
Thread: PayPal danger - use Firefox!

  1. #1 gw1 (Senior Member)

    PayPal danger - use Firefox!

    If you use PayPal on Windows you should switch to Firefox immediately or you risk getting robbed by fake websites. The risk may also soon spread to online banking.

    A critical bug in Windows CryptoAPI, reported to Microsoft two months ago, remains unpatched and is on the verge of being exploited in the wild. The bug means fake websites can deceive Internet Explorer, Safari (on Windows) and Chrome browsers using bogus SSL credentials. It's therefore possible for PayPal customers to be on an https page (with padlock etc) on a fake site pretending to be PayPal, and not get any "untrustworthy certificate" warning from the browser.

    There's further information and discussion , and .

    Bottom line: Switch to Firefox and you're safe. It doesn't affect Linux or Mac users.

  • #2 myf360f1 (Senior Member)

    Thanks GW 1,

    Because I am not a fan of Firefox, if I were to go directly to the PayPal site (IE 7/8) and log on, then conduct my business, there should not be any issue. The main problem comes from emails or links that take you to a fake site; then you're in trouble.

    Cheers

  • #3 gw1 (Senior Member)

    Going directly to Paypal by typing their address in your web browser isn't safe either, strictly speaking. It's safer but still not safe. That's because can still occur by various means such as DNS cache poisoning, viral infections of the hosts file or browser plugins, router hijacking or numerous other schemes. The whole purpose of https, and SSL's server certificates, is to solve this exact problem: how do you know the host you're actually connected to is the one you think it is?

    Here's how it's meant to work.
    • The security of https websites depends on browsers warning or stopping users whenever the ID presented by the websites at the door isn't current or doesn't carry a signature of a trusted server certificate issuer.
    • All such issuers are ultimately licensed by one of a handful of trusted root certifying authorities, like Verisign and Thawte, after demonstrating that they have a trustworthy system for verifying the identity of each person or entity seeking to buy a server certificate.
    • All browsers carry copies of the public signatures of the root certificate authorities in a secure database.
    • The browser's SSL site authentication operation is done by crypto calculations that mathematically prove the site's credentials are traceable to one of the root certificates in its database. Those calculations at each end, and the latency of the multiple network round-trips needed to exchange credentials in an orderly and safe manner, are why it takes a long time to log into secure websites like online banks and PayPal.

    The trouble is, if the browser's certificate database gets compromised (eg if your PC gets pwned by a virus or if you've previously told it to accept an invalid certificate), or if the crypto math library or the browser's certificate inspection code are buggy, then the browser's ability to distinguish a genuine SSL certificate from a fake one is undermined. In this case the problem is a bug in the Windows crypto library. Mozilla Firefox uses an open source library, for portability, rather than Microsoft's proprietary one, which is why Firefox isn't affected.

    Bottom line: You're slightly safer if you type the paypal address by hand rather than click on website links, since fake links are a common attack vector. But you're still vulnerable to the flaw.

    Don't panic - the security flaw has been demonstrated but nobody's saying any crims are actually utilising it yet. But it's well enough known in security circles now that we can assume it's only a matter of time - unless Microsoft push a patch out to Windows users first. Until then, the experts are saying use Firefox for your financial transactions, especially PayPal. You can keep using IE7/8 for all your non-financial browsing if you want.

  • #4 myf360f1 (Senior Member)

    Top post GW 1,

    Gee there is a lot to learn in this game

  • #5 (Banned)

    Not the news you want to hear but glad when you do.

    Many thanks GW1

  • #6 gw1 (Senior Member)

    Ordinarily what matters is that the padlock icon is lit and the site address (eg etc) is correct.

    Ordinarily the rule of thumb - "type the address manually, don't follow links" - works because if the site traffic has been hijacked somehow the attacker's certificate either won't be valid or won't match the "paypal.com" domain.

    But this flaw is a game-changer because it amounts to a blind spot in Windows browser security. Effectively it's shown that attackers can use a , presenting certain certificates that say "you don't need to see my certificate, my certificate is fine", and most Windows browsers will believe it.

  • #7 bigfella08 (Senior Member)

    Security Key

    PayPal do have an extra layer of protection called a security key.

    It sends a special code to your mobile via SMS, or you can order your own key generator for $7.50 (cheap).

    Very easy to set up in your account details.

    This verifies your transaction is legit.

    Cheers
    Last edited by bigfella08; 07-10-09 at 09:18 PM.

  • #8 osci (Senior Member)

    I know my netbanking facility has this extra security layer... thanks bigfella
    Democracy & Ignorance = A Winning Combination

  • #9 gw1 (Senior Member)

    Those safeguards protect PayPal, but the trouble is MANY people reuse their passwords for multiple online services

    A site impersonating PayPal may not succeed in raiding the victim's PayPal account, but after acquiring his login details you can bet an attacker would try to get into
    - his internet banking
    - his webmail archive (a goldmine for identity theft)
    - his ISP's account settings (ditto)
    - his PC admin account
    - his router admin account

  • #10 joezep (Senior Member)

    Thanks for the warning gw1

  • #11 (Junior Member)

    Don't forget that if a trusted root CA certificate is installed into the crypto store, then any certificate that has been signed with that CA Master WILL BE VALID to your computer.

    As GW1 has already pointed out, your DNS cache or DNS server may have invalid entries. There was a nasty little virus/malware that made ANY site you visit go to a bogus DNS server; it would then from time to time send you to a different webpage. This can be done at many points in the system, from your proxy settings, network and DNS settings, hosts file changes, "hidden" registry settings and file replacement.

    In IE there is a setting in the registry that will add from a list of prefixes to the address if the HTTP:// or FTP:// is missing. That was used for a while as well.

    I believe that SSL is NOT as safe as most people think. There are three things it is meant to do (in no order):
    1. Ensure your data is kept private (between TWO points). This mostly works.
    2. Provide identity, ie: a web site proves it's the same as the address typed. For the most part this works, but are you really looking at the correct site?
    eg: is NOT the same
    3. Prove that the owner of the page is meant to be the owner of the page. Most lower level CAs (Certificate Authorities) do not do much checking. Top level sites like VeriSign do a lot more checks to ensure you are allowed to have that SSL certificate for that site.

    In my opinion, the internet is on edge. It will soon go through a major change. If/when SSL is proven that it can't be trusted, then online purchases will grind to a halt. Once businesses start to fall off, $$$ to the ISP will start to fall and cost pushed back to the end user... If the great Australian filter ever works and if they check SSL pages, it will just show how simple it is for the man in the middle attack to check/edit your data...

    The clock is ticking...
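    Posts #3, #6 and #11 between them describe what a browser is supposed to check before it lights the padlock: the site's certificate must chain to a root in the browser's trusted database, it must be issued for the domain the user actually typed, and a rogue root that finds its way into that database makes everything it signs look genuine. The Go program below is an added example written for this page, not code from the thread, from PayPal or from any browser vendor. It builds two throwaway CAs in memory (constructed keys, nothing real), issues a certificate for the constructed host name www.pay.example from each, and runs the Go standard library's certificate verifier through the four situations the posts describe. It does not reproduce the CryptoAPI bug discussed in the thread; it shows the correct behaviour that bug undermined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demonstration on any error (fine for a demo, not for production code).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign builds a certificate from tmpl with a fresh P-256 key, signed by parent's key
// (self-signed when parent is nil), and returns the parsed certificate with its key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA mints a self-signed root and its key, the kind of certificate a browser ships in its
// trusted root database. Every CA here is constructed for the demonstration; none is real.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueServerCert has a CA sign the "ID presented at the door" for one DNS name.
func issueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // modern verifiers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	return cert
}

// browserAccepts mirrors the two checks made before the padlock is shown: the certificate
// must chain to a root in the trust store, and it must be issued for the host the user typed.
func browserAccepts(leaf *x509.Certificate, trusted *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Scenarios runs the four situations discussed in the thread and reports whether the
// simulated browser would show the padlock in each.
func Scenarios() map[string]bool {
	const site = "www.pay.example" // constructed host name standing in for the real site
	genuineCA, genuineKey := newCA("Constructed Trusted Root CA")
	rogueCA, rogueKey := newCA("Constructed Rogue CA")
	realCert := issueServerCert(genuineCA, genuineKey, site)
	impostorCert := issueServerCert(rogueCA, rogueKey, site) // same name, issuer nobody trusts
	trusted := x509.NewCertPool() // the browser's root database, holding only the genuine root
	trusted.AddCert(genuineCA)
	results := map[string]bool{
		"genuine":           browserAccepts(realCert, trusted, site),                // padlock
		"hostname-mismatch": browserAccepts(realCert, trusted, "login.pay.example"), // warning
		"untrusted-issuer":  browserAccepts(impostorCert, trusted, site),            // warning
	}
	// Post #11's point: a rogue root installed into the trust store makes everything it signed valid.
	trusted.AddCert(rogueCA)
	results["rogue-root-installed"] = browserAccepts(impostorCert, trusted, site) // padlock
	return results
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-22s padlock shown: %v\n", name, ok)
	}
}
```

    Running it prints one line per scenario: genuine shows the padlock, hostname-mismatch and untrusted-issuer do not, and rogue-root-installed shows the padlock again, which is why a root certificate planted on the PC is every bit as dangerous as a broken verifier.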

  • #12 gordon_s1942 (Premium Member)

    I was recently ripped off by a site selling Nostalgia DVDs who were Paypal registered sellers.
    I complained to Paypal and they agreed I had been ripped off, but Paypal have advised that they cannot recover my AU$25 as there is no money in the seller's account; but of course should funds appear, I MIGHT get a refund.
    This was NOT a sale through Ebay.
    The site is in the USA called Vividvideo.com aka FilmNoir, selling DVDs of the 1930s to 1950s.
    They still appear to be trading but not advertising some of the DVDs they did previously.
    So you now have the choice of being ripped off by some sod with a fake web page or a dodgy seller.

  • #13 gw1 (Senior Member)

    (comment deleted)

    EDIT: in fairness to PayPal on gordon's matter I've withdrawn my flame. It turned out Paypal provided him with a refund after all.

    My flame was motivated by my with Paypal over their unscrupulous handling of recurring payments. (Paypal collect commission on payments made to defunct sellers, when clearly no service has been provided, and do not allow refunds on "virtual goods" like forum memberships even when those forums no longer exist. They fail to indicate the existence of recurring payments in the customer account overview page, they provide no advice prior to such transactions, and no means for recurring payments to be cancelled or refunded. It's abysmal service.)
    Last edited by gw1; 10-11-09 at 10:34 PM.

  • #14 gordon_s1942 (Premium Member)

    gw1 and everyone, an addendum to my Paypal comments.
    I have just checked my Paypal email account and found that Paypal were successful in recovering the monies I paid last September and credited my Paypal account over the weekend.
    I seem to have done about $2, possibly due to exchange fees and currency fluctuations, but I got $22 back.
    The reason I hadn't checked sooner was I took what they said back last month, that the Seller had no funds available, to mean he had done the bolt, Rio de Janeiro, on me for $24. BUT no.

    gw1, this payment was done using Paypal via a Visa attachment on a Debit Card but, as you said, I would not have been able to make a claim for the loss of goods by a fraudulent seller.
    I have to say as well that this is the first ever hiccup I have had with an overseas Paypal purchase that was made outside of Ebay.
    I would guess the only foolproof way would be for you, the buyer, to pay the monies into an escrow account; the Seller sends and you sign on arrival and then the seller gets paid.
    That would take time and could add to the costs.

    There are a hell of a lot of genuine buyers and sellers out there but it only took one too lazy jerk to ignore numerous emails to put the cat among the pigeons.
    Maybe Paypal could set up a 'Rating for Sellers' like Ebay does based on the Sellers' handling of purchases.
    The buyer rating is useless except to rate tyre-kicking time wasters because if you don't send the money, they don't send the goods.

  • #15 ssrattus (Senior Member)

    Quote Originally Posted by gordon_s1942:
        The site is in the USA called Vividvideo.com aka FilmNoir, selling DVDs of the 1930s to 1950s.

    can only see porn videos at that url

  • #16 gordon_s1942 (Premium Member)

    Ohhhh dear, I think that must have been a Freudian slip there, but that was the name on their site and it's gone now, so try

    This is the site I ordered from and some of the DVDs shown now were advertised back in early September, but not the one I wanted.

    There have definitely been some changes to the site, particularly that about making claims and refunds etc, that wasn't there before.
    I have still NOT had the courtesy of a reply of any sort from whoever runs this site regarding my sale.
    I will look, but unless I get a Gold Plated Guarantee in BLOOD, I won't buy from them.
    I would rather pay double from a reputable site than go through all this again.

  • #17 mango (Senior Member)

    Be like me: I do not have a bank account, I only deal in cash or direct deposit. The reason I am not a premium member here is they want the money paid by PayPal; in the older days they took the money any way they could get it.

  • #18 mborkp (Senior Member)

    Quote Originally Posted by mango:
        Be like me: I do not have a bank account, I only deal in cash or direct deposit. The reason I am not a premium member here is they want the money paid by PayPal; in the older days they took the money any way they could get it.

    Mate,
    nothing is safe, you can be robbed on the street or in your own home. It is rather difficult or almost not possible to live these days without a bank account etc. (well, everyone's situation is different so this is not impossible).

    You might feel safe that way, but this goes with the price; the first will be the Austech Premium Membership...

    Take care
    Last edited by mborkp; 11-11-09 at 10:22 AM. Reason: spelling

  • #19 mango (Senior Member)

    Quote Originally Posted by mborkp:
        Mate,
        nothing is safe, you can be robbed on the street or in your own home. It is rather difficult or almost not possible to live these days without a bank account etc. (well, everyone's situation is different so this is not impossible).

        You might feel safe that way, but this goes with the price; the first will be the Austech Premium Membership...

        Take care

    Mate, I will invite you or anyone on the forum to my place anytime. All you have to do to get in is get past 2 x 4 yo German Shepherds, 1 x 3 yo Doberman, and 1 x 2 yo rotty; all these are fully trained attack dogs. Even my mates and son ring to say they are coming around, then I lock the dogs up. The only people they tolerate are my wife, grandson and me; the others are the enemy. These dogs cannot be poisoned as they have their own bowls and will only eat on a command number, and after they eat the bowl is taken away. The only way to stop them is to shoot them, and by that time I'm armed and dangerous.

    At times during the mango season I do have large amounts of cash here; the safe is an old bank safe so no one is going to carry it away.

    This works for me.

    BTW they are all desexed.
    Last edited by mango; 11-11-09 at 12:41 PM.

  • #20 admin (Administrator)

    Quote Originally Posted by mango:
        Be like me: I do not have a bank account, I only deal in cash or direct deposit. The reason I am not a premium member here is they want the money paid by PayPal; in the older days they took the money any way they could get it.

    And it was a deadset pain in the arse manually dealing with unknown deposits in my bank account and then having to match them to people's accounts and then manually change people's account status back and forwards each day. Just because I was prepared to spend hours wasting my time with it doesn't mean others have the time to. Do you actually know anything about how the premium membership system works with PayPal? At a guess, no. You don't need to have a PayPal account to become a premium member. A credit card or a bank account is all that's needed. All PayPal provide is the billing facility. Just as your biller is your bank.

    Let's stick to the actual topic at hand please.
