- Many Germans are reporting that someone has bought stuff from Target using their PayPal account.
- PayPal is investigating the reports, while bug bounty hunters claim to have reported the flaw to the firm a long time ago.
- Disabling PayPal as a payment method in Google Pay, or simply turning off NFC, would minimize the risk for potential victims.
Multiple reports from German PayPal users about fraudulent transactions they never authorized indicate that threat actors have found a way to abuse the platform’s Google Pay integration. They are buying goods from online stores with other people’s money, and the estimated damages so far are in the range of tens of thousands of Euros. PayPal has acknowledged receiving the user reports and announced that it is investigating the matter to figure out exactly what is going on.
In almost all cases, the fraudulent transactions are made through Google Pay and involve purchases from the U.S.-based Target online store. Target sells everything from clothes and furniture to electronics and kitchen gear, so the items bought through other people’s accounts vary with what each fraudster wants. The fraudulent transactions started showing up as alerts in users’ email inboxes over the weekend, timed to minimize the risk of PayPal intervening immediately.
Some bitch hacked into my PayPal and bought $500 worth of AirPods (like 3 of em) and Left HER NAME AS THE PICK UP PERSON AT THE EXACT TARGET SHE ORDERED THEM FROM 😂😂😂😭 target emailed me and was “like thank you for your order!!!” I GOT YOU “DARLA BIRD” ASS BITCH
— X Æ A-12 (@ChrisPerezOne) February 24, 2020
While PayPal is investigating the reports, some bug bounty hunters claim that they had already reported the problem that led to these users being victimized. In fact, a German researcher says he warned PayPal over a year ago about a flaw in the contactless payments that PayPal allows via Google Pay. If the user has enabled this feature, someone who comes near their mobile phone can pull money out of the victim’s PayPal account and onto the crook’s virtual card. No validation is required for this, and there is no limit on the amount either.
I think we can disclose it by now.
Issue: PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobile device is enabled. No auth.
— iblue (@iblueconnection) February 24, 2020
A week ago, a team of researchers published their complaint about how PayPal disregarded their reports on six critical security vulnerabilities, and about the fact that the online payments giant didn’t pay them a dime. The researchers managed to bypass PayPal’s 2FA, verify their phone number without using an OTP, send money without going through the platform’s security checks, change the full name of an account, exploit an XSS flaw in “SmartChat”, and conduct a MITM attack on “Security Questions”. PayPal either deemed these “out of scope” or marked them as “duplicate”. This indicates an irresponsible stance from PayPal, which is entirely inexplicable considering the size and the reputation of the company.
There are two ways to protect yourself against this type of exploitation. First, you can remove PayPal as an active payment method in Google Pay. Second, you can deactivate NFC on your smartphone, since the attackers need it to steal your money while they are near your device. NFC is a convenient feature, but it comes with several security drawbacks that are impossible to handle in many “real-life” situations.
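The two weaknesses the researcher describes above, no validation and no amount limit on contactless Google Pay charges, are both authorization-policy gaps on the payment side. The following is an added example, not code from the article, from PayPal or from Google, that models a token-payment authorizer with a permissive policy mirroring the described behaviour next to a hardened one. The policy shape, the limit values (50 EUR per tap, 150 EUR per day), the `device_verified` flag standing in for an on-device user-presence check, and the constructed tap sequences (three unverified purchases, loosely modelled on the AirPods tweet above) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import inf

@dataclass
class Policy:
    max_per_txn_eur: float      # hard cap on a single contactless charge
    max_per_day_eur: float      # rolling 24h cap across all taps
    require_device_auth: bool   # demand proof of user presence (unlock/biometric) per tap

@dataclass
class Txn:
    amount_eur: float
    merchant: str
    device_verified: bool       # assumed: did the phone attest the user was present for this tap?
    at: datetime

@dataclass
class Wallet:
    history: list = field(default_factory=list)  # approved taps only

def authorize(txn: Txn, policy: Policy, wallet: Wallet):
    """Evaluate one contactless tap against the policy. Returns (approved, reason)."""
    # 1. Presence check: a tap from an unattended phone must not clear.
    if policy.require_device_auth and not txn.device_verified:
        return False, "device verification required"
    # 2. Per-transaction ceiling.
    if txn.amount_eur > policy.max_per_txn_eur:
        return False, "per-transaction limit exceeded"
    # 3. Velocity check over the last 24 hours of approved spend.
    window_start = txn.at - timedelta(days=1)
    spent = sum(t.amount_eur for t in wallet.history if t.at >= window_start)
    if spent + txn.amount_eur > policy.max_per_day_eur:
        return False, "daily limit exceeded"
    wallet.history.append(txn)
    return True, "approved"

# Permissive policy: no presence check, no limits (what the researcher describes).
NO_CHECKS = Policy(max_per_txn_eur=inf, max_per_day_eur=inf, require_device_auth=False)
# Hardened policy with assumed, illustrative limits.
HARDENED = Policy(max_per_txn_eur=50.0, max_per_day_eur=150.0, require_device_auth=True)

# Constructed timeline: a Saturday afternoon, when manual review is thin.
T0 = datetime(2020, 2, 22, 14, 0)
MERCHANT = "Target (online)"

# Constructed tap sequences (amount, device_verified, time).
FRAUD_TAPS = [(160.0, False, T0 + timedelta(minutes=5 * i)) for i in range(3)]
LEGIT_TAPS = [(40.0, True, T0 + timedelta(hours=2 * i)) for i in range(4)]

def run(policy: Policy, taps) -> list:
    """Replay a tap sequence through a fresh wallet; return the decision reason per tap."""
    wallet = Wallet()
    reasons = []
    for amount, verified, at in taps:
        _, reason = authorize(Txn(amount, MERCHANT, verified, at), policy, wallet)
        reasons.append(reason)
    return reasons

if __name__ == "__main__":
    print("no checks, fraud taps:", run(NO_CHECKS, FRAUD_TAPS))
    print("hardened, fraud taps: ", run(HARDENED, FRAUD_TAPS))
    print("hardened, legit taps: ", run(HARDENED, LEGIT_TAPS))
```

Under the permissive policy all three unverified taps clear, which is the behaviour the article reports. Under the hardened policy the presence check alone stops them before any limit is consulted, and the rolling daily cap catches the fourth legitimate 40 EUR tap, which shows why a velocity check belongs beside the per-transaction one. Note that this only removes the payment-side gap; the user-side steps above (removing PayPal from Google Pay or switching NFC off) are still the only mitigations available to a user today.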