{"id":13328,"date":"2020-02-24T20:03:41","date_gmt":"2020-02-24T19:03:41","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13328"},"modified":"2024-10-05T20:53:26","modified_gmt":"2024-10-05T18:53:26","slug":"fraud-unauthorized-google-pay-debits-at-paypal","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/02\/24\/fraud-unauthorized-google-pay-debits-at-paypal\/","title":{"rendered":"Fraud: Unauthorized Google Pay debits at PayPal"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/24\/betrug-unberechtigte-abbuchungen-bei-paypal\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] Currently, (German) PayPal customers increasingly seem to be victims of unauthorized debits for fake orders via Google Pay. The payment recipients are Target and Starbucks shops in the USA. Here is what I found out.<\/p>\n<p><!--more--><\/p>\n<h2>1000 Euro debit via Google Pay<\/h2>\n<p>I first became aware of the problem this morning on the German site Golem through <a href=\"https:\/\/www.golem.de\/news\/paypal-nutzer-melden-missbrauch-ueber-google-pay-2002-146811.html\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>.
In the (German) PayPal forum, for example, there is <a href=\"https:\/\/www.paypal-community.com\/t5\/Kontosicherheit\/Hohe-abbuchung-nach-Googlepay-zahlung\/td-p\/2041978?profile.language=de\" target=\"_blank\" rel=\"noopener noreferrer\">this German-language thread<\/a> \u2013 here's my translation.<\/p>\n<blockquote><p>High debit after Google Pay payment<\/p>\n<p>Hello,<br \/>\nI paid a parking ticket for 6\u20ac with GooglePay and this was also charged to my credit card. Only a short time later I got a debit of 6,47\u20ac from IWCWJQAUNHKLALD FUQNI and half an hour later 646,75\u20ac from TARGET T-0762. I did not initiate any of the payments, [\u2026]<\/p><\/blockquote>\n<p>In the thread there are more than 40 responses in which affected parties report similar experiences. Debits have been initiated via Google Pay, with information about the payee pointing to TARGET and Starbucks branches in the USA. Here is a post from one affected user:<\/p>\n<blockquote><p>Subject: High charge after Google Pay payment<\/p>\n<p>Hello, I have exactly the same problem with Target T &#8211; 2475 (When I enter it in Google a Starbucks appears in NY?!?!??), which wants to debit 461.96\u20ac. Also initiated via GooglePay.<\/p>\n<p>I also cannot open a case with PayPal itself and have reported the problem to GooglePay. There I was told the check can take up to 10 days.<\/p><\/blockquote>\n<p>The amounts debited range from 500 to 1,000 euros or even more. Theoretically, test debits of 1 euro cent could also occur if fraudsters test the debit procedure via Google Pay.
There are also threads like this one in the German Google Pay forum.<\/p>\n<blockquote><p>External access to my account, unauthorised payments<\/p>\n<p>Hello, everybody,<\/p>\n<p>I have a question: 5 payments were made today on my Google Pay account which are not from me. The payments were most likely made in the USA in various stores.<\/p>\n<p>Has anyone ever had such an experience and did you get your money back?<\/p>\n<p>Thanks in advance for your answers<\/p><\/blockquote>\n<p>The following screenshot from the Google Pay forum was taken by one of the affected people and lists some of these ominous payment requests.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"PayPal: Unauthorised TARGET debits\" src=\"https:\/\/i.imgur.com\/Megb5P9.jpg\" alt=\"PayPal: Unauthorised TARGET debits\" width=\"436\" height=\"374\" \/><br \/>\n(PayPal: Unauthorised TARGET debits, Google Pay Forum)<\/p>\n<p>Google has collected information on <a href=\"https:\/\/support.google.com\/pay\/answer\/7644016?hl=en&amp;ref_topic=7644061\" target=\"_blank\" rel=\"noopener noreferrer\">this page<\/a> on how to dispute unauthorised payments. And there's <a href=\"https:\/\/support.google.com\/pay\/gethelp\" target=\"_blank\" rel=\"noopener noreferrer\">this Google contact form<\/a> for Google Pay help.<\/p>\n<h2>Mysterious: Google didn't see the debits<\/h2>\n<p>The German site Golem states that Google redirects affected persons to PayPal as the payment service provider, where they should clarify or cancel the debits. According to the above quotes from the PayPal forum, however, those affected cannot open a case with PayPal for the purpose of payment clarification. Golem writes that Google itself, according to information from several users, cannot do anything about this debit fraud.
One user was told that the debits could not be seen in the Google Pay account.<\/p>\n<h2>Cancel with PayPal, remove Google Pay<\/h2>\n<p>Golem says that users should report payments to PayPal and can cancel them there. The problem here is that the cancellation is only possible once the debit has actually been made (which would explain why the people concerned state above that no case can be opened with PayPal). But when I look at this forum post in the German Google Pay forum, it's quite a hassle. The current recommendation is to delete the Google Pay payment option from your PayPal account &#8211; if that is possible at all.<\/p>\n<blockquote><p><strong>Addendum:<\/strong> On Facebook there is a private German <a href=\"https:\/\/www.facebook.com\/groups\/249466222718434?_rdr\" target=\"_blank\" rel=\"noopener noreferrer\">group<\/a> in which affected people are discussing the issue. Currently I have no permission to post private information here.
But the number of affected people is increasing and it is becoming clear to me that PayPal, Google Pay and the payees are not yet aware of the number of cases and the explosiveness of the issue.<\/p><\/blockquote>\n<h2>Refunds partially rejected by PayPal<\/h2>\n<p><strong>Addendum: <\/strong>Meanwhile there is a documented case in the German PayPal forum with the title <a href=\"https:\/\/www.paypal-community.com\/t5\/Kontosicherheit\/Target-t-1401-Betrug-Abbuchung-von-923-93\/m-p\/2043854?fbclid=IwAR2EQ9AuICuvZcxAlvovyAmaMleCANtmoKWjQPOtBX9W1MM45bzcHSurI2M#M9102\">'Refund refused'<\/a>. Here is the text.<\/p>\n<blockquote><p>Hi,<\/p>\n<p>did you receive a refund of the actually transferred money into your account?<\/p>\n<p>I also contacted the PayPal customer service yesterday when the payment was not yet done, where I was assured that it would not be debited because they were missing information.<\/p>\n<p>When it was debited I contacted them again, whereupon they told me that the only thing I can do is to report the whole conflict resolution as unauthorized access and wait. This morning I then got the mail saying that, after checking, it was found that it was not an unauthorized access. I'm speechless right now.<\/p><\/blockquote>\n<p>I have similar information from private messages, so this is not a single isolated case. The topic is not over yet &#8211; although it probably only affects German (and Russian) users at the moment.<\/p>\n<h2>Has the vulnerability been known for a year?<\/h2>\n<p>During my research for this article I came across the following tweet, which claims that the user informed the parties about this vulnerability a year ago.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Reported a critical issue to PayPal ONE YEAR AGO.<\/p>\n<p>\"Not an issue. Please self-close\". Lots of discussion. Finally got a bounty. Asked several times if its fixed. No response. Gave up.<\/p>\n<p>Found that it's actively exploited by now.
Sorry PP, you suck.<a href=\"https:\/\/t.co\/48IVszRqlb\">https:\/\/t.co\/48IVszRqlb<\/a><\/p>\n<p>\u2014 iblue (@iblueconnection) <a href=\"https:\/\/twitter.com\/iblueconnection\/status\/1231962017734516741?ref_src=twsrc%5Etfw\">February 24, 2020<\/a><\/p><\/blockquote>\n<p>The discoverer then revealed the problem in a follow-up tweet. PayPal enables contactless payments via Google Pay. Once set up, the card data of a virtual credit card can be read from the mobile phone, provided the mobile device is activated. This does not require authorization. Perhaps that's where the current problem comes from &#8211; but that's speculation.<\/p>\n<blockquote><p><strong>Addendum:<\/strong> The German article <a href=\"https:\/\/stadt-bremerhaven.de\/google-pay-virtuelle-paypal-kreditkarten-weisen-sicherheitsluecken-auf\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> contains a few more details about that attack vector. Although this attack scenario (somebody walks through crowds and tries to siphon virtual credit cards from Google Pay from active smartphones using NFC) is possible, I personally don't think it's the root cause. Reason: In this case we would probably have a cluster among those affected &#8211; nobody travels across Germany to swipe some virtual credit cards from smartphones via Google Pay. My guess is that some point of sale (POS) terminals were infected by skimming scripts and the virtual credit card data was taken from the victims.
With this scenario an attacker can catch people all over Germany who paid at an infected POS terminal with Google Pay on their mobile phones via NFC.<\/p>\n<p><a href=\"https:\/\/www.zdnet.com\/article\/paypal-accounts-are-getting-abused-en-masse-for-unauthorized-payments\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZDNet<\/a> has also covered the issue and has additional details about a potential attack vector.<\/p><\/blockquote>\n<h2>Final thoughts<\/h2>\n<p>Last week I published the blog post <a href=\"https:\/\/borncity.com\/win\/2020\/02\/18\/does-paypal-fail-with-security-vulnerabilities-unfixed\/\" target=\"_blank\" rel=\"noopener noreferrer\">Does PayPal fail with security? Vulnerabilities unfixed<\/a>, where security researchers pointed out possible vulnerabilities in PayPal. I decided to publish this post because I received hints from two PayPal users about hacked PayPal accounts or unauthorized debits. There's probably no connection &#8211; but all this is very scary.<\/p>\n<blockquote><p>All references in this post point to German PayPal and Google Pay forum posts. In a quick search I haven't found English forum entries with similar topics \u2013 but maybe I searched for the wrong terms.<\/p>\n<p>Addendum: From a private Facebook group I know that some PayPal dispute cases are closed without a refund.
Based on my article (and <a href=\"https:\/\/twitter.com\/etguenni\/status\/1232019256402939904\" target=\"_blank\" rel=\"noopener noreferrer\">this tweet<\/a>), <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/paypal-users-hit-with-fraudulent-target-charges-via-google-pay\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bleeping Computer<\/a> and <a href=\"https:\/\/www.zdnet.com\/article\/paypal-accounts-are-getting-abused-en-masse-for-unauthorized-payments\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZDNet<\/a> have covered this story with new findings.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>[German] Currently, (German) PayPal customers increasingly seem to be victims of unauthorized debits for fake orders via Google Pay. The payment recipients are Target and Starbucks shops in the USA. Here is what I found out.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[2288,2289,69],"class_list":["post-13328","post","type-post","status-publish","format-standard","hentry","category-security","tag-fraud","tag-paypay","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13328"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13328\/revisions"}],"predecessor-version":[{"id":35769,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13328\/revisions\/35769"}],"wp:attachment":[{"href":"https:\/\
/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}