According to the victims, The hackers leverage Google Pay accounts to purchase products using their linked PayPal accounts. The published screenshots and the testimonies of the victims show that most of the illegal transactions take place in the shops of USA and especially in stores Target.
Most of them victims it seems to be German users.
Hackers have made purchases worth thousands of euros. Some transactions (from a single account) exceed € 1.000.
The error exploited by the hackers has not yet been known. PayPal said it is conducting an investigation. THE Google has not commented.
Yesterday, a German security researcher, Markus Fenske, claimed on Twitter that the current error looks like that for which he and his colleague Andreas Mayer had informed PayPal in February 2019. However, service did not consider it her priority to correct it.
According to Fenske, the problem starts with link your PayPal account to a Google Pay account. When accounts are linked, PayPal creates one virtual card, with its own card number, expiration date and CVC.
When a Google Pay user chooses to make a payment using money from their PayPal account, the transaction is charged through this virtual card.
"If the virtual card were for POS transactions only, there would be no problem, but PayPal allows it to be used for online transactions," the researcher said.
Fenske believes that hackers have discovered the elements of these virtual cards and are using them for unauthorized transactions on Internet.
"The attacker could make a brute-force attack, obtain the card number and the validity date, which lasts about a year," Fenske said. "This limits the search field".
"The CVC doesn't matter," he added. "Everything is accepted."
PayPal is investigating the case
Although Fenske was the first to announce her most likely cause attack, the PayPal security team started research on unauthorized transactions.
PayPal staff looks at everything data, including the attack scenario described by Fenske today and the report he had presented in February 2019.
“Customer account security is a top priority for company"A PayPal spokesman said. “We look at and evaluate them all information and we will take appropriate measures to further protect our customers. "