Sour Grapes
Of course we're Fair and Balanced!

2009-01-13

PayPal's security lapse

I received the following e-mail message yesterday.
Subject: Notice of Policy Updates
From: PayPal
Reply-To: paypal@paypal.com
Date: Mon, 12 Jan 2009 14:23:08 PST
To: hughhyatt at bluehen.udel.edu

==================================================================

PayPal

==================================================================

Notice of Policy Updates

Dear Hugh Hyatt,

You are receiving this notification because you have elected to receive email notice of all PayPal Policy Change Notices.

PayPal recently posted a new Policy Update. You can view this Policy Update by logging in to your PayPal account. To log in to your account, go to http://Email1.paypal.com/u.d?9YGtvimT2lyrGX8k1Mh=0 and enter your member log in information. Once you are logged in, look in the What's New column on the left side of the page for the latest Policy Updates.

If you need help logging in, go to our Help Center by clicking the Help link located in the upper right-hand corner of any PayPal page.

Sincerely,

PayPal

Genuine? Or phishing attempt? I looked briefly at it and once I saw the link to a supposed login address, I did what I always do with such e-mails—forward them to an appropriate address at the website of the organization they purport to be from (in this case, spoof@paypal.com) and to the Anti-Phishing Working Group at reportphishing@antiphishing.org.

Normally I get a reply from the organization confirming that it was indeed a phishing attempt. But this time I got one back that said, in part,

Thanks for taking an active role by reporting suspicious-looking emails. Although we've determined that the email you forwarded to us is not a phishing attempt, our security team is grateful for your concern....

PayPal will never ask you for your password over the phone or in an email and will always address you by your first and last name.

Take our Fight Phishing Challenge at https://www.paypal.com/fightphishing to learn 5 things you should know about phishing....

To which I responded,

I can't tell you how appalled I am by what PayPal has done.

I am shocked that PayPal would send an e-mail inviting me to log in using a URL embedded in the message. To me the first rule of avoiding phishing schemes is never to use such embedded URLs to log in to websites. An invitation to log in is nothing less than a request for a password, which is something I thought PayPal would never do!

I suggest making sure your employees who produced the e-mail I originally forwarded take your Fight Phishing Challenge as well. Question #5:

"Clicking on a link in an email is the most reliable way to get to your PayPal account. True or false?

"False. Many phishing emails have links that look valid, but send you to fraudulent sites instead. Here’s what you should do: Open a new browser window, type https://www.paypal.com and log in to your PayPal account directly."
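The rule quoted in that answer (type the address yourself, never log in through a link in a message) can be turned into a simple triage check. The following is an added example, not code from the post or from PayPal: it pulls the URLs out of a message body and reports why each one fails the rule, using the link from the notice above as constructed sample input. The canonical host set and the "solicits a login" word list are assumptions for illustration.

```python
"""Triage embedded links in an e-mail against the rule: log in only at an address you type yourself."""
import re
from urllib.parse import urlparse

# Assumption: the only address a user should reach the login page through.
CANONICAL_LOGIN_HOSTS = {"www.paypal.com"}

# Constructed sample: the relevant sentence of the notice quoted in the post, with its tracking link.
SAMPLE_BODY = (
    "PayPal recently posted a new Policy Update. To log in to your account, go to "
    "http://Email1.paypal.com/u.d?9YGtvimT2lyrGX8k1Mh=0 and enter your member log in information."
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: words that mark a message as asking the reader to authenticate.
LOGIN_WORDS = re.compile(r"\b(log ?in|sign ?in|password)\b", re.IGNORECASE)


def assess_link(url):
    """Return the reasons this link must not be used to log in; an empty list means it passes."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if host not in CANONICAL_LOGIN_HOSTS:
        reasons.append(f"host {host!r} is not the address you would type yourself")
    if parts.query:
        reasons.append("carries an opaque query string (tracking or redirect token)")
    return reasons


def assess_message(body):
    """Return (solicits_login, {url: reasons}) for every URL found in the body."""
    solicits_login = bool(LOGIN_WORDS.search(body))
    findings = {url: assess_link(url) for url in URL_RE.findall(body)}
    return solicits_login, findings


if __name__ == "__main__":
    solicits, findings = assess_message(SAMPLE_BODY)
    print("message asks the reader to log in:", solicits)
    for url, reasons in findings.items():
        print(url, "->", "; ".join(reasons) or "ok")
```

A message that both solicits a login and carries a link with any reason listed is exactly the case the challenge answer warns about, whoever sent it.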
