing emails can be stopped before they reach in-boxes.

  2. Have Phishing sites "Blocked" from the internet, by using anti-Phishing features of some browsers and law enforcement working with the Phisher's Internet provider. (The law enforcement piece here was listed separately on the white paper as an "Ancillary Strategy" but, really, it is part of the same thing. Block the site, and take it down through legal means).

  3. "Customer Education" -- get the customer to know more about the problem and act to avoid Phishers. (This smacks of "if only the customer would stop screwing up!").

  4. Better authentication methods.

  5. Finally, legal means via legislation preventing "spoofing" sites.

Their conclusion is that they want to move forward with the multi-pronged strategy, and they single out specifically the email authentication part (step 1).

Here's my take:

PayPal can do something that can nip this in the bud - and, as it turns out, they are almost already there.

They put "Authentication" as section 5.3 under "Ancillary Strategies". Four paragraphs in an eleven page document. And yet, authentication is the true answer to the problem. Phishers can phish all day long and die on the vine if PayPal puts in place a real authentication scheme.

I logged into my PayPal account. I used my email address and password -- this is the standard way. Email address and password. This is weak authentication. This is the kind of thing that is easily Phished for and gotten. PayPal, in their white paper, appears to be trying to "boil the ocean" with internet protocol changes, changes to laws in a hundred countries, law enforcement swat teams, and user re-education camps, and yet they still have this weak password scheme? Why don't they implement a real authentication scheme? One that proves that the person is who they say they are?

Guess what? They have! But not 100%.

After I logged in, I noticed that they have something called the "PayPal Security Key." This is a device that implements two-factor authentication. You have your ID and password. The device provides a six-digit code that changes every thirty seconds. When you log in, you provide your user ID, password, and the current code from the device. For whatever reason, this is optional, not required.

They are introducing this for $5. It also works for eBay, and they say it will be usable at other sites down the road. If you have PayPal or eBay, get one!

I used basically the same thing years ago at my prior job, and it works great. You no longer have to really worry about your password, and the company that issues it no longer has to worry about customers or employees who write their passwords down on post-its attached to their keyboard. This circumvents all that. A fraudster can have your name, user ID, password, mother's maiden name, social security number, etc., etc. They can even have the last six-digit number you used. But if they don't have the device, they can't get in! Not unless they happen to guess a one-in-a-million number, and the code they saw you type is stale thirty seconds later. In other words, they have to win the lottery, but all they get is your PayPal balance! (The one case a token does not cover is a phisher who relays a freshly typed code to PayPal within that same thirty-second window; he gets that one session, but the password he stole is worthless the next time he tries.)
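As an added worked example, not PayPal's or VeriSign's own code, here is what a six-digit, thirty-second token and the site-side check that goes with it amount to. It assumes an OATH-style algorithm (HOTP, RFC 4226, driven by the clock as in TOTP, RFC 6238), a constructed shared seed, and a hypothetical `AccountVerifier` class standing in for PayPal's login; the real Security Key's internals are not described on this page. It walks through the cases above: the owner with the device, a phisher holding only the stolen password, a phisher replaying the last code you used, and a code that has gone stale.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not PayPal's or VeriSign's documented design):
# an OATH-style token, HMAC-SHA1, six digits, a new code every thirty seconds,
# i.e. HOTP (RFC 4226) with the counter taken from the clock (TOTP, RFC 6238).
DIGITS = 6
STEP_SECONDS = 30

# Constructed seed, shared between the token and the site's verifier.
TOKEN_SECRET = b"constructed-demo-seed-0123456789"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step)


class AccountVerifier:
    """Hypothetical site side: a login needs the password AND a fresh, unused token code."""

    def __init__(self, password: str, secret: bytes, skew_steps: int = 1):
        self.password = password
        self.secret = secret
        self.skew_steps = skew_steps        # tolerate one step of clock drift either way
        self.last_accepted_counter = -1     # replay protection: never accept an older step

    def login(self, password: str, code: str, unix_time: int) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue                    # that step was already used (or is older): refuse
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo(now: int = 1208563200) -> dict:
    """Scenarios from the text, run in order against one account. Returns outcome by name."""
    site = AccountVerifier("hunter2", TOKEN_SECRET)
    code = totp(TOKEN_SECRET, now)          # what the device shows right now
    # A guess that is not the current code; hitting the neighbouring step is a one-in-a-million shot.
    guess = code[:-1] + str((int(code[-1]) + 1) % 10)

    outcomes = {}
    # Someone holding the device but not the password is refused too.
    outcomes["right_code_wrong_password"] = site.login("letmein", code, now)
    # The owner, with password and device, gets in.
    outcomes["owner_logs_in"] = site.login("hunter2", code, now)
    # Phisher has the password from a fake site but no device: must guess the code.
    outcomes["stolen_password_guessed_code"] = site.login("hunter2", guess, now)
    # Phisher also captured the code the owner just used: replaying it is refused.
    outcomes["stolen_password_replayed_code"] = site.login("hunter2", code, now + 5)
    # Ninety seconds on, that captured code is three steps stale.
    outcomes["stolen_password_stale_code"] = site.login("hunter2", code, now + 90)
    # The owner simply reads the new code off the device.
    outcomes["owner_ninety_seconds_later"] = site.login(
        "hunter2", totp(TOKEN_SECRET, now + 90), now + 90)
    return outcomes


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:32s} {'accepted' if ok else 'refused'}")
```

The part that is easy to get wrong on the site side is `last_accepted_counter`: without it, "the last six-digit number you used" would keep working for the rest of its thirty-second window, which is exactly the replay a phisher who watches you type would attempt.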

So, PayPal wants to stop fraud. They can stop fraud tomorrow if they require all their users to get one of these keys. This is an expensive solution, but, hey, banks have been known to give toasters away with new accounts, so why not security keys?

Everything else in their white paper is interesting, but at the end of the day will not eliminate fraud. It will reduce fraud, and that is good. But changing email protocols, forcing browsers to conform to some "anti-phishing" standard, changing laws, and finally getting users educated are all long term incremental actions that over a period of maybe ten to twenty years may yield some fruit. The internet, however, by its nature, is wide open. You can cordon off parts here and there using laws and protocols, but the openness will always be there, leaving room for crooks to maneuver.

In any event, I think it is important for companies like PayPal to know who it is they are dealing with - it is up to them to ensure you are who you say you are. I personally have no control over someone claiming to be me and logging into PayPal, even if some personal information was Phished out of me. It is someone else, knocking on PayPal's door, claiming to be me. PayPal is holding my money in trust. I expect them to keep someone else's mitts off my money! So, PayPal needs to implement a way that proves it is me doing business as me. This Security Key does that.

There are methods other than hardware keys to do this. Vidoop was mentioned in an earlier blog entry. However, Vidoop is more for your peace of mind than for the site you log in to: Vidoop authenticates your machine and you, to your satisfaction, so you know that no one else can impersonate you using a Vidoop ID. But since Vidoop is an OpenID provider, sites that accept OpenID are not forced to accept only Vidoop IDs.

As for the threat of PayPal restricting site access to "safe" browsers, potentially banning Safari, I think it is a better bet for PayPal to push their Security Key than to restrict users based on the browser they choose. There are a lot of Macs out there. Yes, I know you can run Firefox on a Mac, but why force the issue? Lots of people will pay $5 for an access key/token, but not $1,000 for a new computer that can handle a pig like IE 7, especially when that $1,000 gets them a Mac!


JamesP said...

The security key is indeed the simplest option. I have one, not the particular PayPal version, but one from VeriSign. VeriSign runs the "VIP" identity protection scheme, and provides the Security Key for PayPal. It's the same thing.

Mine is a credit card-like device that slips in my wallet, rather than on my keychain. I'm known to forget my keys, but never my wallet. Nevertheless, it is the same generator of 6-digit codes, and it works flawlessly and easily.

Were I so inept as to give some jerk in Russia or Nigeria my user/pass for my PayPal, eBay, or worse, my bank account, they still can't get in. Because that little VeriSign card is in my grubby paws as I type this, and they won't be able to press the button and get the fresh 6-digit code.

It is the way of the future, and it needs to become the standard.

I would suggest getting a token from PayPal rather than directly from VeriSign, since PayPal only charges you $5. PayPal is losing money on the deal, for your benefit. Mine direct from VeriSign cost me $30. Save the 25 bucks - it's the same thing - VeriSign VIP.

JamesP said...

Oh, and by the way, they should put this on page one when you log in. I actually had to dig to find out where to activate my token!

Talk about 4 paragraphs in a many-page document. This should be first and foremost. Log in, get a security token page.