Michael Barrett, PayPal’s chief information security officer, is reported in the press today as recommending that surfers use Internet Explorer, Firefox or even Opera in preference to Apple’s web browser, Safari.
Safari is the default web browser which ships on Apple Mac computers, laptops and even the iPhone, but a version for Windows was also unveiled to the world in June 2007.
Safari doesn’t command the same kind of market share as Microsoft Internet Explorer and Mozilla Firefox (the latter of which is also available in an Apple Mac version), but it’s likely that many Apple owners have stuck with the default web browser which shipped with their computers.
In PayPal’s opinion, Safari users are making a mistake. PayPal thinks that (at the moment at least) Opera, Firefox and Internet Explorer are safer for the average user.
People’s ears prick up when a company as prestigious as PayPal makes a statement like this – but what’s the truth?
The fact is that phishing is primarily a human problem, rather than a technological one. Yes, it’s a good idea to keep your browser up-to-date with patches, and if your browser has strong anti-phishing technology built into it – all the better. But ultimately it’s the user who decides to click on a web link in an unsolicited email, or enter their username and password on a site which later turns out not to be trustworthy.
Browsers can help reduce the risk through technology – but it would be a mistake to rely on them entirely for the security of your data.
If you don’t have confidence in the workers in your company, and worry that they are putting your business at risk by using unauthorized web browsers, then consider using application control to police which programs get used by which users. And whichever browser your company ends up choosing to access the web, ensure that surfing is being secured and controlled with a solution like the WS1000 Web Appliance, which can block access to sites containing malware, spyware and other online threats.
PayPal and its sister company eBay, like Sophos, are members of the Anti-Phishing Working Group (APWG), an organization dedicated to wiping out internet scams and fraud. The companies have published several tutorials on how to spot phishing emails: