PayPal to block users with old browsers to cut back phishing

PayPal, eBay's electronic payment service, plans to take the dramatic step of locking out people using older versions of Web browsers in order to stem phishing attacks.

PayPal said a "significant" group of people still use Microsoft's Internet Explorer 3, released in 1996, and IE 4, which debuted in 1997. Those browsers lack a phishing filter, which can block users from accessing a reported phishing Web site.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," according to a paper released during the RSA security conference in San Francisco earlier this month.

It also could mean eventual trouble for users of Apple's Safari browser, which has no phishing filter. PayPal warned users in February to stay clear of Safari.

Phishing sites are designed to look like the legitimate Web sites of major brands such as banks and seek to elicit financial and personal information. Users are often lured to the sites through unsolicited e-mail, or can unwittingly land on one if a phisher has bought a domain with a convincing-looking name or one with slightly differently spelling.

PayPal has been one of the brands hit hard by phishing since the service allows people to transfer money. The company has taken steps to strengthen authentication controls and worked with ISPs (Internet service providers) to block e-mails purporting to be from PayPal but lacking a valid digital signature.

PayPal said it plans to warn users who come to its site that they are using an old browser. Eventually, those users will be blocked, although the company did not say when.

The plan won't necessarily prevent a person from being victimized by a phishing attack. A user could still be duped by an e-mail with a link to a phishing site and then divulge their details.

But by preventing access to its site, PayPal hopes those users will then upgrade their browsers, which will then give them an additional security protection against phishing.

Internet Explorer 7, Firefox 2 and Opera 9 have phishing filters, but Apple's browser -- Safari -- does not. Safari also does not support Extended Validation SSL (Secure Socket Layer) Certificates, issued to Web sites that have been vetted as legitimate.

For Web sites with that certificate, IE shows a green bar. Firefox's address bar changes with white to beige and Opera denotes a safe site.

The IDG News Service is a Network World affiliate.