Showing posts with label Security. Show all posts

Friday, April 18, 2008

PayPal to Ban Safari?

According to ComputerWorld, PayPal is planning on limiting access to its site to users of browsers that implement "anti-phishing" technologies, such as later versions of Firefox and Microsoft's Internet Explorer. ComputerWorld claims this would include a ban on Apple's Safari browser. This is ComputerWorld jumping to conclusions -- ComputerWorld is piecing together comments made by PayPal over the last few months.

Safari is perfectly fine, now that I have been using it for a while. I read PayPal's White Paper mentioned in the ComputerWorld article, and it is quite a good overview of the problems of Phishing, and PayPal's response to it.

PayPal is an online bank, really. Phishers have been targeting them just like any other bank. Phishing is the practice of someone mailing millions of emails that masquerade as a target bank's official email, luring the email recipient to click on an embedded link which goes to a fake site, where you then enter your logon information. Voilà! Now they have your personal information, which the crooks use to steal money from you and from the target bank (since banks usually cover moneys stolen by fraud, which Phishing is).

PayPal's approach to Phishing is interesting. It is:

  1. Try to put in place verified email so that phishing emails can be stopped before they reach in-boxes.

  2. Have Phishing sites "Blocked" from the internet, by using anti-Phishing features of some browsers and law enforcement working with the Phisher's Internet provider. (The law enforcement piece here was listed separately on the white paper as an "Ancillary Strategy" but, really, it is part of the same thing. Block the site, and take it down through legal means).

  3. "Customer Education" -- get the customer to know more about the problem and act to avoid Phishers. (This smacks of "if only the customer would stop screwing up!").

  4. Better authentication methods.

  5. Finally, legal means via legislation preventing "spoofing" sites.

Their conclusion is that they want to move forward with the multi-pronged strategy, and they single out specifically the email authentication part (step 1).

Here's my take:

PayPal can do something that can nip this in the bud - and, as it turns out, they are almost already there.

They put "Authentication" as section 5.3 under "Ancillary Strategies". Four paragraphs in an eleven page document. And yet, authentication is the true answer to the problem. Phishers can phish all day long and die on the vine if PayPal puts in place a real authentication scheme.

I logged into my PayPal account. I used my email address and password -- this is the standard way. Email address and password. This is weak authentication. This is the kind of thing that is easily Phished for and gotten. PayPal, in their white paper, appears to be trying to "boil the ocean" with internet protocol changes, changes to laws in a hundred countries, law enforcement swat teams, and user re-education camps, and yet they still have this weak password scheme? Why don't they implement a real authentication scheme? One that proves that the person is who they say they are?

Guess what? They have! But not 100%.

After I logged in, I noticed that they have something called the "Pay Pal Security Key." This is a device that implements "dual factor" authentication. You have your ID and password. The device provides a six digit code that changes every thirty seconds. When you log in, you provide your user ID, password, and security code from the device. For whatever reason, this is optional, not required.

They are introducing this for $5. It also works for eBay, and they say it will be usable at other sites down the road. If you have PayPal or eBay, get one!

I used basically the same thing years ago at my prior job, and it works great. You no longer have to really worry about your password, and the company that issues it no longer has to worry about customers or employees that write their passwords down on post-its attached to their keyboard. This circumvents all that. A fraudster can have your name, user ID, password, mother's maiden name, social security number, etc., etc. They can even have the last six digit number you used. But if they don't have the device, they can't get in! Not unless they happen to guess a one-in-a-million number. In other words, they have to win the lottery, but all they get is your PayPal balance!

So, PayPal wants to stop fraud. They can stop fraud tomorrow if they require all their users to get one of these keys. This is an expensive solution, but, hey, banks have been known to give toasters away with new accounts, so why not security keys?

Everything else in their white paper is interesting, but at the end of the day will not eliminate fraud. It will reduce fraud, and that is good. But changing email protocols, forcing browsers to conform to some "anti-phishing" standard, changing laws, and finally getting users educated are all long term incremental actions that over a period of maybe ten to twenty years may yield some fruit. The internet, however, by its nature, is wide open. You can cordon off parts here and there using laws and protocols, but the openness will always be there, leaving room for crooks to maneuver.

In any event, I think it is important for companies like PayPal to know who it is they are dealing with - it is up to them to ensure you are who you say you are. I personally have no control over someone claiming to be me and logging into PayPal, even if some personal information was Phished out of me. It is someone else, knocking on PayPal's door, claiming to be me. PayPal is holding my money in trust. I expect them to keep someone else's mitts off my money! So, PayPal needs to implement a way that proves it is me doing business as me. This Security Key does that.

There are other methods to do this other than hardware keys. Vidoop was mentioned in an earlier blog entry. However, Vidoop is more for your peace of mind than for the place where you log in -- Vidoop authenticates your machine and you, to your satisfaction, so you know that no one else can fake you using a Vidoop ID. But since Vidoop is an "OpenID," sites that use OpenID are not forced to accept only Vidoop IDs.

As far as the threat of PayPal restricting site access to "safe" browsers, potentially banning Safari, I think it is a better bet for PayPal to push their Security Key than it is to restrict users based on what browser they choose to use. There are a lot of Apples out there. Yes, I know you can run Firefox on a Mac, but why force the issue? Lots of people will pay $5 for an access key/token, but not $1,000 for a new computer that can handle a pig like IE 7, especially when that $1,000 gets them a Mac!

Friday, January 18, 2008

Vidoop OpenID, Sprint Aircards

Well, time does fly. Here it is 2008 and I haven't posted since August. I almost posted in October, but it was an involved topic and the post was never "post-worthy." I find that writing is work! Not drudgery -- I have read writers who feel that it is -- but, work. I find myself wanting to write a quick post, but then, the details come in, and the need for accuracy comes in, and the need to set the correct context comes in, and then a quick post becomes a novelette!

So, here is the first post of 2008. Yahoo is going to support OpenID. Here is where details and context enter. Suffice it to say that OpenID is an attempt to make authentication on the web easier. Rather than having sign-ons for each website, each with its own password, OpenID allows a single ID to be used on multiple websites. The OpenID site has details.

Now, I figured that if Yahoo and a slew of others are supporting OpenID, I should at least get one. After perusing a few providers (not an insignificant task, I assure you), I came across Vidoop. These guys have a great authentication method. You get an ID. When you log in, they first authenticate the machine you are logging in from by emailing, telephoning, or text-messaging an authorization code, which you then enter, and then ask you to provide a passcode. The passcode is given to you in a grid of pictures, each with its own category. You tell Vidoop which categories you want to use, they show you a grid of all categories with a letter in each, and you enter the letters from the categories you chose. Their categories are things like People, Dogs, Cats, Trains, Clocks. If your categories are Dogs and Trains, you enter the letters from the grid where there is a picture of a dog and the grid where there is a picture of a train.

This is brilliant. This is the type of thing that will pretty much guarantee that it will be you who is logging in -- they email the authentication codes to your email account, or call or text-message your phone, and the categories are the ones you chose. I don't have the math here, but I can guess that the odds are low that a break-in will occur. It sure is more secure than a simple password that never gets changed and that is usable from everywhere on Earth.

I just signed up today. Get an OpenID, and use myvidoop.com to get it.

Also, I live in the boonies. This means that there is no cable, no DSL, and, until recently, no internet. I have been using the Sprint Aircard for the last month. It uses their mobile network. It is great -- as fast as DSL. They also have a Linksys router that can have the card plugged into it -- now I can get to it from my laptop. Good stuff.

That's all for now. I'll try to post more short and sweet ones this year -- but even this one ain't short!

Tuesday, August 21, 2007

Wikipedia -- Exposed

I have noted before here that I am no fan of Wikipedia. It can be and has been used as a voice of propaganda, misinformation, and controversy. Why? Because it is completely anonymous, which means that posters have no real responsibility for what they write. People can lie, and often do. One of the more egregious examples was last spring, when one of the more respected "editors" of Wikipedia turned out to be a fraud -- faking his credentials.

I personally don't think it should be shut down -- more power to it -- but I do not trust it, and do not expect any entry in it to be correct. If I want to do a quick lookup of something and I only need about 50-80% accuracy, I will sometimes use it for that.

I will admit that there is one area in which Wikipedia excels: if you want to know if something is or is not controversial in the web world, Wikipedia is truly excellent at that. For example, the entry on "Gun" has had eight edits today (August 21, 2007). One edit replaced a whole section with "HA HA", another added a paragraph on an English usage. So, here is a subject that changes almost hourly as people with competing agendas fight over the entry.

Another example: an edit for Elvis Presley from, again, today has someone asserting that he is still alive.

I say that Wikipedia allows anonymous posts, and that is correct -- except that each entry has as part of its entry the internet address from which the entry was posted. In other words, Wikipedia tracks the IP address of each posting.

IP addresses for most home users are assigned to them by their internet service provider (ISP) on an as-needed basis, when they log in. The IP address is "owned" by the ISP.

However, most institutions have permanent IP addresses which are assigned to them. Anyone in their offices using the web will be using an address from their range. You can find out what institution an IP address is assigned to using ARIN (the American Registry for Internet Numbers) Whois. Type the address there, and you will see to whom it is assigned.

This kid from Cal Tech (where else?), Virgil Griffith, created a tool to scan Wikipedia and show the edits made by IP addresses. This has created quite a storm! All of a sudden, we can easily see what edits were made from people at the ACLU, Apple Computer, Microsoft, the NRA, Fox News... All sorts of places. It is enlightening, and really, confirms my criticisms of Wikipedia.

We have entries by an ACLU address user making derogatory comments on the Pope. We have another entry in which someone using an NEA address deletes criticism about the NEA.

What astounds me is that articles on this are either missing the point by pointing out self-editing by companies such as Apple, Microsoft, or others, or are amazed that "anonymous" is not really anonymous.

But, really, what else can we expect from Wikipedia? That's the point.

Friday, August 03, 2007

Robocop is Real!

This, from Wired. The new SWORDS robot is just about ready for field use in Iraq, and is the real-life version of the ED-209.

An armed robot that is directed by radio. Thus, it is to some degree vulnerable to viruses, or commandeering. When I look to the future, I see these in civilian use for police departments -- crack-house and meth-lab raids, for sure -- and with ubiquity and relatively lax security inherent with having these in hundreds of police precincts instead of one army, there will be an attempt at infiltration.

In any event, sci-fi continues to show that it is closer to reality than one might think!

Monday, April 23, 2007

An Open Wireless Network Could Put You "On The Hook"

A child pornographer used an open wireless connection to send a lewd instant message to someone. He was tracked, and he was using an "open" WIFI, or wireless network router. The person tried to claim that his wireless was open, and therefore, it could have been anyone. The court did not buy it.

The bottom line is this: If you have an "open" wireless network at home, anyone inside or outside the house can have access to it. "Anyone" could be a child pornographer, bomb-maker, or some other criminal trying to hide their tracks. On top of this, their activities can and will lead to your door. When that happens, it will be a hassle. Now it looks like you could go to jail for it, or at least risk going to jail.

Moral of the story? Close your wireless connection!

Thursday, February 22, 2007

Couldn't Happen to a Nicer Guy

(ex) Judge Ronald Kline, in California, was sent to prison on child porn charges. He was brought down by what you could call a "benevolent hacker" named Brad Willman who broke into thousands of people's PCs and monitored all their activities. He was especially interested in hunting down child predators.

I point this out because, first, I am happy that Kline was caught. Here is a person in the public trust who was performing hideous crimes. I also point it out because it shows how little security there is on the 'net -- and not just the 'net, but also on telephones and text messages (Ex-Congressman Mark Foley comes to mind...). In this case, 3,000 computers were compromised, with Willman able to pretty much do what he wanted with them. I thought it was clever how he got the victims to download his "Trojan horse": He made it look like they were downloading an image from the net, but actually, he got the image from their own PC! When they downloaded the Trojan, Willman got control.

My view on hackers has been that I really don't have too many issues with hackers per se. I think we are still in the stage where we actually need hackers to probe the system and uncover the ways things can be broken. Most hackers are, really, slightly deranged hobbyists who hack because they find it a challenge. Most viruses fall into that category. When you think about it, anyone who can break into your email program and force it to send messages to all of your contacts can also permanently delete all your mail and contacts as well. Anyone who can break into your computer and make it a "zombie" that bombards Microsoft as part of a coordinated "denial of service" attack can also wipe out your entire hard drive. Most hackers tend not to do this, which means that they are really out more for fun than damage. In the case of Willman, he was hacking for a public service, and he brought down a big fish.

I guess the moral of the story is: don't do anything on your PC that you wouldn't want your mom or the IRS to see you doing!