Nothing Wrong With Limiting Supported Browsers

PayPal is going to limit the browsers that it allows to use its application:

PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection.

The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.

In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a “significant set of [PayPal customers] who use very old and vulnerable browsers” and made it clear that any browser that falls into the “unsafe” category will be banned.

“At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers,” he declared.

I don’t have a problem with limiting browser support; however, PayPal needs to provide some feedback if a user tries to visit the site with an unsupported browser.

Of course, the phishing sites will continue to support unsafe browsers, so those who fall prey to phishing (casual users who created a PayPal account in 1999 to pay for a Beanie Baby auction and haven’t kept up with their accounts or technology) will still be vulnerable to phishing attacks.
