A security flaw in PayPal's Google Pay integration allowed hackers to make unauthorized transactions
Users in many forums and on social media reported about issues with PayPal accounts and questionable transactions to or from their accounts. Reports were all claiming about mysterious payments that popped up in users' history as originating from their Google Pay account.
The particular transactions got charged through stores mainly located in New York or North Carolina, even when the account belongs to a European person. Most of the victims appear to be from Germany.
Fraudulent transactions ranging from €1,73 to more than €1800 started raising questions on February 22nd. People stated that the first transactions started with one or two cents, only then got up to a few euro and more. It was probably a test, so soon, after a successful transaction, charges got bigger and bigger.
Google Pay and PayPal integration investigated
Hackers supposedly exploited the integration of the Google Pay account and PayPal platform because users link their accounts and create a virtual card with its own card number and expiration date, CVC number. When the user chooses to make the contactless payment using funds from the account transaction is charged via virtual PayPal card. Unfortunately, PayPal allows this usage of virtual cards for online transactions and there is no need for authorization.
It is possible that there are three ways how attackers can obtain details of the virtual cards needed to make these transactions:
- reading the card details from users' phone or computer screen;
- using malware to infect the device and relying on programming;
- guessing random numbers and combinations.
It is also possible that attackers used brute-force attacks to obtain card numbers and dates. In such cases, CVC numbers are not needed because any random number is accepted. It is not that believable since virtual cards in Germany got hit with charges of targets in the United States of America.
PayPal is still investigating these activities and cannot report any details regarding the issue and possible bug exploiting incidents:
We are reviewing and assessing this information and will take any appropriate actions that are deemed necessary to further protect our customers.
Possibly already known vulnerability
Fraudulent transactions got reported by many outlets all over the world, especially Germany, where many victims were from, according to researchers. One, in particular, iblue, states that PayPal accounts can be linked with Google Pay to make contactless payments via virtual credit card. This is the vulnerability that he reported last year which allowed nearby mobile users to read the virtual card:
Issue: PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobiles device is enabled. No auth.
So basically anyone near your mobile phone has a virtual credit card which deducts money from your PayPal account. Its not limited in validity or amount.
It is possible that hackers exploited a particular bug, but that is not determined yet. At first, the issue was not addressed by PayPal, and victims haven't got their money refunded, but now the company states about possible refunds for all the victims, and if you are one of the affected – contact the company.