From: exibar at thelair.com (Exibar)
Subject: PayPal issues another blow to user security

The e-mail response from PayPal sounded more like a "canned" response than
an actual human response.  I would imagine that they simply have a rule set up
that looks for links within a message and if it doesn't have
https://www.paypal.com then it spits back that canned message.  On the other
hand, it could simply be a college kid that is working at PayPal to make a
few extra bucks and just saw that the link didn't point to
https://www.paypal.com and hit the "send canned response" button.

  Either way, PayPal should mention something about it on their site's
homepage.  It is very irresponsible of them not to.

  Exibar

----- Original Message ----- 
From: "Mary Landesman" <mlande@...lsouth.net>
To: "Rob Adams" <rob@...ep.org>; "Aaron Horst" <anthrax101@...oo.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, December 17, 2003 1:23 PM
Subject: Re: [Full-Disclosure] PayPal issues another blow to user security


> I think the response speaks more of the tunnel vision of the person
> answering the email. PayPal and Providian entered a partnership in Feb 2001.
> At the time, Providian apparently took a huge stake in PayPal equity
> (estimates placed it at between $100 - $200 million) and the two companies
> agreed to co-brand the credit cards. See Forbes for details:
> http://www.forbes.com/2001/02/07/0207eccommerce.html
>
> The legal agreement between the two parties, dated March 2002, can be found
> here:
> http://techdeals.startup.findlaw.com/agreements/paypal/providian.card.2002.03.01.html
>
> The June 2001 press release announcing the site, and sponsored by both
> parties, can be found here:
> http://www.findarticles.com/cf_dls/m4PRN/2001_June_18/75602419/p1/article.jhtml
>
> Perhaps PayPal might wish to take the opportunity to ensure the folks
> answering email at spoof@...pal.com are versed in company partnerships and
> policies.
>
> Regards,
> Mary Landesman
> Antivirus About.com Guide
> http://antivirus.about.com
>
> ----- Original Message ----- 
> From: "Rob Adams" <rob@...ep.org>
> To: "Aaron Horst" <anthrax101@...oo.com>
> Cc: <full-disclosure@...ts.netsys.com>
> Sent: Wednesday, December 17, 2003 12:09 PM
> Subject: Re: [Full-Disclosure] PayPal issues another blow to user security
>
>
> [[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]
>
> Aaron Horst reported earlier this week that Paypal violates their own
> anti-phish policy. He received an official email that included a
> clickable link to "paypalcreditcard.com." Their stated policy is that
> they will only ever link to "paypal.com." Paypalcreditcard.com appears
> to be a legitimate web site operated by Paypal's business partner,
> Providian Financial Corporation.
>
> I received a similar solicitation. I forwarded it to the
> "spoof@...pal.com." I think you'll enjoy the response:
>
> =================
>
> Dear Rob Adams,
>
> Thank you for contacting PayPal.
>
> Thank you for bringing this suspicious email to our attention. We can
> confirm that the email you received; was not sent to you by PayPal. The
> website linked to this email is not a registered URL authorized or used
> by PayPal. We are currently investigating this incident fully. Please
> do not enter any personal or financial information into this website.
>
> If you have surrendered any personal or financial information to this
> fraudulent website, you should immediately log into your PayPal Account
> and change your password and secret question and answer information.
> Any compromised financial information should be reported to the
> appropriate parties.
>
> If you notice any unauthorized activity associated with your PayPal
> transaction history, please immediately report this to PayPal by
> following the instructions below:
>
> 1.  Go to https://www.paypal.com/
> 2.  Click on the Security Center at the bottom of the page
> 3.  Click on "Report a Problem"
> 4.  Select the Topic: Report Fraud
> 5:  Select the Subtopic: Unauthorized use of my PayPal Account, and
> click Continue.
> 6.  Follow the instructions to access the appropriate form
>
> If you have any further questions, please feel free to contact us
> again.
>
> =======================
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

