Flaw in PayPal’s Google Pay integration leading to suspected fraud

Hackers can exploit a virtual credit card within phones to make rogue transactions without authorisation

PayPal users have reported signs of suspicious behaviour on their payment history that originate from their linked Google Pay account, with hackers thought to be exploiting an unknown flaw to commit fraud.

The payment service allows users to make contactless payments via Google Pay on a smartphone, through a virtual credit card which deducts money from their PayPal accounts.

Advertisement - Article continues below

According to a German security researcher, this mechanism is being exploited through an unknown flaw by hackers in order to make fraudulent transactions. 

Streams of users are complaining about mysterious payments appearing on their PayPal payment history, according to German publication Golem, with deductions made ranging between as much as €500 and €1,000. There are also a series of one-cent withdrawals, with hackers likely testing the exploitation to see whether the method works.

The researcher suggested that due to the flaw, anybody near a PayPal user’s phone has access to the virtual credit card that deducts money from their account without authorisation. 

Related Resource

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

He added that he disclosed the vulnerability to PayPal a year ago, and has followed with disclosure now due to the fact the company apparently hasn’t yet fixed it, despite paying out a fee through its bug bounty programme.

Advertisement
Advertisement - Article continues below

The company, however, told IT Pro that the issue has now been fixed.

Advertisement - Article continues below

Those affected appear to be based largely in Germany, although the fraudulent activity has allegedly been billed to US shops like Target and Starbucks. One user, for example, was charged €923.93 via the virtual credit card in Google Pay, which showed in their history as Target T-1401 in Brooklyn, New York.

"We never lose sight of the fact that we are entrusted to look after people’s money," a PayPal spokesperson told IT Pro.

"The security of customer accounts is a top priority for the company. We use advanced fraud and risk management tools to keep our customers and their payments safe.

"We quickly addressed and fixed this issue, which affected a very small number of PayPal customers using Google Pay in Germany. No personal or financial information was compromised, and no PayPal accounts were accessed by third parties." 

PayPal’s security was previously thrown under the spotlight in 2018 when a teenage hacker revealed he could easily bypass PayPal’s two-step authentication procedure to access user accounts. 

The Australian teen said he was able to bypass the multifactor authentication (MFA) process by spoofing a browser cookie created when users linked their eBay and PayPal accounts together.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/digital-currency/34578/mastercard-and-visa-abandon-support-of-facebooks-libra-cryptocurrency
digital currency

MasterCard and Visa abandon support of Facebook's Libra

14 Oct 2019

Most Popular

Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/security/data-breaches/355173/marriott-hit-by-data-breach-exposing-personal-data-of-52-million
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020