I agree that the process is the correct unit of security, but I think it's a mistake to
include all "customer service" in the security process per se.
When your bank replaces money which was fraudulently taken from your account, that's not part
of a "security process", it's just a customer retention measure or a legal obligation. If the
bank is able to revert the fraudulent transfer then /that/ might be part of a security
process, or if they're able to identify where the money went and alert a local subsidiary to
call in the police, /that/ could be part of the security process. But just giving the customer
money so he'll stop whining isn't security.
PayPal's wider process is at fault here too; they've been telling customers that their EV cert
means better security and that they can trust the PayPal web site, but it turns out that this
wasn't actually true.
Also, "customer service" responses to fraud aren't a free lunch. If your friends routinely
fall for web-based PayPal fraud and have to recover the money through some sort of customer
service process, you can be sure that PayPal is ensuring their fees cover that "cost of
fraud". If the company is well run the executives /should/ realise that making the site secure
would be cheaper than paying for escalating rates of fraud, but I'm not comfortable assuming
that an effective monopoly like PayPal thinks that way.