Hackers have discovered a bug in PayPal's Google Pay integration which they are now actively exploiting to execute unauthorized transactions.
Users on PayPal's forums, Reddit, Twitter and Google Pay's Russian and German support forums have all reported seeing mysterious transactions show up in their PayPal history which originated from their Google Pay accounts.
According to the victims, hackers abused their Google Pay accounts to buy products using linked PayPal accounts. Most of the illegal transactions that have occurred so far have taken place at stores in the US with a number of them happening at Target stores across New York. As of now, most of the victims appear to be German users.
- PayPal expands access to its ecommerce platform to SMBs
- Google expands its efforts in India with new Google Pay initiatives
- 30 million payment cards listed on fraud marketplace
Based on public reports, the damages from these fraudulent transactions are in the tens of thousands of euros range and some of them even go over 1,000 euros.
Possible explanation
The German security researcher Markus Fenske believes that the recent string of illegal transactions appear to be similar to a bug that he and fellow security researcher Andreas Mayer reported to PayPal in February of last year.
According to Fenske, the bug he discovered has to do with the fact that when you link a PayPal account to a Google Pay account, PayPal creates a virtual card with its own card number, expiration date and CVC. When Google Pay users make contactless payments using funds from their PayPal accounts, these transactions are charged using this virtual card.
Fenske believes that hackers have discovered a way to figure out the details of these “virtual cards” and they are now using them to carry out unauthorized transactions at US stores. However, Fenske's theory is just that as he and Mayer are just guessing as to the real cause of these attacks.
PayPal's security team carried out an investigation into the matter and according to the online payments giant, they have addressed the issue which was being exploited but it is still worth checking your PayPal statements for any irregularities.
- We've also highlighted the best antivirus software
Via ZDNet
No comments yet.