PayPal Security Requirements: Ensure Your Systems are SHA-256 Compatible by 30 September

38 replies
I received an email from Paypal about their new security Requirement as below:

__________________________________________________ _______________________________________

Dear Avneet Singh,

I have tried to call you but no luck, please find below the detailed information relating to the
SHA-256 Security Certificate upgrade requirements that you would have received a number of communications about from PayPal over recent months.

Once you have had a chance to check your status in relation to this security upgrade
with your IT department or service/hosting provider,
could you please reply to this email advising us of your ability to meet the September 30 deadline.

When you have a date planned for the upgrade or have already upgraded
please email merchant_team@riverviewcs.com quoting Ref#3,786 to advise us of your status.

At PayPal, safety and security are out top priorities and to comply with industry standards,
we need to move our endpoints to stronger encryption known as SHA-256.

Compatibility with SHA-256 will help strengthen your protection,
ensure that your systems are up to date with the latest security measures and allow your business to continue accepting payments with PayPal.
As part of our commitment to your business, we wanted to let you know that if your systems aren't SHA-256 compatible by 30 September 2016,
your business will be unable to accept payments with PayPal until changes are made.

Please click here to view more details on PayPal's transition to SHA-256 and how to action the required changes.
https://www.paypal-knowledge.com/inf...ewlocale=en_US

Attached is also a PDF Document with more information on Security changes coming in June 2017.

We encourage you to speak with your web hosting company, e-commerce software provider
or in-house web programmer/system administrator for further assistance in implementing these changes, if needed.

__________________________________________________ _____________________________________

Not sure what it is though I have forwarded the request to my bluehost. Anybody else got such email?
  • Profile picture of the author agmccall
    You think you received this from paypal???? The email address does not go to paypal nor does the web address you gave. You really need to use your head a little bit

    al
  • Profile picture of the author luciesmazanska
    merchant_team@riverviewcs.com ?? this is not definitely from paypal...
    Don't reply or don't give them any details!
  • Profile picture of the author nicheblogger75
    It's a phishing email. They will take you to a "login" page that looks official and once you enter your user name and password they now have full access to your account.

    You can report the email to PayPal if you want to do some good. Otherwise, delete it. If you have logged in anywhere and used your user name and password, I would advise you to immediately change your password.

    You need to be a little more careful.

    However, it's not necessarily your fault. Some of these emails can be very convincing and some of the web pages they make can look very authentic.

    One of the biggest indicators that it's a phishing scam is the "from" email address and the URLs that they use. If the URLs are long and clunky looking (they usually have several hyphenations and one of the words will be the business they are trying to fake), or if the "from" email is a Gmail or a Yahoo address, those are dead giveaways that it's fake.

    Just to show you how convincing some of these scams can be, here is a link to a thread I started about a Hostgator phishing scam that was going around several months back:

    http://www.warriorforum.com/main-int...-not-fall.html


    Notice the "from" email address.

    It's donotreply@reply.hostgator.com.

    Notice any problem with that?

    Look at the part after the "@." The URL is "reply.hostgator.com." If it was really from Hostgator, it would just be "@hostgator.com."


    Also, the web pages were almost EXACT. You had to look really closely and you could see some very small differences.
  • Profile picture of the author yukon
    Banned
    Was the email from PayPai ?
  • Profile picture of the author BradVert2013
    I guarantee that's not from Paypal. Look at Paypal's website in the security section and there's a way to report these types of emails to them. This is something they should probably know about.
  • Profile picture of the author Stephen Saha
    hey Avneet,

    Use a unique email for Paypal and don't share that mail anywhere. Use it for no subscriptions.
    No other sign-up. Keep it exclusively for Paypal. Better to use mail from your own domain.

    That way you will be safe from such fraud mails and have complete peace of mind.

    All the best!

    Stephen
    • Profile picture of the author bigkitty
      Originally Posted by Stephen Saha View Post

      hey Avneet,

      Use a unique email for Paypal and don't share that mail anywhere. Use it for no subscriptions.
      No other sign-up. Keep it exclusively for Paypal. Better to use mail from your own domain.

      That way you will be safe from such fraud mails and have complete peace of mind.

      All the best!

      Stephen
      I'm pretty sure the guy bought something off him and used his email to contact him. How else would he know he had a paypal with that email?
  • Profile picture of the author ForumGuru
    Banned
    Originally Posted by BradVert2013 View Post

    I guarantee that's not from Paypal. Look at Paypal's website in the security section and there's a way to report these types of emails to them. This is something they should probably know about.
    Forward the bogus email to: spoof@paypal.com.
  • Profile picture of the author nicheblogger75
    Even if this is legit I think if you are selling through networks like JVZoo or Warrior Plus it would be on them to handle all of this stuff.

    I never use my own PayPal buttons and don't run any ecommerce stores or anything like that so I'm not going to worry about it even if it is legit.

    If I had a company with a website that accepted direct payments and processed credit card data then I would have to worry about it. Actually, even then I wouldn't worry about it. I'd just hire somebody else to take care of it for me.

    I'm strictly an affiliate and promote other people's products, so I'm not worried about it.
    • Profile picture of the author Sid Hale
      As Mark noted above, Paypal IS in fact making changes and that has probably opened the door for any number of people to try to find a way to exploit the uncertainty that results.

      Originally Posted by nicheblogger75 View Post

      I'm strictly an affiliate and promote other people's products, so I'm not worried about it.
      This is primarily a problem for vendors and their web hosting companies, however...

      It can potentially affect affiliate marketers, as well.

      See: http://www.warriorforum.com/main-int...nversions.html

      If you promote products from a vendor who has not ensured that their web server is compliant - you could be losing money on potential sales that will NOT be processed.
      • Profile picture of the author nicheblogger75
        Originally Posted by Sid Hale View Post

        As Mark noted above, Paypal IS in fact making changes and that has probably opened the door for any number of people to try to find a way to exploit the uncertainty that results.



        This is primarily a problem for vendors and their web hosting companies, however...

        It can potentially affect affiliate marketers, as well.

        See: http://www.warriorforum.com/main-int...nversions.html

        If you promote products from a vendor who has not ensured that their web server is compliant - you could be losing money on potential sales that will NOT be processed.
        Right, I agree.

        What I'm saying, though, is that networks like JVZoo, Warrior Plus, Clickbank, Zaxaa, etc, are going to make sure that they are compliant so that anyone promoting products through those networks as an affiliate should not have any problems.

        I could even sell my own products where my sales pages are hosted on my web hosting, but if I'm using JVZoo, as soon as the person clicks the "buy now" button they are taken to the payment page which is hosted by JVZoo. Therefore, JVZoo would be processing the credit card info, so they would have to be compliant.

        What I'm saying is that is not going to affect affiliates who are promoting through the big networks or vendors that are using JVZoo, Clickbank, etc, to sell their products. Now, as for some smaller CPA affiliate networks, this could be a problem if they are not up to date and in compliance by September 30.

        Sid, just out of curiosity, let's say I wanted to set up and use your RAP script to run my own affiliate network and payment process?

        This is something that I have considered doing in the past and still see as a possible option for the future.

        Would you be making changes to the software so that it would run in compliance or would this be something that I would have to handle if I were to purchase and set up the RAP script on my own hosting?
        • Profile picture of the author Sid Hale
          Hey nicheblogger,

          Originally Posted by nicheblogger75 View Post

          Sid, just out of curiosity, let's say I wanted to set up and use your RAP script to run my own affiliate network and payment process?

          This is something that I have considered doing in the past and still see as a possible option for the future.

          Would you be making changes to the software so that it would run in compliance or would this be something that I would have to handle if I were to purchase and set up the RAP script on my own hosting?
          There were Paypal IPN changes issued a year or so ago that DID require changes to the RAP system, but Paypal gave us notification ahead of time and RAP was updated well in advance.

          The SHA-256 compliance cannot be handled within the application software (mine, JVZoo's, or anyone else).

          It requires that the web hosting company include SHA-256 encryption services so the problems should only arise with vendors running a self-hosted affiliate management system, on a non-compliant web server.

          In other words, this is a web server issue - but Paypal has provided testing tools (for a couple of months now) to allow such systems to verify that their web server environment was compatible.


          As for your own potential use of RAP... don't pull the trigger until after the upcoming release. It's a pretty major re-write (currently in beta), so I expect you'll start seeing the "noise" about it pretty soon.
          • Profile picture of the author nicheblogger75
            [DELETED]
            • Profile picture of the author Sid Hale
              Originally Posted by nicheblogger75 View Post

              Then, it would be up to me to make sure that the server I'm hosting the RAP script on is SHA-256 compliant.

              Am I correct about that?
              That's right.

              I don't think there will be any problems with the major hosting companies (I know that HostGator servers are compliant).

              I think the problems are going to arise with people working on a really tight budget, who often shop around for extremely low server costs, and wind up with a 1 man web hosting company who really shouldn't be in the business in the first place.
  • Profile picture of the author trobo
    Most of the time, an observant person will notice misspelled words in these emails which is a dead giveaway they are fake.

    Other times, they will use the British variants of English words that are spelled slightly differently than the words used in the USA. This is also a dead giveaway.

    Often these words will be in the footer of the email and not the message itself, so you have to look closely for them.
  • Profile picture of the author james flynn
    Don't fall for it. Email address doesn't look credible and the link also looks kind of fishy. I have been using paypal for years and have never received any upgrade instructions from them. Therefore just ignore it.

    Cheers-James
  • Profile picture of the author shaunybb
    Ever heard of the deep web?

    Watch out for emails like this, they're everywhere, we just don't know it.

    I caught one of the hackers the other day when logging in to my bank. I am quite paranoid so I always check the https request and protocol etc, this F**K was loading something funky and tried to hijack the https!
  • Profile picture of the author AnniePot
    [DELETED]
    • Profile picture of the author Khemosabi
      Originally Posted by AnniePot View Post

      It's interesting to note that the OP hasn't logged in to the WF since making this post: Last Activity: 26th August 2016 07:15 AM

      I wonder if this post is part of the scam thinking unsuspecting folk, trying to be pro-active, will follow the links and give away their information.

      I haven't clicked any of the links, but who knows?
      I agree Annie! While some of the information from people who responded was great info, I was left wondering why the OP didn't just call PayPal themselves and ask! Why go to a forum when you can just call the company?

      I received an email today that had my husband's full name in it! He has no association with this particular account! Kind of spooky. Oddly, it was for a supposed class action suit against Equifax.

      While I have checked our credit online before, I have never used that email to do so. However, the email was pretty convincing, meaning I had to actually think it through. Then again, it was pretty early when I saw it! LOL!

      ~ Theresa
    • Profile picture of the author BradVert2013
      Originally Posted by AnniePot View Post

      It's interesting to note that the OP hasn't logged in to the WF since making this post: Last Activity: 26th August 2016 07:15 AM

      I wonder if this post is part of the scam thinking unsuspecting folk, trying to be pro-active, will follow the links and give away their information.

      I haven't clicked any of the links, but who knows?
      I copy/pasted the link into my browser and the website just had an error page. Nothing else.

      But yeah, it's strange the OP hasn't logged in again since the original post.
  • Profile picture of the author LorenceMerk
    Obviously, the email doesn't come from paypal. I suggest you call paypal as they have reliable customer service. Try to send this email to paypal as well so they can do something about it and beware people about that kind of email.
  • Profile picture of the author ForumGuru
    Banned
    Originally Posted by singhavn View Post

    Anybody else got such email?
    Originally Posted by james flynn View Post

    Don't fall for it. Email address doesn't look credible and the link also looks kind of fishy. I have been using paypal for years and have never received any upgrade instructions from them. Therefore just ignore it.

    Cheers-James
    This is what a legit email from Paypal on the SHA-256 upgrade looks like:



    The header:



    The links included in the email:

    https://www.paypal-knowledge.com/res...English%29.pdf

    https://www.paypal-knowledge.com/inf...e&locale=en_US

    As I mentioned in my earlier reply to this thread...forward bogus emails to: spoof@paypal.com.

    Cheers

    -don
  • Profile picture of the author aizaku
    just hope the OP didn't fall for it.

    you gotta watch out

    the imprisoned princess phishing scam is evolving...

    -Ike Paz
  • Profile picture of the author megamind22
    That's not from PayPal my friend so don't fall for it. I get similar messages like that asking for information that makes no sense. So be alert those are either scammers or someone trying to hack your paypal account.
    • Profile picture of the author nicheblogger75
      Originally Posted by megamind22 View Post

      That's not from PayPal my friend so don't fall for it. I get similar messages like that asking for information that makes no sense. So be alert those are either scammers or someone trying to hack your paypal account.
      I agree it's not from PP, but the more I look at it the more I think it's not a phishing email but some company trying to sell their IT or web hosting services.

      Usually phishing emails ask you outright to log into a page using your credentials so they can capture them right away. Doesn't seem to be the case here.

      I think it's just a cold sales pitch.

      However, I don't know how they could have gotten the OP's PP email address, either.

      Of course, they didn't necessarily need to know that it was his PP email. All they needed to know was that he sold products and so he might require their services.

      If he is using the same email as his "contact" email on any of his sales pages, blogs, etc, then they could have just scraped it that way.
  • Profile picture of the author Brent Stangel
    I agree it's not from PP, but the more I look at it the more I think it's not a phishing email but some company trying to sell their IT or web hosting services.
    A convincing lie normally contains a good deal of truth.

    Use a real situation for fear mongering. Fear of money lost is a very powerful motivator that often overrules logic.
  • Profile picture of the author singhavn
    Hi guys,

    First of all I would like to thank each of you for taking out your time and looking into my thread. I appreciate your response to this issue.

    I did email my host (bluehost) and Paypal about this email. I received a reply from both. Bluehost said that they are aware of paypal upgradation and they will be updating their servers before Sept 30th.

    However Paypal support guys told me that this email is not from them and I have already forwarded the email to spoof@paypal.com

    Thanks again guys. I will keep you informed with any news or info I receive in future about this.
  • Profile picture of the author Kay King
    I agree it's not from PP, but the more I look at it the more I think it's not a phishing email but some company trying to sell their IT or web hosting services.
    Why spend so much time looking at an obvious scam/phishing email?
    Why bother to look up last year's PP upgrade to compare letters?

    I have tried to call you but no luck..
    I would have stopped and deleted the email after that first line. Think about it - in 2016 Paypal has 188 million accts.....do you think they are calling each of them?

    No - when PP has something to say about YOUR acct....they put a notice on YOUR acct.

    "no luck" -? You mean they didn't leave a message? Come on, folks.
    • Profile picture of the author singhavn
      Originally Posted by Kay King View Post

      Why spend so much time looking at an obvious scam/phishing email?
      Why bother to look up last year's PP upgrade to compare letters?



      I would have stopped and deleted the email after that first line. Think about it - in 2016 Paypal has 188 million accts.....do you think they are calling each of them?

      No - when PP has something to say about YOUR acct....they put a notice on YOUR acct.

      "no luck" -? You mean they didn't leave a message? Come on, folks.

      But I did receive a call from an International Number (From Holland I think) just before that email. I was having my breakfast that time so I couldn't pick that up.

      On the other note, paypal did call me a few times about discussing a few things. But all the time I received a call from their India office or from their Singapore Office.
      • Profile picture of the author Sid Hale
        Seriously???

        Originally Posted by singhavn View Post

        But I did receive a call from an International Number (From Holland I think) just before that email. I was having my breakfast that time so I couldn't pick that up.

        On the other note, paypal did call me a few times about discussing a few things. But all the time I received a call from their India office or from their Singapore Office.
        You come here wondering about an email from Paypal, but you are willing to trust a phone call that is supposedly from Paypal?

        Be careful. At least you can check email headers to help determine if an email is authentic. Phone calls have no routing header, so the only way you know who they are from is based on what the caller tells you.

        The only phone calls I receive from India or Singapore claim to be from Microsoft support.

        I can assure you that Microsoft does NOT have my phone number.

        If you gave Paypal your phone number, I would suggest that you remove the number from your Paypal account so that you will know that anyone calling and representing themselves as being from Paypal... is a spoof.
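The header check Sid Hale mentions above, as an added example (not code from any poster in this thread or from PayPal): it reads the Authentication-Results header written by the receiving mail server, then asks separately whether the authenticated domain is one the claimed sender is expected to use. The receiving host mx.example.net, the function names and every header value other than merchant_team@riverviewcs.com and paypal.com are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples. Only merchant_team@riverviewcs.com and the paypal.com
# domain come from the thread; display names, the receiving host
# mx.example.net and all Authentication-Results values are invented.
THIRD_PARTY = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=riverviewcs.com;
 dkim=pass header.d=riverviewcs.com;
 dmarc=pass header.from=riverviewcs.com
From: PayPal Merchant Team <merchant_team@riverviewcs.com>
Subject: SHA-256 upgrade

(body omitted)
"""

FORGED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=paypal.com;
 dkim=none;
 dmarc=fail header.from=paypal.com
Authentication-Results: mx.unrelated.invalid; dmarc=pass header.from=paypal.com
From: PayPal <notice@paypal.com>
Subject: SHA-256 upgrade

(body omitted)
"""

# Which property of each method names the domain that was verified.
IDENTITY = {"dmarc": "header.from", "dkim": "header.d", "spf": "smtp.mailfrom"}


def parse_auth_results(value):
    """Split one Authentication-Results value (RFC 8601) into
    (authserv_id, [(method, result, {property: value}), ...])."""
    value = re.sub(r"\([^)]*\)", " ", value)           # drop (comments)
    parts = [p.strip() for p in " ".join(value.split()).split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        m = re.match(r"([\w-]+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", part[m.end():]))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv_id, results


def same_domain(identity, from_domain):
    """Strict alignment (exact match). DMARC's default relaxed mode compares
    organizational domains and needs the Public Suffix List."""
    domain = identity.rpartition("@")[2].lower().rstrip(".")
    return bool(domain) and domain == from_domain


def assess(raw, trusted_authserv, expected_domains):
    """Return what the headers prove about the From domain of one message."""
    msg = message_from_string(raw, policy=policy.default)
    address = parseaddr(str(msg.get("From", "")))[1]
    from_domain = address.rpartition("@")[2].lower()
    authenticated = False
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != trusted_authserv.lower():
            continue  # not written by our own mail server, so not evidence
        for method, result, props in results:
            ident = IDENTITY.get(method)
            if result == "pass" and ident and same_domain(
                    props.get(ident, ""), from_domain):
                authenticated = True
    expected = from_domain in {d.lower() for d in expected_domains}
    if not authenticated:
        verdict = "unauthenticated"                 # From may be forged
    elif expected:
        verdict = "authenticated-expected-domain"
    else:
        verdict = "authenticated-other-domain"      # real sender, other org
    return {"from_domain": from_domain, "authenticated": authenticated,
            "expected_domain": expected, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("third party", THIRD_PARTY), ("forged", FORGED)):
        print(name, assess(raw, "mx.example.net", {"paypal.com"}))
```

A passing result only shows which domain sent the message; whether that domain speaks for PayPal still has to be confirmed with PayPal directly.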
  • Profile picture of the author faisalmaximus
    Be aware of scam mails, otherwise you will lose everything. This mail was not sent from Paypal authority, this was sent from scammers.
  • Profile picture of the author wendy oltman
    It is always a great idea to secure your connection with a vpn server while making online transactions especially the ones involving financial transactions. I have been the victim of counterfeiting and since then I encrypt my files and folders and also secure my connection with purevpn that provides me encrypted connection to secure myself from hacking attempts.
  • Profile picture of the author George Schwab
    So what does the real Paypal want from us?

    I read it....and am remotely reminded of installing SSL certificates
    in the order process - when the link goes back to the merchant

    is this what the ORIGINAL email is all about?
    • Profile picture of the author Sid Hale
      No George...

      although that's probably the way most readers of the email understood it.

      Originally Posted by George Schwab View Post

      So what does the real Paypal want from us?

      I read it....and am remotely reminded of installing SSL certificates
      in the order process - when the link goes back to the merchant

      is this what the ORIGINAL email is all about?

      It's NOT about you having an SSL certificate.

      It's about your web host's ability to support SSL-256 so that when Paypal posts back to your web site, the message can be unencrypted by the host. For instance, Paypal Instant Payment Notification (IPN) is a message from their web host to yours. Your host must be able to unencrypt such messages before handing them off to your processing.
  • Profile picture of the author George Schwab
    thanks Sid,

    now ------ to be honest i still don't know what i actually should do

    my webhosts - all top of the line - but man could you be a hint of more specific?

    what is it? in one sentence?

    i'll appreciate it.

    "Your host must be able to unencrypt such messages before handing them off to your processing. "

    ok, got that by now [slow processing power at night]

    so to make that one work
    • Profile picture of the author Sid Hale
      Sorry George,

      I didn't mean to short change you...

      Originally Posted by George Schwab View Post

      thanks Sid,

      now ------ to be honest i still don't know what i actually should do

      my webhosts - all top of the line - but man could you be a hint of more specific?

      what is it? in one sentence?

      i'll appreciate it.
      First thing to note is that if you're using one of the mainstream web hosting companies, you're probably taken care of, because SHA-256 isn't really that new and reputable web hosting companies should already support it.

      It's not a matter of your web host replacing SHA-1 with the newer SHA-256, but rather supplementing the old with the new. They will still need to handle the older decryption from web hosts that have not upgraded.

      Paypal's email was simply to inform you that YOUR web host MUST be able to support the newer protocol in order to take advantage of those features that require server to server communication behind the scenes.

      There are no web page coding changes, no WP updates, etc., and unless you are running on your own private server (vis-a-vis Hillary Clinton), you don't really have to do anything technical. You will have to check with your web host to make sure that they are providing SHA-256 support before 30 Sep.

      Hope that helps,
      • Profile picture of the author George Schwab
        Originally Posted by Sid Hale View Post




        There are no web page coding changes, no WP updates, etc., and unless you are running on your own private server (vis-a-vis Hillary Clinton), you don't really have to do anything technical. You will have to check with your web host to make sure that they are providing SHA-256 support before 30 Sep.

        Hope that helps,

        great, imagine paypal would send out emails like that...so we actually would know what to do....the world would be a better place.
  • Profile picture of the author Edmontontech
    This is indeed not from paypal. It is quite alarming how people still try and phish out data from others. They are trying to find every opportunity they can just to get money out of others' pockets. Such a shame.
  • Profile picture of the author jinmin
    A lot of phishing emails claim to be from banks, paypal, etc. all the time. Be cautious everyone, I just reminded myself as well, sometimes I tend to overlook it.
  • Profile picture of the author Marketing Team
    Hi All,
    I'm the Manager for this PayPal Project so I can vouch that this is a real email that we sent out to those who did not answer the mobile or land line numbers provided to us by PayPal for Asia Pacific.

    The purpose of this Project was to telephone 5,000 PayPal Merchants individually and ensure each one was aware of the Industry wide changes that are happening soon and to give them all enough time to make those changes should they use PayPal as a payment gateway.

    PayPal outsourced this "information distribution" to a Global Agency and used a phone/email combination method to cut through the email noise.
    Should you ever feel unsure, you can contact PayPal to verify which most people do already.

    We did not ask for any confidential information, it was simply a courtesy call and a follow up email containing information that PayPal wants its customers to be informed about.
    What the Merchant then did with it was up to them.

    PayPal does not authorise 3rd party agencies/companies to email "as PayPal" so the email address/ domain is our own.

    I hope this helps clarify.

    Sincerely,
    Marketing Team
    Riverview Channel Services Pty Ltd