Google Pay users could be left out of pocket by PayPal fraud bug
Hackers purchased thousands of euros worth of goods using linked PayPal accounts
Criminals have taken advantage of a bug in PayPal's Google Pay integration to execute unauthorized transactions.
Users on PayPal's forums, Reddit, Twitter and Google Pay's Russian and German support forums have all reported seeing mysterious transactions show up in their PayPal history which originated from their Google Pay accounts.
According to the victims, hackers abused their Google Pay accounts to buy products using linked PayPal accounts. Most of the illegal transactions that have occurred so far have taken place at stores in the US with a number of them happening at Target stores across New York. As of now, most of the victims appear to be German users.
- PayPal expands access to its ecommerce platform to SMBs
- Google expands its efforts in India with new Google Pay initiatives
- 30 million payment cards listed on fraud marketplace
Based on public reports, the damages from these fraudulent transactions are in the tens of thousands of euros range and some of them even go over 1,000 euros.
Possible explanation
The German security researcher Markus Fenske believes that the recent string of illegal transactions appear to be similar to a bug that he and fellow security researcher Andreas Mayer reported to PayPal in February of last year.
According to Fenske, the bug he discovered has to do with the fact that when you link a PayPal account to a Google Pay account, PayPal creates a virtual card with its own card number, expiration date and CVC. When Google Pay users make contactless payments using funds from their PayPal accounts, these transactions are charged using this virtual card.
Fenske believes that hackers have discovered a way to figure out the details of these “virtual cards” and they are now using them to carry out unauthorized transactions at US stores. However, Fenske's theory is just that as he and Mayer are just guessing as to the real cause of these attacks.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
PayPal's security team carried out an investigation into the matter and according to the online payments giant, they have addressed the issue which was being exploited but it is still worth checking your PayPal statements for any irregularities.
- We've also highlighted the best antivirus software
Via ZDNet
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.