PayPal: insecure browsers = cars without seatbelts
PayPal, the most attacked company in phishing attacks, is planning to block users who use older, insecure browsers that lack anti-phishing protection. Michael Barrett, the Chief Information Security Officer of PayPal, who recently recommended against the use of Safari because of its lack of phishing and EV SSL Certificate support, has released a whitepaper about phishing and how it can be prevented with new security procedures. One major method of reducing the threat of phishing is blocking older browsers.
In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts...At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers.
He specifically mentioned the use of older versions of Internet Explorer (4 and earlier), but clearly their list of "unsafe" browsers will include any browser without anti-phishing technologies and support for EV SSL Certificates. On the use of EV SSL Certificates, Barrett stated:
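The warn-then-block policy described above, as an added example of how a login page could classify browsers from the User-Agent header (this is illustrative code, not PayPal's implementation; the minimum EV-capable versions for Firefox and Opera are assumptions):

```python
import re

# Policy from the post: IE 4 and earlier are blocked outright; browsers
# without anti-phishing filtering and EV certificate UI get a login warning.
# The version thresholds below are assumptions for this example
# (IE 7, Firefox 3, Opera 9.5); Safari is always warned, per the post.
BLOCK_BELOW = {"MSIE": 5.0}
WARN_BELOW = {"MSIE": 7.0, "Firefox": 3.0, "Opera": 9.5}

# Version patterns for 2008-era User-Agent strings. Opera is checked first
# because older Opera builds also carried an "MSIE" token.
_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)?)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)?)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)?)")),
]


def parse_browser(user_agent):
    """Return (family, major.minor as float) or (family, None) if unknown.

    Only the first two version components are compared, which is enough
    for the thresholds above but is not a general version comparator.
    """
    for family, pattern in _PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return family, float(m.group(1))
    if "Safari" in user_agent and "Chrome" not in user_agent:
        return "Safari", None
    return "unknown", None


def classify_browser(user_agent):
    """Map a User-Agent string to 'block', 'warn' or 'allow'.

    The User-Agent is self-reported by the client, so this is a user-safety
    nudge (as in the post), not an access control: a spoofed string passes.
    """
    family, version = parse_browser(user_agent)
    if family in ("Safari", "unknown") or version is None:
        return "warn"  # cannot confirm anti-phishing or EV support
    if family in BLOCK_BELOW and version < BLOCK_BELOW[family]:
        return "block"
    if family in WARN_BELOW and version < WARN_BELOW[family]:
        return "warn"
    return "allow"
```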
More or less all of the pages on our site are SSL encrypted, and they all use EV certificates. And after nine months of usage, [our] data suggests that there is a statistically significant change in user behavior. For example, we're seeing noticeably lower abandonment rates on sign-up flows for IE 7 users versus other browsers. We believe that this correlates closely to the user interface changes triggered by our use of EV certificates.
The full whitepaper can be viewed on the PayPal Blog.
Originally posted on Sun Apr 20, 2008