PayPal Plans to Ban Unsafe Browsers
By Ryan Naraine
2008-04-17
PayPal says allowing customers to make financial transactions on unsafe browsers "is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."
PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don't provide anti-phishing protection.
The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered "unsafe" for financial transactions.
"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts," said PayPal Chief Information Security Officer Michael Barrett.
In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there's a "significant set of [PayPal customers] who use very old and vulnerable browsers" and made it clear that any browser that falls into the "unsafe" category will be banned.
"At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers," he declared.
Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of "unsafe browsers," but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.
The EV SSL certificates are meant to provide trust to Web-based transactions. For example, if you use Microsoft's IE 7 to visit a Web site secured with an EV SSL certificate, the URL address bar is displayed in green and offers the ability for the user to toggle between the organization name listed in the certificate and the issuing Certificate Authority.
Firefox and Opera have announced their intention to support EV SSL in upcoming releases.
Apple's Safari browser, which is being aggressively pushed to Windows users, could conceivably be banned from accessing PayPal.com under the plan outlined by Barrett.
EV Certificates Unproven, but Best Solution Yet
The jury is still out on the value of EV SSL certificates as a meaningful security utility but, in Barrett's mind, the green URL bar offers a visual cue that "makes it much easier for users to determine whether or not they're on the site that they thought they were visiting."
He said PayPal was one of the first companies to adopt EV certificates. "More or less all of the pages on our site are SSL encrypted, and they all use EV certificates. And after nine months of usage, [our] data suggests that there is a statistically significant change in user behavior. For example, we’re seeing noticeably lower abandonment rates on sign-up flows for IE 7 users versus other browsers. We believe that this correlates closely to the user interface changes triggered by our use of EV certificates," Barrett added.
PayPal is also recommending the use of blacklists and anti-fraud warning pages as effective technologies to help protect consumers from identity theft fraud. Microsoft and Mozilla have invested heavily in anti-malware blockers and anti-phishing technology.