Paypal message reguarding VeriSign G2 Root Certificate

Discussion in 'Payments processing' started by tomf2468, Mar 26, 2015.

  1. tomf2468

    tomf2468 New Member

    Joined:
    Jul 17, 2009
    Messages:
    12
    I've gotten a (I believe legit) email from PayPal regarding an update of security at PayPal and indicating that I may need to update my site. Mass mailing, not a personal one. In short it says that Paypal is

    1. Discontinue use of the VeriSign G2 Root Certificate
    2. Update your integration to support certificates using the SHA-256 algorithm
    You can see the info here:
    https://ppmts.custhelp.com/app/answers/detail/a_id/1236

    I'm "guessing" this doesn't apply to an aMember site on an http URL using the aMember paypal system, that it only applies if I'm on an HTTPS URL? I'm running aMember 4.4.2

    Any advice or comments are more than welcome!

    Thanks,
    Tom
  2. thehpmc

    thehpmc aMember Pro Customer

    Joined:
    Aug 24, 2006
    Messages:
    901
    Personally I would contact PayPal via their site, or phone their support, as I just did a 'whois' lookup for that domain name and there is no mention of PayPal or their address whereas there is if when looking up paypal.com.

    May be genuine but check first BEFORE making any changes that are suggested. If you do contact PayPal can you post up their response please?
  3. tomf2468

    tomf2468 New Member

    Joined:
    Jul 17, 2009
    Messages:
    12
    Well, I feel DUMB!

    thehpmc is absolutely correct in his suspicions! PayPal just confirmed that the email was NOT from them! Darn that email and the linked site looked good and legit. The email had @paypal.com as sender and reply to. It had my first and last name… I'm 98% sure I never "logged in" on that site. I did go to the developer/sandbox site, but I "think" I did that through a real URL (not a link on the fake site). Just to be 100% safe I have changed my PayPal password and checked the account for any non legit activity… no harm done :)

    Thanks,
    Tom
  4. thehpmc

    thehpmc aMember Pro Customer

    Joined:
    Aug 24, 2006
    Messages:
    901
    Tom don't feel too bad. That is where these scam sites 'excel' they do everything possible to make themselves look legit. even the security 'SHA-256 algorithm' is 100% legit developed by US Government.

    I checked a little bit deeper because it 'felt' a bit strange to me but also because although I have a PayPal business account (not used with aMember for several years, but it was at one time) but I never received an email like that so I started wondering why not!!

    Bad news is that with very little effort you can send out emails with a 'from' and 'reply to' in the name of any recognised company. Click on reply and that name appears but it is just the name for a link that goes back to the scam servers.

    You may feel dumb but on a major positive by posting up here all those that visit this site, at least, now are aware of this scam, and thankyou, on behalf of everyone, including me, for bringing this to our attention and returning with PayPals response.

Share This Page