The ‘nasty’ sides of the PayPal Fraud

[German]I would like to take up again the story about the illegally charged PayPal accounts of German users. Because more and more details about this fraud are coming into light.

Review: The PayPal/Google Pay scam debits

A few days ago it became known that German PayPal users became victims of unauthorized debits for fake orders via Google Pay. The following screenshot from the Google Pay forum was taken by one of the affected persons and lists some of these ominous payment requests.

(PayPal: Unauthorised TARGET debits, Google Pay Forum)

I had reported fraud in the blog post: Fraud: Unauthorized Google Pay debits at Paypal. Later I received a statement from PayPal that there was only a small number of people affected and that they would be reimbursed for the debits. This is discussed in the blog post News about unauthorized PayPal/Google Pay debits. So everything is fine? No, because PayPal didn't address the cause of the abuse – and at the end of the article you'll find links to posts here in the blog that discuss further PayPal hacks and open security holes from the last 2 weeks.

I got in contact with a person from France via Twitter. She told me about a similar case that had already happened in the summer of 2019. Here the short version of what has told to me:

• A French PayPal user was already a victim of this fraud in June 2019. More than 1,000 euros were stolen from his PayPal account. The victim never received a confirmation email of the transaction.
• The user had not been able to set up a two-factor authentication: The two mobile phone numbers already listed were never sent the required security code.
• On the day he noticed the fraud, the victim was able to contact PayPal technical support. A dispute case was opened in the morning, but closed in the late afternoon. A refund was refused because the transaction was allegedly made by the account holder. Paypal did not respond to attempts to contact them via Twitter and Facebook.
• The victim then immediately revoked his PayPal direct debit authorizations of his bank accounts. Furthermore, he had the debit note returned via the bank with the booking. This is possible within 30 days. 
• PayPal then launched a 'harassment campaign' by phone and email to reverse the cancellation. Finally, a debt collection company was instructed to collect the outstanding amount and a court case was threatened.
• The victim even managed to find the recipient of the stolen money. He took screenshots of all this information (Paypal site, payment, etc.). But that was useless.

The French source wrote: PayPal can only be sued in England (not in Luxembourg). According to Brexit, the conditions for the support of victim assistance by European associations have changed. In France, all institutions dealing with cyber fraud and which were contacted by the victim were not able to react and/or find solutions to this kind of problem, which they do not even know about. In summary, according to the source, Paypal is unassailable. Of course I cannot check the statements, for me it read conclusively.

A possible Vulnerability

The question remains as to why the unauthorised debits could have taken place. Already with my first articles I had pointed out the following tweet.

I think we can disclose it by now.

Issue: PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobiles device is enabled. No auth.

— iblue (@iblueconnection) February 24, 2020

Security researcher Markus Fenske contacted German  magazines Golem und heise after the fraud became known. Fenske suspected that he had already discovered a vulnerability in February 2019 and reported it to PayPal. ZDnet has here some details. German IT magazine heise has published this article with more details – and also German site Golem offered details here. Meanwhile, Fenske has made further progress with heise – even if PayPal writes that they have reacted, the vulnerability found by Fenske in virtual credit cards remains unresolved. In this German article heise writes that the vulnerability is even bigger than feared and easier to exploit than expected.

Hey @PayPal, the 90s called. They want their security back.

1. Generate random 7 digits
2. Your new credit card: 5356 8001 XXXX XXXY, where X is from 1, Y is check digit.
3. Expiry date, CVC, Card Holder are not verified. 1 in ~100 cards are assigned to random PP accnt.

— iblue (@iblueconnection) February 26, 2020

The point is probably that the IDs used for the virtual credit cards consist of a 7-digit random number, with one digit used for verification. That leaves 6 digits that hackers could calculate and try. PayPal does not perform sufficient verification and security. 

Tricked on the bug bounty

In the blog postDoes PayPal fail with security? Vulnerabilities unfixed I had reported about the complaint of other security researchers who reported Paypal vulnerabilities. These reports were dismissed, and a bug bounty wasn't paid.  

BTW: https://t.co/5zjJxrIsKZ

Same issue.

Why are you running a bug bounty program, if you are not paying bounties and not fixing bugs?

— iblue (@iblueconnection) February 24, 2020

In the tweet above, iblue takes up this topic and asks why PayPal participates in the bug bounty if you don't implement something like this. There is something wrong with PayPal. From this point of view, articles like this one about the success of the HackerOne Bug Bounty program already have a bitter taste. 

Similar articles:
Fraud: Unauthorized Google Pay debits at Paypal
News about unauthorized PayPal/Google Pay debits
Does PayPal fail with security? Vulnerabilities unfixed
Mass newsletter spam and the Paypal account hack