
PayPal warns against Safari's lack of anti-phishing features

but users should take responsibility.

CNET staff

[Thursday, February 28th]

Michael Barrett, PayPal's chief information security officer, says that Safari lacks two key anti-phishing features found in some other browsers and hence recommends that customers not make use of his company's services with Safari.

InfoWorld quotes Barrett: "Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera."

The two lacking mechanisms, according to Barrett:

  • no built-in phishing filter to warn users when they are visiting suspicious Web sites
  • lack of support for another anti-phishing technology, called Extended Validation (EV) certificates.

A response to Barrett's commentary from Jeremiah Lee puts the anti-phishing onus on users, not browser developers:

"Unfortunately for Mr Barrett, SSL is the only method mentioned for securing online transactions. Blacklists and EV certificates provide information to the visitor that the site is more likely to be what it claims. They don't actually make the browser connection to the web server any more secure. [...] Phishing sites impersonate real sites in order to trick visitors into giving legitimate information. Attackers can then use this information to defraud the visitor. Phishing attacks are attacks on visitors, not technology. The solutions aren't likely technical.

"Users must learn to verify the address of any site asking for a password. Good ideas, like Bank of America's SiteKey, have not been effective because users don't pay attention to the security features. Another study observed extended validation certificates failing for the same reason. At some point, users need to be responsible for themselves."
