PayPal: Safari Not Among 'Unsafe Browsers'
Over on Twitter, during a discussion on PayPal's plan to ban "unsafe browsers," I suggested there was no way the company would risk blocking Safari connections. Can't afford to alienate iPhone and the mobile transaction market.
Woke up this morning and found this statement from a PayPal spokesperson:
"PayPal is developing features to block customers from logging into PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website."
To be fair, the PayPal whitepaper (.pdf) never mentioned Safari but, by a process of elimination (Safari does not support EV-SSL certificates), it seemed logical to assume that Apple's browser would fall into PayPal's "unsafe" category.
(See Techmeme discussion).
PayPal must be commended for taking steps to enforce security standards for financial transactions but, as Gartner's John Pescatore pointed out in an e-mail conversation, the company is looking in the wrong area:
The real answer to fighting phishing is to stop using reusable passwords. The browser doesn't matter if people continue to get tricked into giving away their passwords.
When PayPal bought Signio from Verisign, they agreed to buy something like 100,000 password-generating tokens from Verisign as part of the deal, but they really haven't aggressively tried to push them out. It doesn't even have to be tokens -- it could be SMS/text messaging approaches to onetime passwords, as many European online banking systems are going to.
The real issue is that the passwords are reusable, and that is a fatal flaw. More secure browsers is a good thing, but phishing and password capturingTrojans only work because the same password is used every time.
PayPal offers the security key for a non-refundable $5 (shipping included).
Yankee Group's Andrew Jaquith suggests that SSBs (single-site browsers) could be useful to help secure Web-based financial transactions. Look out for my story next week on Jaquith's proposal.