The ‘nasty’ sides of the PayPal Fraud

[German]I would like to take up again the story about the illegally charged PayPal accounts of German users. Because more and more details about this fraud are coming into light.


Review: The PayPal/Google Pay scam debits

A few days ago it became known that German PayPal users became victims of unauthorized debits for fake orders via Google Pay. The following screenshot from the Google Pay forum was taken by one of the affected persons and lists some of these ominous payment requests.

Paypal: Unberechtigte TARGET-Abbuchungen
(PayPal: Unauthorised TARGET debits, Google Pay Forum)

I had reported fraud in the blog post: Fraud: Unauthorized Google Pay debits at Paypal. Later I received a statement from PayPal that there was only a small number of people affected and that they would be reimbursed for the debits. This is discussed in the blog post News about unauthorized PayPal/Google Pay debits. So everything is fine? No, because PayPal didn’t address the cause of the abuse – and at the end of the article you’ll find links to posts here in the blog that discuss further PayPal hacks and open security holes from the last 2 weeks.

I got in contact with a person from France via Twitter. She told me about a similar case that had already happened in the summer of 2019. Here the short version of what has told to me:

  • A French PayPal user was already a victim of this fraud in June 2019. More than 1,000 euros were stolen from his PayPal account. The victim never received a confirmation email of the transaction.
  • The user had not been able to set up a two-factor authentication: The two mobile phone numbers already listed were never sent the required security code.
  • On the day he noticed the fraud, the victim was able to contact PayPal technical support. A dispute case was opened in the morning, but closed in the late afternoon. A refund was refused because the transaction was allegedly made by the account holder. Paypal did not respond to attempts to contact them via Twitter and Facebook.
  • The victim then immediately revoked his PayPal direct debit authorizations of his bank accounts. Furthermore, he had the debit note returned via the bank with the booking. This is possible within 30 days. 
  • PayPal then launched a ‘harassment campaign’ by phone and email to reverse the cancellation. Finally, a debt collection company was instructed to collect the outstanding amount and a court case was threatened.
  • The victim even managed to find the recipient of the stolen money. He took screenshots of all this information (Paypal site, payment, etc.). But that was useless.

The French source wrote: PayPal can only be sued in England (not in Luxembourg). According to Brexit, the conditions for the support of victim assistance by European associations have changed. In France, all institutions dealing with cyber fraud and which were contacted by the victim were not able to react and/or find solutions to this kind of problem, which they do not even know about. In summary, according to the source, Paypal is unassailable. Of course I cannot check the statements, for me it read conclusively.


A possible Vulnerability

The question remains as to why the unauthorised debits could have taken place. Already with my first articles I had pointed out the following tweet.

Security researcher Markus Fenske contacted German  magazines Golem und heise after the fraud became known. Fenske suspected that he had already discovered a vulnerability in February 2019 and reported it to PayPal. ZDnet has here some details. German IT magazine heise has published this article with more details – and also German site Golem offered details here. Meanwhile, Fenske has made further progress with heise – even if PayPal writes that they have reacted, the vulnerability found by Fenske in virtual credit cards remains unresolved. In this German article heise writes that the vulnerability is even bigger than feared and easier to exploit than expected.

The point is probably that the IDs used for the virtual credit cards consist of a 7-digit random number, with one digit used for verification. That leaves 6 digits that hackers could calculate and try. PayPal does not perform sufficient verification and security. 

Tricked on the bug bounty

In the blog postDoes PayPal fail with security? Vulnerabilities unfixed I had reported about the complaint of other security researchers who reported Paypal vulnerabilities. These reports were dismissed, and a bug bounty wasn’t paid.  

In the tweet above, iblue takes up this topic and asks why PayPal participates in the bug bounty if you don’t implement something like this. There is something wrong with PayPal. From this point of view, articles like this one about the success of the HackerOne Bug Bounty program already have a bitter taste. 

Similar articles:
Fraud: Unauthorized Google Pay debits at Paypal
News about unauthorized PayPal/Google Pay debits
Does PayPal fail with security? Vulnerabilities unfixed
Mass newsletter spam and the Paypal account hack


This entry was posted in Security and tagged , . Bookmark the permalink.

1 Response to The ‘nasty’ sides of the PayPal Fraud

  1. Kate Ward says:

    I was scammed twice now purchasing on Ebay using my linked Paypal account. Since May 2020, since paying for my last purchase which never came, I have been trying to obtain a refund. Paypal will not now take phone calls and they run you in circles from department to department chasing your tail. The last email from Paypal stated that the seller did not respond to them and they are closing the case and I’m out the money. Due to Covid, they will not take any phone calls and even when you click the icon for “instant chat”, you are taken to a message that states page does not exist. I filed a complaint with the FTC, but still no further response from Paypal. Do Not Link Your Bank Account as you will never get Paypal to adhere to their own protections advertised.

Leave a Reply

Your email address will not be published. Required fields are marked *