Hello again, I’m Michael Barrett, the chief information security officer for PayPal. This week the Black Hat organization held its annual security conference in Washington D.C. where a researcher exposed what we in the industry call a “Man-In-The-Middle” vulnerability.
This specific vulnerability tricks Internet users into thinking that they are on a secure website by showing “https://” in their browser’s address bar. In fact, however, it is not a secure session and there is a “Man-In-The-Middle” waiting to intercept any information submitted on the site such as usernames, passwords and even credit card numbers. This vulnerability often occurs in places where unsecured wireless Internet access is available – such as at coffee shops and airports.
Because of PayPal’s reputation as a highly secure payment service, we’re frequently mentioned in presentations of this nature. We’re used to it, but I understand that you may not be. It’s very important to understand that the PayPal site itself was in no way breached by this research, and indeed cannot be breached by it. Also, it’s important to understand that this is not a PayPal specific issue – the vulnerability that this researcher published affects the entire internet community.
These issues are complex, and will require industry cooperation to solve. Nonetheless, the Internet is still safe to use for e-commerce, and it is a lot safer if you take a few simple steps to protect yourself when logging into your PayPal account - especially when accessing the Internet using an unsecured wireless connection:
- Update your Web browser - Make sure you are using an updated version of your web browser such as Internet Explorer 7 (or higher) or Firefox 3. We call these “safer browsers” because they have security technology in them that allows the URL address bar to turn green on the PayPal website. More information on “safer browsers” can be found here in the PayPal security center: https://www.paypal.com/securitycenter.
- Start up a new browser - When starting a new e-commerce session, we recommend starting a new browser. Either access the PayPal site through the checkout links in the payment flow when you pay, or, if you are visiting the PayPal site directly, type in the full PayPal URL: https://www.paypal.com. If you visit PayPal frequently, you may want to bookmark this secure URL for easier access – and it will also defeat this vulnerability.
- Look for the green glow – As mentioned above, modern Web browsers will always display a green glow in the address bar when you’re on the PayPal website. Before logging in, look for this distinctive color. An image of the green glow using Firefox 3 is below.
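The second tip above boils down to one mechanical check: the address you type or bookmark must use https and must name exactly the PayPal host, with nothing in front of it that a browser would treat as a different site. The following Python function applies that check to a URL string. It is an added example written for this post and is not PayPal's code; the allow-list contains only https://www.paypal.com because that is the only address the post gives, and the sample URLs at the bottom are constructed for illustration.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Hypothetical allow-list. The post names only https://www.paypal.com,
# so that is the only host this check accepts.
SECURE_HOSTS = {"www.paypal.com"}


def check_secure_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when the URL uses https, carries no embedded
    credentials, names a host in SECURE_HOSTS exactly (not merely as a
    prefix or suffix), and uses the default https port.
    """
    parts = urlsplit(url.strip())

    # 1. Scheme must be https, not http or missing.
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % (parts.scheme or "missing")

    # 2. "https://www.paypal.com@evil.example/" puts the real host after
    #    the '@'; the text before it is a username, not the site.
    if parts.username is not None or parts.password is not None:
        return False, "URL embeds credentials before the host"

    # .hostname is lower-cased by urlsplit, so case tricks do not matter.
    host = parts.hostname
    if host is None:
        return False, "URL has no host"

    # 3. Exact match only: "www.paypal.com.example.net" is a different site.
    if host not in SECURE_HOSTS:
        return False, "host %r is not the expected PayPal host" % host

    # 4. An explicit :443 is fine; anything else is suspicious.
    try:
        port = parts.port
    except ValueError:
        return False, "port is not a valid number"
    if port not in (None, 443):
        return False, "unexpected port %d" % port

    return True, "secure PayPal URL"


if __name__ == "__main__":
    # Constructed sample addresses, not real links from any site.
    samples = [
        "https://www.paypal.com",
        "https://WWW.PayPal.com:443/login",
        "http://www.paypal.com",
        "https://www.paypal.com.example.net/login",
        "https://www.paypal.com@example.net/",
        "www.paypal.com",
    ]
    for s in samples:
        ok, why = check_secure_url(s)
        print("%-45s %s (%s)" % (s, "OK " if ok else "BAD", why))
```

Bookmarking the one URL that passes this check, and always starting from that bookmark rather than from a link that arrived in email or on another page, is the practical form of the advice above.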
It’s also important to know that PayPal protects you 100 percent against unauthorized access to your account. But the old saying stands true: an ounce of prevention is worth a pound of cure. These three tips, if used consistently when logging into your PayPal account, will help ensure your continued safety online.
For more tips and tricks to stay safe on the Internet, read my previous posts in our “Online Safety” category here on the blog and visit the PayPal Security Center.