Paypal to block older browsers

Paypal plans to block older versions of popular browsers such as Internet Explorer as part of a wide range of measures to combat phishing.

Initially users of browser such as Internet Explorer (IE) 3 and IE4 will receive a warning message when they try to use Paypal. However later on the payment provider said it plans to block customers using those browsers it deems the most unsafe from using its site.

These browsers, the oldest of which was released nearly 10 years ago, lack some of the safety features of later browsers. Also flaws in the code that can be exploited by cybercriminals are not addressed with updates.

“In our view, letting users view the Paypal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.

"The alarming fact is that there is a significant set of users who use very old and vulnerable browsers, such as Microsoft’s IE 4 or even IE 3. We argue that it’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers.

"At Paypal, we are in the process of re-implementing controls which will first warn our customers when logging in to Paypal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe – usually the oldest – browsers"

The steps were outlined in a white paper, A Practical Approach to Managing Phishing, written by the firm's chief information security officer Michael Barrett and Dan Levy, director of risk management.

It described how Paypal is also supporting the use of Extended Validation SS L certificates, which were introduced a few months ago. These give consumers more confidence they are visiting a bona fide company’s site.

The latest versions of IE and Firefox support these certificates by turning the address bar green when the site visited is legitimate. They also display the company name and the certificate authority name. However Apple’s Safari browser for Mac and PCs does not.

The company said that there was “no silver bullet” for the problem of cybercrime but if the industry adopted multiple layers of defence they can make a huge difference.

“We have not identified any one solution that will single-handedly eradicate phishing; nor do we believe one will ever exist. Instead, our approach relies on a holistic 'defence in depth' model.

"In this approach, there are multiple layers of defence – while no single layer can defeat phishing on its own, in tandem they can make a huge difference, with each layer shaving off some percentage of crime that otherwise would have occurred."