Hackers recently discovered a vulnerability in PayPal's Google Pay integration and are now using it to conduct unauthorized transactions through PayPal accounts, according to ZDNet.
Since last Friday, users have reported that mysterious transactions originating from their Google Pay accounts have suddenly appeared in their PayPal history.
Victims reported that the hackers abused their Google Pay accounts to purchase products with the linked PayPal accounts.
According to screenshots and various testimonies, most of the unauthorized transactions occurred at U.S. stores, especially Target stores across New York, while the majority of the victims appear to be German users.
According to public reports, the losses are estimated at tens of thousands of euros, with some individual unauthorized transactions well above 1,000 euros. It is unclear who is behind the attacks.
PayPal told ZDNet that it is investigating the issue. A Google spokesperson did not return a request for comment before the article was published.
German security researcher Markus Fenske said on Twitter on Monday that the unauthorized transactions reported over the weekend appeared to match a vulnerability he and fellow security researcher Andreas Mayer had reported to PayPal in February 2019, and which PayPal had not prioritized fixing.
Fenske claims that the vulnerability he discovered stems from the way PayPal links the two accounts: when a user links a PayPal account to Google Pay, PayPal creates a virtual card with its own card number, expiry date and CVC. When Google Pay users choose to pay contactlessly with funds from their PayPal account, the transaction is charged through that virtual card.
Hey @PayPal, the 90s called. They want their security back.
1. Generate random 7 digits
2. Your new credit card: 5356 8001 XXXX XXXY, where X is from 1, Y is check digit.
3. Expiry date, CVC, Card Holder are not verified. 1 in ~100 cards are assigned to random PP accnt.
— iblue (@iblueconnection) February 26, 2020
"If you only locked the virtual card to POS transactions, there would be no problem, but PayPal allows the virtual card to be used for online transactions," Fenske said in an interview.
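As an added illustration (not code from the article, PayPal or Google), a simplified issuer-side authorization check in Python: the weak policy matches only the card number, which is how the article says the virtual cards behaved, while the hardened version applies the controls Fenske describes as missing (a lock to card-present POS use plus expiry and CVC verification, with a Luhn check on the number). The card number, expiry and CVC values are constructed samples, not real card data.

```python
from dataclasses import dataclass

SAMPLE_PAN = "4000000000000002"  # constructed Luhn-valid sample, not a real card


def luhn_valid(pan: str) -> bool:
    """True when the digit string passes the Luhn check-digit test."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class VirtualCard:
    pan: str
    expiry: tuple                    # (year, month) as printed on the card
    cvc: str
    pos_only: bool                   # issuer restricts the card to in-person terminals


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    expiry: tuple                    # (year, month) presented by the merchant
    cvc: str
    channel: str                     # "pos" (card present) or "online" (card not present)


def authorize_weak(card: VirtualCard, req: AuthRequest) -> str:
    """Behaviour the article describes: only the card number is matched."""
    return "approve" if req.pan == card.pan else "decline: pan"


def authorize_hardened(card: VirtualCard, req: AuthRequest, now: tuple) -> str:
    """Controls a practitioner expects: Luhn, channel lock, expiry match, CVC match."""
    if not luhn_valid(req.pan) or req.pan != card.pan:
        return "decline: pan"
    if card.pos_only and req.channel != "pos":
        return "decline: channel"    # closes the online-use gap Fenske points at
    if req.expiry != card.expiry or card.expiry < now:
        return "decline: expiry"
    if req.cvc != card.cvc:
        return "decline: cvc"
    return "approve"
```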
Fenske now believes that the hackers have found a way to obtain the details of these virtual cards and are using them to conduct unauthorized transactions in U.S. stores.
The researchers say there are three ways an attacker could obtain the details of a virtual card.
First, by reading the card details from the user's phone screen.
Second, programmatically, using malware that infects the user's device.
Third, by guessing. Fenske said: "An attacker may simply brute-force the card number together with the expiry date, which falls within a range of about one year. This makes the search space very small." He added: "The CVC does not matter; anything is accepted."