News about unauthorized PayPal/Google Pay debits

[German] some German (and Russian) Paypal users suffer from unauthorized debits for purchases at US branches of Starbucks and Target. This morning it looked as if dispute cases of affected parties are rejected. Now I have an answer from the German PayPal press department – they fixed the issue and will refund all affected customers.


Some Background

In the last few days, German PayPal customers were probably victims of unauthorized debits for fake orders via Google Pay. The victims suddenly found charges on their PayPal account in high three, sometimes four-digit amounts for alleged purchases at US branches of Starbucks and Target.

Common to all cases is that the people were never in the USA. and common to the cases is also that there was a link with Google Pay to the respective PayPal accounts. The details I had prepared in the blog post Fraud: Unauthorized Google Pay debits at Paypal.

Rejected refunds, a mistake by PayPal

In the case of unauthorised charges, PayPal has a dispute procedure where those affected can complain. In a private Facebook group on the subject this morning, there were users who had their complaint rejected by the PayPal team with a demand for a chargeback. Here is such information, which was provided to me by an affected person.

Abgelehnte Rückzahlungen von PayPal

It says that Paypal inspected the case, but rejected a refund, because the transaction has been authorized. In a 2nd message hours later, there was then the statement that one will report back in 9 days in the case of an unauthorized payment.


PayPal-Info wegen Konfliktlösung

So the PayPal team obviously realized that not everything is flat in this case. The affected person contacted me shortly before noon and told me that PayPal will refund the contribution after all.

PayPal Erstattungsbestätigung

I've posted it here in the blog, because there were some people affected who had a similar experience – my thanks to J.S. for providing me with the information for publication. If someone of you is also affected and has not yet received a refund confirmation, please contact PayPal again and refer to this blog post if necessary.

Feedback from the PayPal press department

After I had read the above dispute cases this morning and the colleagues from Bleeping Computer and had picked up my tip and published also articles about the case, I reached out to the German PayPal press relations department in parallel. In the meantime I have received their statement.

We are aware of the trust people place in us by entrusting us with their money. We take this responsibility very seriously. In the areas of fraud prevention and risk management, PayPal relies on modern technology to protect its customers and enable secure payments.

We have taken immediate action to address this issue. A very small number of PayPal customers using Google Pay were affected. The problem has since been resolved.

No personal or financial information was stolen from PayPal customers. Also, no third parties have had access to PayPal accounts at any time.

In accordance with our usage policy, we will refund any unauthorized payments to affected customers.

This is the relevant information for affected customers. If you are affected by the Google Pay-Target abuse and the dispute case has been dismissed, please contact the team again. Unfortunately, the press team has not communicated what went wrong – which remains unsatisfactory. and German site heise have published articles with suspicions what has happened with the virtual credit card data, some details about a possible vulnerability, which I already mentioned in the yesterday article.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *