PayPal users may have heard that a number of accounts were compromised over the weekend, with the intruders spending funds from the affected wallets on merchandise, mostly from American stores.
The unauthorized transactions were first reported on Friday last week. The attack took advantage of PayPal's integration with Google Pay, which was apparently not robustly secured and may have been overlooked by PayPal.
The transactions were reported across several PayPal forums but appear to have affected users in Germany.
According to details that have since emerged, only accounts linked to Google Pay were affected. The losses are reported to be in the tens of thousands of euros, although PayPal has not given an actual figure.
At the moment it is not clear what actually happened. PayPal says it is investigating the matter, and the issue has since been fixed.
Nevertheless, security researchers have described what could have happened, and argue that related security flaws were reported as early as February 2019 without PayPal dedicating resources to a fix.
One theory is that, because PayPal supports contactless payments through Google Pay, an intruder can read the details of the virtual card that PayPal issues for the integration straight from the phone over NFC, provided the device has contactless payments enabled. No authorization from the user is required for such a read.
It is further argued that the card details could have been obtained by guessing valid card numbers, by reading them from a victim's device (which requires being physically close to it), or by using malware planted on the target's device. In each case the CVC is not needed to make the fraudulent purchases.
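To make concrete what "reading card details" from a contactless wallet means, the following is an added example (not code from the article or from PayPal or Google) that parses the BER-TLV record an EMV contactless card, or a phone wallet emulating one, returns to a READ RECORD command. It assumes the virtual card answers with standard EMV tags (Track 2 Equivalent Data, PAN, expiry, cardholder name); the sample record is constructed here around the well-known Visa test number 4111 1111 1111 1111 and is not data from any real card. The point it demonstrates is the one the text makes: the record yields the PAN and expiry date, but no CVV2, because that code exists only in print and has no EMV tag.

```python
"""
Added example: parse an EMV READ RECORD response (BER-TLV) and list what a
contactless read exposes. The sample record below is constructed, not captured.
"""
from __future__ import annotations

# Tag names from EMV Book 3, Annex A (only the tags used here)
TAG_NAMES = {
    "70": "READ RECORD response template",
    "57": "Track 2 Equivalent Data",
    "5A": "Application PAN",
    "5F20": "Cardholder Name",
    "5F24": "Application Expiration Date (YYMMDD)",
}


def encode_tlv(tag: str, value: bytes) -> bytes:
    """BER-TLV encode one element (short and long length forms up to 65535)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes.fromhex(tag) + length + value


def parse_tlv(data: bytes) -> list[tuple[str, bytes, list]]:
    """Parse a BER-TLV buffer into (tag_hex, value, children) triples.

    Constructed tags (bit 6 of the first tag byte set) are parsed recursively;
    truncated input raises instead of being silently accepted.
    """
    out: list[tuple[str, bytes, list]] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] in (0x00, 0xFF):        # inter-element padding
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:           # multi-byte tag: continues while bit 8 is set
            while i < n and data[i] & 0x80:
                i += 1
            i += 1
        if i >= n:
            raise ValueError("truncated tag or length")
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                  # long form: next (length & 0x7F) bytes hold the length
            nbytes = length & 0x7F
            if nbytes == 0 or nbytes > 2 or i + nbytes > n:
                raise ValueError("unsupported or truncated length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        children = parse_tlv(value) if first & 0x20 else []
        out.append((tag, value, children))
    return out


def flatten(elements: list, acc: dict | None = None) -> dict[str, bytes]:
    """Map tag -> value for every primitive element, descending into templates."""
    acc = {} if acc is None else acc
    for tag, value, children in elements:
        if children:
            flatten(children, acc)
        else:
            acc[tag] = value
    return acc


def decode_track2(value: bytes) -> dict[str, str]:
    """Track 2 Equivalent Data: BCD digits, PAN 'D' YYMM service-code discretionary, 'F' padded."""
    digits = value.hex().upper().rstrip("F")
    pan, sep, rest = digits.partition("D")
    if sep != "D":
        raise ValueError("no field separator in Track 2 data")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the only structural test a guessed card number has to pass."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_details(record: bytes) -> dict:
    """Everything a READ RECORD response hands to whoever can talk to the card."""
    fields = flatten(parse_tlv(record))
    track2 = decode_track2(fields["57"]) if "57" in fields else {}
    pan = fields["5A"].hex().upper().rstrip("F") if "5A" in fields else track2.get("pan", "")
    expiry = fields["5F24"].hex()[:4] if "5F24" in fields else track2.get("expiry_yymm", "")
    return {
        "pan": pan,
        "pan_luhn_ok": luhn_ok(pan) if pan else False,
        "expiry_yymm": expiry,
        "cardholder_name": fields.get("5F20", b"").decode("ascii", "replace").strip(),
        "service_code": track2.get("service_code", ""),
        "tags_present": sorted(fields),
        # The printed CVV2 has no EMV tag and is never in chip or contactless data.
        "cvv2_present": False,
    }


# Constructed sample record: Visa test PAN, expiry 12/25, service code 201 (not a real card)
SAMPLE_RECORD = encode_tlv(
    "70",
    encode_tlv("57", bytes.fromhex("4111111111111111D251220100000000"))
    + encode_tlv("5A", bytes.fromhex("4111111111111111"))
    + encode_tlv("5F24", bytes.fromhex("251231"))
    + encode_tlv("5F20", b"CARDHOLDER/TEST"),
)

if __name__ == "__main__":
    for key, val in card_details(SAMPLE_RECORD).items():
        print(f"{key:16} {val}")
```

The parser is the same one a point-of-sale terminal runs; nothing about the read is privileged, which is why a phone with contactless payments enabled will answer it for anyone within NFC range. The `cvv2_present` field is there to make the article's point explicit: a merchant that accepts PAN and expiry alone is accepting exactly what this read (or a Luhn-valid guess) provides.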
A few days ago, CyberNews published several issues it had found on the payments platform. It noted that bypassing the platform's 2FA was not difficult for a skilled attacker, that phone verification could be completed without the one-time PIN, and that money could be sent while evading the additional checks that should apply when a user pays from a new device, a different location, or a different IP address.
PayPal is reviewing the case.