Auctionbytes-NewsFlash, Number 696 - February 06, 2004 - ISSN 1539-5065
Update: PayPal Payment Wizard Raises Phishing Concerns
By Ina Steiner
AuctionBytes.com
February 06, 2004
In the January 28 issue of AuctionBytes NewsFlash, I wrote about PayPal Payment Wizard for Outlook ("eBay's PayPal Service Makes It Easy to Ask for Money via Email" http://www.auctionbytes.com/cab/abn/y04/m01/i27/s02). The tool allows sellers to include a PayPal button in emails and is free to use.
Several readers wrote with concerns about security. "So now, instead of getting phony emails looking like they came from PayPal, we can expect phony emails, complete with an html link to who knows what bogus look-alike site? I don't generally mind clicking a button from a secured web page.... but from an email?"
The concern arises because, for years, scammers have employed a tactic known as "phishing": sending hoax emails that appear to come from PayPal but are in reality attempts to steal the recipient's identity. Ironically, in the same issue I had included a link to a site that explained a Microsoft Explorer vulnerability that hoax-emailers may try to exploit (http://netsquirrel.com/spoof): it lets scammers mask the address bar of Internet Explorer.
I asked PayPal spokesperson Amanda Pires whether users should be concerned about using the PayPal Payment Wizard tool, considering all the hoax emails sent by identity thieves. Pires explained that scammers cannot spoof https:// URLs, and users should always look for the "s" in the https:// part of the URL when using PayPal. She added, "PayPal recommends when using our site to always open up a new browser and type in https://www.paypal.com to log onto PayPal."
Interestingly, the Washington Post reported on February 2 that Microsoft's latest patch fixes the vulnerability in Explorer that allowed scammers to hide the identity of a site in the address bar (http://www.washingtonpost.com/wp-dyn/articles/A6331-2004Feb2.html).
So what's the bottom line? PayPal has gotten good about not sending out emails with links to sign-in pages, in order to get people out of the habit of clicking on links in email. But now it is enabling an army of its users to do just that. Even sophisticated users who are aware of hoaxes find it difficult to keep up with scammers. It seems the best advice remains: never click on a link in an email to log in to a site. Always go to your browser and type the name of the site in manually.