Currently, (German) PayPal customers seem to be increasingly falling victim to unauthorized debits for fake orders via Google Pay. The payees are Target and Starbucks shops in the USA. Here is some information on what I found out.
1000 Euro debit via Google Pay
High debit after Google Pay payment
I paid a parking ticket for 6€ with GooglePay and this was also charged to my credit card. Only a short time later I got a debit of 6,47€ from IWCWJQAUNHKLALD FUQNI and half an hour later 646,75€ from TARGET T-0762. I did not initiate any of the payments, […]
In the thread there are more than 40 responses in which affected users report similar experiences. Debits have been initiated via Google Pay, with the payee information pointing to TARGET and Starbucks branches in the USA. Here is one of those affected:
Subject: High charge after Google Pay payment
Hello, I have exactly the same problem with Target T – 2475 (when I enter it in Google, a Starbucks appears in NY?!?!??), which wants to debit 461.96€. Also initiated via GooglePay.
I also cannot open a case with PayPal itself and have reported the problem to GooglePay. There, I was told the check can take up to 10 days.
The amounts debited range from 500 to 1,000 euros or even more. Theoretically, test debits of 1 euro cent could also occur if fraudsters test the debit procedure via Google Pay. There are also threads like this one in the German Google Pay forum.
External access to my account, unauthorised payments
I have a question and that is 5 payments were made today on my Google Pay account which are not from me. The payments were most likely made in the USA in various stores.
Has anyone ever had such an experience and did you get your money back?
Thanks in advance for your answers
The following screenshot from the Google Pay forum was taken by one of the affected people and lists some of these ominous payment requests.
(Paypal: Unauthorised TARGET debits, Google Pay Forum)
Mysterious: Google didn’t see the debits
German site Golem states that Google refers affected persons to PayPal as the payment service provider, where they should clarify or cancel the debits. According to the above quotes from the PayPal forum, however, those affected cannot open a case with PayPal to clarify the payment. Golem writes that Google itself, according to information from several users, cannot do anything about this debit fraud. One user was told that the debits could not be seen in the Google Pay account.
Cancel with Paypal, remove Google Pay
Golem says that users should report payments to PayPal and can cancel them there. The problem here is that cancellation is only possible once the debit has actually been made (which would explain why the people concerned state above that no case can be opened with PayPal). But when I look at this forum post in the German Google Pay forum, it’s quite a hassle. The current recommendation is to delete the Google Pay payment option from your PayPal account – if that is possible at all.
Addendum: On Facebook there is a private German group in which affected people are discussing the issue. Currently I have no permission to post private information here. But the number of affected people is increasing, and it is becoming clear to me that PayPal, Google Pay and the payees are not yet aware of the number of cases and how explosive the issue is.
Refunds partially rejected by PayPal
Addendum: Meanwhile there is a documented case in the German PayPal forum with the title ‘Refund refused’. Here is the text.
Did you receive a refund of the actually transferred money into your account?
I also contacted the Paypal customer service yesterday when the payment was not yet done, where I was assured that it would not be debited because they were missing information.
When it was debited I contacted them again, whereupon they told me that the only thing I can do is to report the whole thing in conflict resolution as unauthorized access and wait. Then this morning came the mail saying that, after checking, it was found that it was not unauthorized access. I’m speechless right now.
I have similar information from private messages, so this is not a single isolated case. The topic is not over yet – although it probably only affects German (and Russian) users at the moment.
Has the vulnerability been known for a year?
During my research for this article I came across the following tweet, which claims that the user informed the parties about this vulnerability a year ago.
Reported a critical issue to PayPal ONE YEAR AGO.
“Not an issue. Please self-close”. Lots of discussion. Finally got a bounty. Asked several times if its fixed. No response. Gave up.
Found that it’s actively exploited by now. Sorry PP, you suck. https://t.co/48IVszRqlb
— iblue (@iblueconnection) February 24, 2020
The discoverer then revealed the problem in a follow-up tweet. PayPal enables contactless payments via Google Pay. Once set up, the card data of a virtual credit card can be read from the mobile phone, provided the mobile device is activated. This does not require authorization. Perhaps that’s where the current problem comes from – but that’s speculation.
Addendum: The German site here contains a few more details about that attack vector. Although this attack scenario (somebody walks through crowds and tries to siphon virtual credit cards from Google Pay from active smartphones using NFC) is possible, I personally don’t think it’s the root cause. Reason: in this case we would probably see a cluster among those affected – nobody travels across Germany to swipe some virtual credit cards from smartphones via Google Pay. My guess is that some point of sale (POS) terminals were infected by skimming scripts and the virtual credit card data was taken from the victims. With this scenario an attacker can catch people all over Germany who paid at an infected POS terminal with Google Pay on their mobile phones via NFC.
ZDNet has also covered the issue and has additional details about a potential attack vector.
Last week I published the blog post “Does PayPal fail with security? Vulnerabilities unfixed”, in which security researchers pointed out possible vulnerabilities in PayPal. I decided to publish this post because I received hints from two PayPal users about hacked PayPal accounts or unauthorized debits. There’s probably no connection – but all this is very scary.
All references in this post point to German PayPal and Google Pay forum posts. In a quick search I haven’t found English forum entries with similar topics – but maybe I searched for the wrong terms.
Addendum: From a private Facebook group I know that some PayPal dispute cases are closed without refunding. Based on my article (and this tweet), Bleeping Computer and ZDNet have covered this story with new findings.