Paypal is a very popular online payment system and with great acceptance in almost all countries in addition to other payment systems such as Google Pay make a link to be able to pay with the funds found in the Paypal accounts, which in turn, if not counted, takes the funds from the linked debit or credit cards.
This can be somewhat confusing when you can simply pay with your cards and that's it, but many people prefer to make payments this way in order to prevent their plastics from being cloned or simply because what they want to pay counts with that ease (generally online ).
However it seems that this has generated a much bigger problem that many people have started reporting that they have discovered unauthorized payments with your PayPal account on various platforms, such as PayPal forums or Twitter, of which all The reports have in common that they all used the Google Pay integration with PayPal.
Since this Friday, February 21, transactions that sometimes exceed a thousand euros appear in your PayPal history, as if they came from your Google Pay account.
One of the victims on Twitter said she had noticed an unusual purchase of three pairs of AirPods, for the equivalent of $ 500. Therefore, it is impossible to cancel the purchase. The estimated damages are currently in the tens of thousands of euros, according to public reports.
According to Markus Fenske, a cybersecurity researcher with the alias "iblue" on Twitter, The hackers exploited a flaw in the Google Pay integration with PayPal. On Twitter, the expert claims to have warned the company of the existence of a violation in February 2019, but the group has not made it a priority.
When a PayPal account is linked to a Google Pay account, PayPal creates a virtual credit card, with your own card number, expiration date and CVV, says Fenske.
«PayPal allows contactless payments through Google Pay. If you configure it, you can read the card details of a virtual credit card from the mobile. Authentication is not required ”, regrets Markus Fenske.
In these conditions, hackers can collect data from virtual cards. Thanks to this data, a hacker has no difficulty making purchases in the store on his account.
Recipients of transactions are often Target stores, which are referenced in declarations in the form "Target T-". A Google search identifies the location of these different stores fairly quickly.
The investigator said there could be three ways an attacker could get the details of a virtual card.
First, by reading the card details on a user's phone or screen. Second, by malware infecting a user's device. Finally guessing it.
"It could be possible that the attacker simply forced the card number and expiration date, which is in the range of about a year," Fenske said. 'This makes it quite a small research space. And to clarify that "The CVC does not matter", explaining that "Everything is accepted."
Even before the vulnerability was exploited, hackers made an article about the complaints on handling security holes found by PayPal. LThe criticism is that PayPal offers a rewards program error via HackerOne, but this is a pure facade.
The article's authors said they reported several vulnerabilities, but PayPal's responses were anything but helpful. For example, one of the gaps mentioned allows you to bypass 2FA, another allows you to register a new phone without a PIN.
Fenske believes that the Hagaks have found a way to discover the details of these "virtual cards" and they are using the card details for unauthorized transactions in American and German stores (most of the victims are in Germany).
Thanks for the info!
I like these types of articles, informative, about security.