Paypal dissing my browser.

[88V8]

Dissing. Is that a word?

Anyway, email from what appears to be Paypal today suggesting that my browser is obsolete and no longer acceptable for using their services.
Learn More, says a link which I don't click.

I'm using whatever is the latest version of IE.

Anyone else had this strange communication?

V8

[Alaric]

Anyway, email from what appears to be Paypal today suggesting that my browser is obsolete and no longer acceptable for using their services.

How would an email know what browser you were using? Sounds extremely likely to be a phishing attempt, similar to when Microsoft or "Windows" phones your home line to inform you that your computer is running slowly, or when the "Revenue" inform you there's a tax repayment. How can they possibly know the correlation between IP address and phone number?

[Breelander]

Anyway, email from what appears to be Paypal today suggesting that my browser is obsolete and no longer acceptable for using their services.

How would an email know what browser you were using? Sounds extremely likely to be a phishing attempt...

...or worse. That link is most likely to a site that would install malware to steal your login details.

Every website you visit can see what browser you are using*, if it were incompatible you'd see a popup to tell you so, not an email later. That's the first clue this is fake. The second clue would be that the email contains no personal identification, such as your paypal login name.

It's fake - and dangerous. Delete it!

* the only thing this site get's wrong is my screen resolution https://www.whatismybrowser.com/

[ClaudiusTheIdiot]

Yes, I also received the same message a week ago. It looks genuine - my correct email address and the link is to paypal -
https://www.paypal.com/us/smarthelp/art ... er-faq3893

Since I'm also using the up to date version of IE, and out of caution, I ignored it, but checked just now. A DuckDuckGo search on "paypal update web browser" gives the same link, which contains a link to check whether the version of your browser meets security standard TLS1.2. I clicked and mine does. Looks like Paypal are sending out messages as a precaution - perhaps as Breelander suggests, they don't actually know what browser you're using.

[Lootman]

perhaps as Breelander suggests, they don't actually know what browser you're using.

I thought Breelander was saying the exact opposite, here:

Every website you visit can see what browser you are using

It was my understanding that if you visit a site, or even just send someone an email, then the other party knows your IP address, browser version, operating system, your hardware specifics and so on.

But maybe not if you use a VPN or proxy server.

[Breelander]

perhaps as Breelander suggests, they don't actually know what browser you're using.

I thought Breelander was saying the exact opposite, here:

Every website you visit can see what browser you are using

...

I was suggesting that the sensible way to tell you that you may need an updated browser would be on your visit to the website - and then only if your browser was an old one. The link that ClaudiusTheIdiot gave has a test which could equally well have been done silentlly when you went to PayPal, only alerting you if your browser failed the test.

The least sensible way would be by bulk email. Everyone receiving it would be (rightly) suspicious that it was a scam, and therefore ignore it. These new security standards were announced a year ago, and PayPal is only now telling you to update your browser?

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

https://blog.pcisecuritystandards.org/a ... -early-tls

[Infrasonic]

One of the advantages of using webmail from one of the 'big players' to view emails is that DMARC end to end verification is used, so a genuine email from Paypal (who also use end to end) would be marked as 'from a trusted sender'. If you looked at the message routing first you'd see all the SPF/DKIM/DMARC server check passes from a genuine email.
Webmail has the added benefit that if you did get a spoofed address dodgy email with an active payload you'd have an extra layer between it and your PC as you aren't viewing locally, although using a decent secure browser (sandboxed or VM'd) helps there too...

Paypal sending out security alerts about outdated browsers (IE does very poorly on security reviews and also HTML5 tests) seems entirely plausible, seeing as their whole business model is financial and preventing fraud should be top of their list.

There has been discussion here and previously on TMF about having one browser specifically set up for all financial transactions or other data sensitive websites, with the settings tweaked for maximum security/privacy whilst still maintaining functionality.
There are quite a few off the shelf 'security first' options out there already tweaked to the max, so you don't even need to understand what all the settings do.

[chas49]

The article at https://www.paypal.com/gb/smarthelp/art ... al-faq2061 says that:

You’ll know that an email is not from PayPal when:

It begins with a generic greeting like ‘Dear user’ or ‘Hello, PayPal member.’ We'll always begin with your first and last name or the business name on your PayPal account.

Did the email mentioned do that?

If it had the right name, it doesn't prove it's genuine, but not having the name proves it's fake

[Breelander]

Paypal sending out security alerts about outdated browsers (IE does very poorly on security reviews and also HTML5 tests) seems entirely plausible, seeing as their whole business model is financial and preventing fraud should be top of their list.

Whether the email is genuine or not is beside the point. The link to a PayPal FAQ that ClaudiusTheIdiot gave earlier is genuine and says...

If your browser does not meet new security standards for websites (like PayPal) that hold payment data, you’ll need to update it to continue accessing paypal.com after June 27th.
Check your desktop browser to see if it’s up-to-date
Click here to test your browser.

https://www.paypal.com/us/smarthelp/art ... er-faq3893

Ironically, IE11 passes PayPal's test.

[Sussexlad]

I had something similar from a couple of sites. The Guardian's explanation is here...

https://www.theguardian.com/help/2018/m ... my-browser

[Infrasonic]

Paypal sending out security alerts about outdated browsers (IE does very poorly on security reviews and also HTML5 tests) seems entirely plausible, seeing as their whole business model is financial and preventing fraud should be top of their list.

Whether the email is genuine or not is beside the point. The link to a PayPal FAQ that ClaudiusTheIdiot gave earlier is genuine and says...

If your browser does not meet new security standards for websites (like PayPal) that hold payment data, you’ll need to update it to continue accessing paypal.com after June 27th.
Check your desktop browser to see if it’s up-to-date
Click here to test your browser.

https://www.paypal.com/us/smarthelp/art ... er-faq3893

Ironically, IE11 passes PayPal's test.

We'll have to agree to disagree about IE11 Bree as we've been over this before on other threads.

I have it and have only used it once in the past couple of years for some antiquated Govt. site that needed it. It wanted sensitive data off of me over an http link, so I closed it, sent a complaint email and waited 'till the site was updated to something remotely secure a few months later.

Whether the email is genuine or not is beside the point.

WRT to the veracity of sensitive emails from any financial organisation, I would have thought that is the first thing that should be established, otherwise you leave yourself open to spammers, phishers or worse exploiting current security news to send out dangerous spoofed emails that look very convincing. The webmail/DMARC solution I provided negates that problem.

If the email is genuine, what about the information provided in it?
How subjective is it?
Paypal like all commercial organisations have their own vested interests at heart. TLS isn't the only security issue.

I let all three of my Paypal accounts (and two of three eBay) lapse years ago when they started insisting on account verification via bank details or CC information. Bearing in mind how many issues they had at the time with eBay/Paypal fraud, I wasn't remotely interested in Paypal having more of my financial information. I'm still not.
I'm currently investigating using time limited or one off numbers for all online transactions and third party recurring payments, linked to my CC or bank details (but with no third party access to them.)

[Sussexlad]

I let all three of my Paypal accounts (and two of three eBay) lapse years ago when they started insisting on account verification via bank details or CC information. Bearing in mind how many issues they had at the time with eBay/Paypal fraud, I wasn't remotely interested in Paypal having more of my financial information. I'm still not.
I'm currently investigating using time limited or one off numbers for all online transactions and third party recurring payments, linked to my CC or bank details (but with no third party access to them.)

I use a Pockit card with my Paypal account, which I keep pre-loaded with £200 so no great risk.

[Infrasonic]

https://www.pockit.com/fees/

Thanks for that SL, just having a look.

The services I've been looking at so far are provided by the major banks and CC providers, so the fees tend to be much lower.
I just want the one step of isolation between my real CC/Bank details and any third party vendor so they have nothing to go after.

[Lootman]

I use a Pockit card with my Paypal account, which I keep pre-loaded with £200 so no great risk.

The services I've been looking at so far are provided by the major banks and CC providers, so the fees tend to be much lower.
I just want the one step of isolation between my real CC/Bank details and any third party vendor so they have nothing to go after.

Paypal has the ability for you to set limits (daily, monthly etc.) so it is possible to cap the amount that can go out of your account in any event, Given that you also get an email every time a payment goes out, it is possible to limit any losses fairly easily.

Of course that assumes that someone can't hack into your account, because then they could change the limits, email etc. But then that is true of any online financial account.

I was not aware that third parties can "see" my bank or CC details within Paypal. I thought not. The only personal information I know for a fact that third parties can see is the email address I gave to Paypal, and that does not indicate my real name.

[Infrasonic]

I use a Pockit card with my Paypal account, which I keep pre-loaded with £200 so no great risk.

The services I've been looking at so far are provided by the major banks and CC providers, so the fees tend to be much lower.
I just want the one step of isolation between my real CC/Bank details and any third party vendor so they have nothing to go after.

Paypal has the ability for you to set limits (daily, monthly etc.) so it is possible to cap the amount that can go out of your account in any event, Given that you also get an email every time a payment goes out, it is possible to limit any losses fairly easily.

Of course that assumes that someone can't hack into your account, because then they could change the limits, email etc. But then that is true of any online financial account.

I was not aware that third parties can "see" my bank or CC details within Paypal. I thought not. The only personal information I know for a fact that third parties can see is the email address I gave to Paypal, and that does not indicate my real name.

By third parties I meant any company that you had registered your real CC number/expiry/code or bank account details with (or their e-commerce merchant provider more accurately) that has the ability to do customer not present payments, reversals et al. So that includes Paypal, even if they have the limits.

I only want those details stored with the originating bank or CC company, who can still be defrauded (even SWIFT gets hammered for many hundreds of millions a year, it's just that the banks just keep very quiet about it...) Everyone else just gets a one off or time limited unique number for which a specific or variable transaction limit can be set. It also means when a CC/DC comes up for expiry/renewal you don't have to schlep round all the third party recurring payment sites updating the card information...

[Slarti]

It was my understanding that if you visit a site, or even just send someone an email, then the other party knows your IP address, browser version, operating system, your hardware specifics and so on.

But maybe not if you use a VPN or proxy server.

Visit a site may well give much of that information, but you can block a lot of it, but it is not included in emails, other than your IP address.

Slarti

[Breelander]

We'll have to agree to disagree about IE11 Bree as we've been over this before on other threads.

I wasn't touting IE as secure, only pointing out that it passed PayPal's minimum requirements. Personally I'd never use it for my financial sites. For that (and not much else) I use Edge.

Paypal like all commercial organisations have their own vested interests at heart. TLS isn't the only security issue.

True, but other issues, while important, are a bit OT here. TLS is the only issue raised by the email being discussed here. PayPal along with all other financial organisations are obliged to stop support for anything less than TLS 1.1 from 30th June and it is this which will render older browser inoperative...

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol...

Personally I'm beginning to think the email was genuine, but a very poorly chosen last minute nod towards the changes on the part of PayPal.

[chas49]

email from what appears to be Paypal today suggesting that my browser is obsolete and no longer acceptable for using their services.

Tagging the OP to ask if s/he has established if this was genuine. Did it have his/her name on the email etc.?

[88V8]

My name? Mmm, Yes.
It did look genuine.

I went to the Paypal site, logged in as usual, no message about my browser. So I deleted the email.

Have since noticed on various forums including the Paypal Community, people discussing whether the message was genuine. It seems to have been distributed quite widely.

V8