Multiple reports from German PayPal users about transactions they never authorized indicate that actors have found a way to abuse the platform's Google Pay integration and are buying goods from online stores with other people's money. The damages are currently estimated in the tens of thousands of Euros. PayPal has acknowledged receiving the user reports and announced that it is investigating to determine exactly what is going on.
In almost all cases, the fraudulent transactions are made through Google Pay at the U.S.-based Target online store. Target sells everything from clothes and furniture to electronics and kitchen gear, so the items bought through other people's accounts vary with what each hacker wants. The fraudulent transactions started showing up as alerts in users' email inboxes over the weekend, timed so as to minimize the risk of PayPal intervening immediately.
https://twitter.com/ChrisPerezOne/status/1232072180730560512
While PayPal investigates the reports, some bug bounty hunters claim they had already reported the problem that is now being used against users. In fact, a German researcher says he warned PayPal more than a year ago about a flaw in contactless payments via Google Pay. If the user has this enabled, someone who comes near their mobile phone can move money from the victim's PayPal account onto the crook's virtual card. No validation is required, and no transaction amount limit is in place.
https://twitter.com/iblueconnection/status/1231962980964847618
A week ago, a team of researchers published a complaint about how PayPal disregarded their reports on six critical security vulnerabilities and did not pay them a dime. The researchers managed to bypass PayPal's 2FA, verify a phone number without using an OTP, send money without going through the platform's security checks, change the full name on an account, exploit an XSS flaw in "SmartChat", and conduct a MITM attack on "Security Questions". PayPal either deemed these reports "out of scope" or marked them as "duplicate". This indicates an irresponsible stance from PayPal, which is entirely inexplicable given the size and reputation of the company.
There are two ways to protect yourself against this type of exploitation. First, you can remove PayPal as an active payment method in Google Pay. Second, you can disable NFC on your smartphone, since the attackers need NFC to steal your money when they are near your device. NFC is a convenient feature, but it comes with several security drawbacks that are impossible to handle in many "real-life" situations.