Critical PayPal Security Hack: Multiple Thefts Now Reported—Check Your Settings


“We have found a serious issue in PayPal's contactless payment,” security researcher Markus Fenske explained to me. The vulnerability, he and colleague Andreas Mayer say, enables an attacker “near your mobile phone [to have] a virtual credit card which deducts money from your PayPal account.”

According to multiple reports, the issue is behind thefts over recent days from numerous German PayPal users—fraudulent transactions with U.S. stores. Both the disclosure and the thefts appear linked to the way Google Pay is set up on a PayPal user’s account.

There is no official confirmation that the two are related.

The security researchers say the attack vector they disclosed “is not limited in validity or amount.” And the thefts in Germany are reported to run to as much as €1,000 per transaction. All users should check their statements for unfamiliar transactions and consider unlinking Google Pay until there is more clarity around the issue and any resolution.

In the meantime and in relation to the thefts, PayPal told me that “the security of customer accounts is a top priority for the company. Our teams have actively addressed the situation and mitigated the issue.”

Google welcomed PayPal’s action, with a spokesperson telling me “we understand the frustration of our users when any type of fraudulent activity occurs on their accounts. We’re glad PayPal took swift action to address the issue. Security has always been the center of our approach with Google Pay. Payment fraud is a complex challenge, and the team remains committed to supporting our partners in making sure users are protected.”

Just days ago, I reported on a different set of “critical PayPal vulnerabilities” disclosed by CyberNews. Those issues, CyberNews said, put PayPal users at risk of account takeovers, albeit there were no claims the vulnerabilities had been exploited in the wild or that accounts had been taken over.

If the recent thefts are linked to the Fenske and Mayer disclosure, then that would elevate the issue to a different level. A number of PayPal users in Germany have reported attacks that do seem to fit the pattern, with fraudulent transactions on their PayPal statements linked to Google Pay.

As one user complained, “I just received a notification on PayPal that three transactions to Target are waiting for authorization. All three were made through Google Pay. I live in Germany and I have never been to Target nor to the U.S.”

“We are almost 100% sure,” Fenske told me, “that the recent fraudulent transactions are generated by this method.” But there is no confirmation from PayPal that this is the case.

As to the detail behind the thefts, German media is reporting that multiple users “were charged for contributions via Google Pay, some of which were up to €1,000. Payments were made through a linked PayPal account from Target stores and Starbucks stores in the United States.”

Fenske and Mayer say they found that where PayPal is linked to Google Pay for contactless payments, an attacker “can read the card details of a virtual credit card from the mobile, if the mobile device is enabled.” Such a vulnerability, the reports say, could be exploited online.

The researchers suspect, but cannot confirm, that the thefts stem from abuse of the PayPal virtual credit card that enables such payments. Those cards “can be read from the mobile device using any NFC reader app.” The researchers suggest that the attackers have brute-forced credit card numbers to make the attack work.

This isn’t as difficult as it sounds in Germany, where “the first eight digits of the virtual card are always the same—leaving 7 digits to guess.” The virtual card itself launched in October 2018, “allowing for 17 possible expiration dates—making 170 million possible cards.” That arithmetic, as calculated by the researchers, results in “one in 170 guesses leading to a valid credit card.”
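To make the researchers’ numbers concrete, here is an added example (not code from the article, from PayPal, or from Fenske and Mayer) that sizes the guessing space of a 16-digit card number whose first eight digits are fixed. It assumes, as is standard for payment card numbers, that the final digit is a Luhn check digit, which is why eight fixed digits leave seven to guess rather than eight; the prefix used is a constructed placeholder, because the article does not give the real one, and the count of live cards passed to the expected-guess helper is an inference from the “one in 170” figure, not a number the article states.

```python
# Added example: sizing a card-number guessing space.
# PREFIX is a constructed placeholder, NOT a real issuer prefix.
from datetime import date

PREFIX = "00000000"  # constructed placeholder; the article does not give the real 8 digits


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial + digit` pass the Luhn test.

    The check digit will occupy the rightmost position, so the rightmost
    digit of `partial` is the first one to be doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn validation of a full card number (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_pan(prefix: str, free_part: int, pan_length: int = 16) -> str:
    """Build a Luhn-valid PAN from a fixed prefix and one value of the free digits."""
    free_width = pan_length - len(prefix) - 1  # one slot is the check digit
    body = prefix + f"{free_part:0{free_width}d}"
    return body + luhn_check_digit(body)


def expiry_months(first: date, last: date) -> int:
    """Distinct MM/YY values between two months, inclusive."""
    return (last.year - first.year) * 12 + (last.month - first.month) + 1


def search_space(pan_length: int = 16, fixed: int = 8, expiries: int = 17):
    """(free digits, PAN candidates, PAN x expiry candidates)."""
    free = pan_length - fixed - 1  # subtract the check digit
    pans = 10 ** free
    return free, pans, pans * expiries


def expected_guesses(space: int, live_cards: int) -> float:
    """Average random guesses until one hits a live card, given `live_cards` in `space`."""
    return space / live_cards


if __name__ == "__main__":
    free, pans, combos = search_space()
    print(f"{free} free digits -> {pans:,} PANs -> {combos:,} PAN/expiry combinations")
    # Oct 2018 launch through Feb 2020 (this article's date) is 17 months; an inference.
    print("expiry months:", expiry_months(date(2018, 10, 1), date(2020, 2, 1)))
    sample = candidate_pan(PREFIX, 1234567)
    print("constructed candidate:", sample, "luhn ok:", luhn_valid(sample))
    # ~1,000,000 live cards in the space would give the researchers' 1-in-170; assumed, not stated.
    print("expected guesses at 1M live cards:", expected_guesses(combos, 1_000_000))
```

The point the block makes is the one the researchers make: a fixed issuer prefix plus a checksum digit collapses a 16-digit number to a seven-digit search, and a short issuance window does the same to the expiry field, so the remaining space is small enough that a fraction of a percent of live cards already yields a hit every few hundred attempts. That is a rate-limiting and monitoring problem for the issuer and the merchants accepting the card, not something the cardholder can influence.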

Just as with the CyberNews story, Fenske and Mayer complain that the issue was not dealt with as they expected. “We reported this in February 2019 to PayPal via HackerOne,” they say. “After an initial rejection and several discussions, PayPal paid a bug bounty of $4,400.” The pair have not heard from PayPal, they say, since April 2019. But this week they “tried and could still use the virtual credit card for online payments.” That means, they told me, “the bug has not been fixed.”

As regards the thefts, PayPal has said the risk has been addressed.

But in terms of the Fenske and Mayer disclosure, the researchers told me that this is not fixed, even after PayPal’s “mitigation” statement. This might be because that mitigation relates to account management, or it might be that the two flaws are unrelated. Fenske sent me a screenshot showing an Amazon account “topped up with a card we read ten minutes ago via NFC from the phone.”

For those who have been impacted, German media reports that “Google refers to Paypal when it comes to canceling withdrawals. According to several users, Google itself cannot do anything about the processes. A user has received information from Google that he does not see the debits in his system at all. Fraudulent payments can be canceled through PayPal.”

PayPal’s advice, according to German media, is to “report transactions immediately... They can then be canceled.” Assuming there is a link, and to avoid the flaw even if not, Fenske and Mayer recommend PayPal users avoid using the contactless facility and remove Google Pay from their PayPal accounts.

Updated later on February 25 with responses from PayPal and Google, and also with feedback from the security researchers who claimed the flaw they had disclosed had not been patched, even after mitigating action had been taken.
