Michael Barrett, PayPal’s chief information and security officer, has a message for users of Apple’s Safari Web browser: don’t use it with PayPal, at least if you want to avoid online fraud. In an interview with PC World, Barrett laments that Safari doesn’t support two anti-phishing technologies that he says have accounted for a “several percentage-point” improvement in customers signing up for the service. “I’d love to say that Safari was a safer browser, but at this point it isn’t,” said Barrett.
Safari is the default Web browser under Mac OS X and on Apple’s Mobile OS X, used on the iPhone and iPod touch. Safari is also available for Windows.
Barrett takes Safari to task for not offering an anti-phishing filter that alerts users when they may be visiting suspicious sites. He would also like to see Safari and other browsers support Extended Validation (EV) certificates, a technology currently supported only in Internet Explorer 7, although Firefox 3.0 plans to implement it. Barrett recommends PayPal users stick with IE 7, Firefox 2 or 3, or Opera. “Apple, unfortunately, is lagging behind what they need to do, to protect their customers,” Barrett said.
Anti-phishing filters turn a browser’s address bar green when a user is visiting a site the technology believes is legitimate. On allegedly fraudulent sites the address bar is highlighted in red, while suspicious sites are marked with yellow. The technologies have received some criticism for being biased towards large enterprises, and for potential vulnerabilities that may let attackers game the systems to misrepresent arbitrary sites. Microsoft’s phishing filter relies on a database of sites “confirmed by reputable sources” to be fraudulent.
A small usability study of anti-phishing technologies conducted by Microsoft and Stanford University found that, without training, users weren’t likely to notice or understand the green address bar on approved sites.