PayPal may take the unusual step of blocking Safari users from accessing its service as the company increases its anti-phishing countermeasures.
The company today warned of plans to lock PayPal users from accessing the electronic payment service if they are using older versions of web browsers as it continues its war against phishing attacks.
PayPal said a "significant" group of people still use Microsoft's Internet Explorer 3, released in 1996, and IE 4, which debuted in 1997. These lack a phishing filter, which can block users from accessing a reported phishing website.
Safari may also be threatened as the browser itself lacks anti-phishing features, causing Michael Barrett, PayPal's chief information security officer, to warn customers not to use the browser to access the service.
Safari also lacks support for Extended Validation SSL (Secure Socket Layer) Certificates, which are issued to websites that have been vetted as legitimate. For sites with that certificate, IE shows a green bar. Firefox's address bar changes from white to beige and Opera denotes a safe site.
"Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera," he said in February.
"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," the company more recently said in a paper released during the RSA security conference in San Francisco earlier this month.
Phishing sites are designed to look like the legitimate websites of major brands such as banks and seek to elicit financial and personal information. Users are often lured to the sites through unsolicited emails, or can unwittingly land on one if a phisher has bought a domain with a convincing-looking name or one with a slightly different spelling.
PayPal has been one of the brands hit hard by phishing since the service allows people to transfer money. The company has taken steps to strengthen authentication controls and worked with ISPs (Internet service providers) to block emails purporting to be from PayPal but lacking a valid digital signature.
PayPal said it plans to warn users who come to its site that they are using an old browser. Eventually, those users will be blocked, although the company did not say when.
The plan won't necessarily prevent a person from being victimized by a phishing attack. A user could still be duped by an email with a link to a phishing site and then divulge their details.
But by preventing access to its site, PayPal hopes those users will then upgrade their browsers, which will then give them an additional security protection against phishing.