Just days ago, I reported on a different set of “critical PayPal vulnerabilities” disclosed by CyberNews. Those issues, CyberNews said, put PayPal users at risk of account takeovers, albeit there were no claims the vulnerabilities had been exploited in the wild or that accounts had been taken over.

If the recent thefts are linked to the Fenske and Mayer disclosure, then that would elevate the issue to a different level. A number of PayPal users in Germany have reported attacks that do seem to fit the pattern, with fraudulent transactions on their PayPal statements linked to Google Pay. As one user complained, “I just received a notification on PayPal that three transactions to Target are waiting for authorization. I live in Germany and I have never been to Target nor to the U.S.”

As to the detail behind the thefts, German media is reporting that multiple users “were charged for contributions via Google Pay, some of which were up to €1,000. Payments were made through a linked PayPal account from Target stores and Starbucks stores in the United States.”

Fenske and Mayer say they found that where PayPal is linked to Google Pay for contactless payments, an attacker “can read the card details of a virtual credit card from the mobile, if the mobile device is enabled.” Such a vulnerability, the reports say, could be exploited online. “We are almost 100% sure,” Fenske told me, “that the recent fraudulent transactions are generated by this method.” But there is no confirmation from PayPal that this is the case.

The researchers speculate but cannot know for sure that this flaw stems from the PayPal virtual credit card that enables such payments. The researchers suggest that the attackers have brute-forced credit card numbers to make the attack work. This isn’t as difficult as it sounds in Germany, where “the first eight digits of the virtual card are always the same, leaving 7 digits to guess.” The virtual card itself launched in October 2018, “allowing for 17 possible expiration dates, making 170 million possible cards.” Those maths, as calculated by the researchers, result in “one in 170 guesses leading to a valid credit card.” Those cards “can be read from the mobile device using any NFC reader app.”

Just as with the CyberNews story, Fenske and Mayer complain that the issue was not dealt with as they expected. “We reported this in February 2019 to PayPal via HackerOne,” they say. “After an initial rejection and several discussions, PayPal paid a bug bounty of $4,400.” The pair have not heard from PayPal, they say, since April 2019.

As regards the thefts, PayPal has said the risk has been addressed. But in terms of the Fenske and Mayer disclosure, the researchers told me that this is not fixed, even after PayPal’s “mitigation” statement. This might be because that mitigation relates to account management, or it. But this week they “tried and could still use the virtual credit card for online payments.” That means, they told me, “the bug has not been fixed.” Fenske sent me a screenshot showing an Amazon account “topped up with a card we read ten minutes ago via NFC from the phone.”

For those who have been impacted, German media reports that “Google refers to Paypal when it comes to canceling withdrawals. Fraudulent payments can be canceled through PayPal. A user has received information from Google that he does not see the debits in his system at all. According to several users, Google itself cannot do anything about the processes.”