Paypal security updates

Discussion in 'General Support' started by Jan Krohn, Apr 9, 2018.

  1. Jan Krohn

    Jan Krohn Member

    Joined:
    Aug 31, 2015
    Messages:
    73
    Likes Received:
    11
    I just received an email from Paypal, which seems to be genuine, that I need to apply security updates to be able to continue using the seller integration.
    Since my auction portal really is my only site that integrates Paypal seller services, my guess is that the PayPal modue on WeBid requires fixing.
    Did anyone else receive this as well?
    This is the details page of what supposedly needs to be fixed:
    LINK REMOVED, suspected phishing site. Go directly to Paypal for information on changes.
     
    Last edited by a moderator: Apr 23, 2018
  2. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,149
    Likes Received:
    247
    I didn't read the full page but, if you notice it's not paypal.com , it's paypal-notice.com. It's most likely fake. PayPal won't change their domain name like that. They are most likely phising to trick you.

    If you think you’ve received a fake email, forward it to spoof@paypal.com then delete the fake email from your inbox.
     
  3. Jan Krohn

    Jan Krohn Member

    Joined:
    Aug 31, 2015
    Messages:
    73
    Likes Received:
    11
    hhavatar likes this.
  4. Box Lot

    Box Lot Super Moderator Staff Member Developer

    Joined:
    Dec 18, 2008
    Messages:
    2,621
    Likes Received:
    165
    It will depend on what they note your lacking but more often than not it is the lack of an SSL certificate. New security has to have callbacks to/from a secure URL.
    In other, and their words, the checkout related URLs have to be served as HTTPS and not HTTP.
     
  5. Jan Krohn

    Jan Krohn Member

    Joined:
    Aug 31, 2015
    Messages:
    73
    Likes Received:
    11
    I have SSL across all sites, so I'd exclude that as the root cause. It's also not what the PayPal email and the website say, which give postback to a non SSL page (on paypal.com) as the root cause.
     
  6. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,149
    Likes Received:
    247
    I just recently discovered after trying to get back into my PayPal account which I hadn't accessed for a couple of years that my account had changed. PayPal pretty much had me start up a new account. PayPal has made a lot of changes since the last time I logged into it. I had a premiers account and now they no longer offer the premiers account.

    Ah, here's a full listing of a lot of that stuff here on the home page.
    LINK REMOVED AT MEMBER'S REQUEST

    We might have to update the Webid code to adapt to all of that.
     
    Last edited by a moderator: Apr 23, 2018
  7. Jan Krohn

    Jan Krohn Member

    Joined:
    Aug 31, 2015
    Messages:
    73
    Likes Received:
    11
    Thanks so much for acknowledging!!!
    We have about 10 weeks left before very likely the current Paypal integration in WeBid becomes useless.
    If you need any help, please let me know.
    (I'm not really an OO guy, so helping with coding would be adventurous... not in a positive sense... but maybe there are other ways for me to help.)
     
  8. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,149
    Likes Received:
    247
    Something is off with that site. I tried to click my own link for paypal-notice and my AVG Antivirus shield came up and blocked the page several times and showed me this message.

    capture-20180422-022637.png

    I have reported my own post with that link and yours too. I should of trusted my gut the first time. That is not a site to be trusted. I even checked it with the online virus total and got this.

    capture-20180422-024055.png

    Don't trust anything on that site and if you tried to log on somewhere then I go to your real paypal account and change your password.
     
    Last edited: Apr 22, 2018
  9. Jan Krohn

    Jan Krohn Member

    Joined:
    Aug 31, 2015
    Messages:
    73
    Likes Received:
    11
  10. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,149
    Likes Received:
    247
    IPN Verification Postback to HTTPS
    If you are using PayPal’s instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported.

    It also says something about the ssl in the history roadmap at #2:
    https://www.paypal.com/au/webapps/mpp/merchant-security-roadmap

    I think mainly it's for people that use the PayPal IPN feature and have SSL on their site. I don't know if Webid has any coding to integrate the IPN Verification.
     
  11. Jan Krohn

    Jan Krohn Member

    Joined:
    Aug 31, 2015
    Messages:
    73
    Likes Received:
    11
    And here's proof that paypal-notice.com is genuine, and your AV warnings are false positives:
    https://www.paypal.com/us/selfhelp/article/our-technical-support-content-has-moved!-ts2171

    As I said before, my WeBid site is my only site that has PayPal seller services integrated, and therefore the notification has most likely been triggered by non SSL IPN calls from my WeBid site.

    (Does anyone here actually care that, if I'm right, this will be a killer for a massive amount of existing WeBid installations?)
     
  12. Box Lot

    Box Lot Super Moderator Staff Member Developer

    Joined:
    Dec 18, 2008
    Messages:
    2,621
    Likes Received:
    165
    Links to phishing site have been edited out. Please be very careful when posting outside links.
     
    david62311 likes this.
  13. Box Lot

    Box Lot Super Moderator Staff Member Developer

    Joined:
    Dec 18, 2008
    Messages:
    2,621
    Likes Received:
    165
    Since this notice sent to OP was a phishing site, is there confirmation that Paypal integration is an issue with the current Webid installation in any other way then the lack of SSL certificate on the site?

    Have other members received a legitimate notification? Please report in only if you HAVE received these notifications so the thread does not fill with members noting they have not received a notice.

    As I mentioned, the vast majority of sites I work with that received a legitimate notification from Paypal sometime ago were due simply to the lack of an SSL certificate. Once that was installed there were no further notifications.

    One site that I could not get to in a timely manner ignored the initial message and a follow-up was sent so if payments occur after the first message it is likely that Paypal would notify you again though I cannot confirm that is always the case.

    Please review Paypal's new criteria on the Paypal site and verify that you meet all of the changes.
     
    david62311 likes this.
  14. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,149
    Likes Received:
    247
  15. Joey Johnson

    Joey Johnson New Member

    Joined:
    Oct 17, 2020
    Messages:
    2
    Likes Received:
    0
    Yes, this is now a big issue and Paypal will not work. It's odd.
     

Share This Page