Full Disclosure mailing list archives
Re: PayPal issues another blow to user security
From: "Exibar" <exibar () thelair com>
Date: Wed, 17 Dec 2003 16:26:56 -0500
yes, it is a valid link, but the whole thing started because PayPal, in their own security advisory message, states never to click on any link that claims to be from PayPal unless it is https://www.paypal.com

And they usually state that any other link is bogus, even if it states that it is an "official PayPal site".

Exibar

----- Original Message -----
From: "Seth Fogie" <seth () fogieonline com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, December 17, 2003 3:22 PM
Subject: Re: [Full-disclosure] PayPal issues another blow to user security

If you enter the official https://www.paypal.com site and click on the Paypal credit card link, you will be directed to www.paypalcreditcard.com...

So, it is most likely a valid link...

Exibar wrote:

The e-mail response from PayPal sounded more like a "canned" response than an actual human response. I would imagine that they simply have a rule set up that looks for links within a message and if it doesn't have https://www.paypal.com then it spits back that canned message. On the other hand, it could simply be a college kid that is working at PayPal to make a few extra bucks and just saw that the link didn't point to https://www.paypal.com and hit the "send canned response" button.

Either way, PayPal should mention something about it on their site's homepage. It is very irresponsible of them not to.

Exibar

----- Original Message -----
From: "Mary Landesman" <mlande () bellsouth net>
To: "Rob Adams" <rob () ebeep org>; "Aaron Horst" <anthrax101 () yahoo com>
Cc: <full-disclosure () lists netsys com>
Sent: Wednesday, December 17, 2003 1:23 PM
Subject: Re: [Full-disclosure] PayPal issues another blow to user security

I think the response speaks more of the tunnel vision of the person answering the email. PayPal and Providian entered a partnership in Feb 2001. At the time, Providian apparently took a huge stake in PayPal equity (estimates placed it at between $100 - $200 million) and the two companies agreed to co-brand the credit cards. See Forbes for details:
http://www.forbes.com/2001/02/07/0207eccommerce.html

The legal agreement between the two parties, dated March 2002, can be found here:
http://techdeals.startup.findlaw.com/agreements/paypal/providian.card.2002.03.01.html

The June 2001 press release announcing the site, and sponsored by both parties, can be found here:
http://www.findarticles.com/cf_dls/m4PRN/2001_June_18/75602419/p1/article.jhtml

Perhaps PayPal might wish to take the opportunity to ensure the folks answering email at spoof () paypal com are versed in company partnerships and policies.

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com

----- Original Message -----
From: "Rob Adams" <rob () ebeep org>
To: "Aaron Horst" <anthrax101 () yahoo com>
Cc: <full-disclosure () lists netsys com>
Sent: Wednesday, December 17, 2003 12:09 PM
Subject: Re: [Full-disclosure] PayPal issues another blow to user security

[[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]

Aaron Horst reported earlier this week that Paypal violates their own anti-phish policy. He received an official email that included a clickable link to "paypalcreditcard.com." Their stated policy is that they will only ever link to "paypal.com."

Paypalcreditcard.com appears to be a legitimate web site operated by Paypal's business partner, Providian Financial Corporation.

I received a similar solicitation. I forwarded it to the "spoof () paypal com." I think you'll enjoy the response:

=================

Dear Rob Adams,

Thank you for contacting PayPal.

Thank you for bringing this suspicious email to our attention. We can confirm that the email you received; was not sent to you by PayPal. The website linked to this email is not a registered URL authorized or used by PayPal. We are currently investigating this incident fully. Please do not enter any personal or financial information into this website.

If you have surrendered any personal or financial information to this fraudulent website, you should immediately log into your PayPal Account and change your password and secret question and answer information. Any compromised financial information should be reported to the appropriate parties.

If you notice any unauthorized activity associated with your PayPal transaction history, please immediately report this to PayPal by following the instructions below:

1. Go to https://www.paypal.com/
2. Click on the Security Center at the bottom of the page
3. Click on "Report a Problem"
4. Select the Topic: Report Fraud
5: Select the Subtopic: Unauthorized use of my PayPal Account, and click Continue.
6. Follow the instructions to access the appropriate form

If you have any further questions, please feel free to contact us again.

=======================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:
- PayPal issues another blow to user security Aaron Horst (Dec 15)
- Re: PayPal issues another blow to user security Exibar (Dec 16)
- Re: PayPal issues another blow to user security Rob Adams (Dec 17)
- Re: PayPal issues another blow to user security Mary Landesman (Dec 17)
- Re: PayPal issues another blow to user security Exibar (Dec 17)
- Re: PayPal issues another blow to user security Seth Fogie (Dec 17)
- Re: PayPal issues another blow to user security Exibar (Dec 17)
- Re: PayPal issues another blow to user security Mary Landesman (Dec 17)
- Re: PayPal issues another blow to user security Dom Gallagher (Dec 17)
- Re: PayPal issues another blow to user security Exibar (Dec 17)