Friday, November 21, 2008

Broken PayPal security enables Phishers

OK, maybe this isn't the most embarrassing security mistake ever, but it's close. Unlike Microsoft's screw-up, it lets Phishers target your account.
PayPal, the online payment service that is a major target of phishers, has been caught sending customer emails that confuse its own login page with a third-party landing site that offers spyware protection and a bevy of other products.
Dumb, dumb, dumb.
The faux hyperlink to secure.uninitialized.real.error.com was included in official emails PayPal sent to customers to confirm recent payments. PayPal advertised it as the official address to log in to the service. Recipients who configured their systems to read email as HTML wouldn't notice the link was incorrect unless they were paying close attention.
Dumb, dumb, dumb. They're supposed to be security experts, so that you don't have to. Doesn't seem like the folks at error.com were involved:
"We're completely unaware of anything that would give us traffic" from PayPal, said Drew Griffin, director of business development for Reflex Publishing, the Florida-based company that owns error.com. "We have no clue as to how it got there. They should fix it."
Yah, that'd be right.
This quick Yahoo search turned up this page showing a PayPal customer receiving the link more than two months ago. That's a long time for a financial services company to be sending their customers to an incorrect login page.
Yah, that'd be right, too.
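The failure described above is an outbound-email check that was never run: a transactional template went out with a login link pointing at a host nobody at PayPal owns, and HTML rendering hid that from most recipients. The following is an added example of the kind of lint a sender can run on every rendered message before it leaves the building; it is not PayPal's code, and the allowlist of approved hosts and the sample email body are constructed for illustration. It parses every anchor, flags any href whose host is not under an approved domain, and separately flags links whose visible text names one host while the href goes to another.

```python
"""Lint a rendered HTML email for links that point off the sender's own
domains, or whose visible text names a different host than the href.
Added example, not PayPal's code; the allowlist and sample are assumed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts a legitimate login/confirmation link may use.
APPROVED_HOSTS = {"paypal.com"}

# Matches a bare or http(s)-prefixed hostname inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL or bare host, '' if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_approved(host):
    """True only if host is an approved domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in APPROVED_HOSTS)


def lint_links(html):
    """Return a list of (problem, href, text) findings for the email body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not is_approved(href_host):
            # The PayPal case: a template emitted a host nobody owns.
            findings.append(("unapproved-host", href, text))
            continue
        match = HOST_RE.search(text)
        if match and host_of(match.group(1)) != href_host:
            # Visible text advertises one host, href goes to another.
            findings.append(("text-host-mismatch", href, text))
    return findings


# Constructed sample: one bad link in the style of the incident, two good ones.
SAMPLE_EMAIL = """
<p>To review this payment, log in at
<a href="https://secure.uninitialized.real.error.com/login">https://www.paypal.com/</a>.</p>
<p>Questions? Visit the <a href="https://www.paypal.com/help">Help Center</a>
or <a href="https://www.paypal.com/">www.paypal.com</a>.</p>
"""

if __name__ == "__main__":
    for problem, href, text in lint_links(SAMPLE_EMAIL):
        print(f"{problem}: href={href!r} text={text!r}")
```

Run on the sample, the lint reports exactly one finding, the `unapproved-host` link whose href names `secure.uninitialized.real.error.com`; the two links that actually land on `www.paypal.com` pass. A check like this belongs in the template test suite and in the sending pipeline, because a malformed host in a confirmation email reads to recipients exactly like a phishing lure.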

So, let's see what happened:

1. Programmer drone at PayPal makes rookie error.

2. Security propeller-head types at PayPal miss rookie error.

3. PayPal users get sent to Lord Knows Where, for months.

So what do you now know about PayPal's uber-l33t security system? Their security division is run by Blanche DuBois. And their PR division is headed up by William the Silent:
The snafu was the result of an internal PayPal error that was fixed on Tuesday, Michael Oldenburg, a spokesman for PayPal parent company eBay, wrote in an email. Oldenburg didn't respond to a reply email that asked how long the error had persisted.
PayPal users, now you know.
