Google Pay users could be left out of pocket by PayPal fraud bug

Headquarters
(Image credit: PayPal)

Criminals have taken advantage of a bug in PayPal's Google Pay integration to execute unauthorized transactions.

Users on PayPal's forums, Reddit, Twitter and Google Pay's Russian and German support forums have all reported seeing mysterious transactions show up in their PayPal history which originated from their Google Pay accounts.

According to the victims, hackers abused their Google Pay accounts to buy products using linked PayPal accounts. Most of the illegal transactions that have occurred so far have taken place at stores in the US with a number of them happening at Target stores across New York. As of now, most of the victims appear to be German users.

Based on public reports, the damages from these fraudulent transactions are in the tens of thousands of euros range and some of them even go over 1,000 euros.

Possible explanation

The German security researcher Markus Fenske believes that the recent string of illegal transactions appear to be similar to a bug that he and fellow security researcher Andreas Mayer reported to PayPal in February of last year.

According to Fenske, the bug he discovered has to do with the fact that when you link a PayPal account to a Google Pay account, PayPal creates a virtual card with its own card number, expiration date and CVC. When Google Pay users make contactless payments using funds from their PayPal accounts, these transactions are charged using this virtual card.

Fenske believes that hackers have discovered a way to figure out the details of these “virtual cards” and they are now using them to carry out unauthorized transactions at US stores. However, Fenske's theory is just that as he and Mayer are just guessing as to the real cause of these attacks.

PayPal's security team carried out an investigation into the matter and according to the online payments giant, they have addressed the issue which was being exploited but it is still worth checking your PayPal statements for any irregularities.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.