PayPal is the victim of a severe security breach. By exploiting this breach, hackers can take control of your account to make purchases without your knowledge. On social networks, many users report having noticed unknown transactions in the last few days.
Hackers are using a security breach in PayPal to order items online. Over the last few days, the number of victim testimonials has increased on social networks, particularly on Reddit and Twitter. “I have just received a PayPal notification regarding 3 orders placed with Target. I live in Germany and have never been to TARGET or the US,” says a Reddit user.
Among the purchases made by the scammers are several pairs of AirPods. In total, the hackers have already managed to steal tens of thousands of euros. At the moment, most of the victims live in Germany. Most of the fraudulent transactions, however, were carried out in US-based online shops. To deceive PayPal’s anti-fraud mechanisms, the hackers have probably equipped themselves with a VPN, a proxy, and anti-detection software such as FraudFox.
PayPal says it is aware of the security flaw. The platform’s security team has launched an investigation into unauthorized transactions. “The security of customer accounts is the topmost priority for the company. We review and evaluate this information and will take any appropriate measures deemed necessary to protect our customers further,” said PayPal. Until the breach is corrected, you are encouraged to remove the connection between your Google Pay account and your PayPal account as a security measure.
A flaw in the integration of Google Pay
Fraudulent transactions are debited from the victims’ Google Pay accounts. Since last June, it has been possible to link one’s Google Pay account with PayPal to make purchases on e-commerce sites. According to Markus Fenske, a cybersecurity researcher, hackers have exploited a loophole in the integration of Google Pay into PayPal. On Twitter, the expert claims to have warned the firm of the existence of a breach more than a year ago. Unfortunately, the company reportedly did not act on Fenske’s discovery.
When you link a PayPal account to a Google Pay account, PayPal creates a virtual credit card with its own card number, expiration date, and CVV, Fenske says. “PayPal allows contactless payments via Google Pay. If you set it up, you can read the card details of a virtual credit card from the mobile. No authentication is required,” laments Markus Fenske. Under these conditions, hackers are able to collect the virtual card details. With this data, a hacker has no problem making purchases in stores on your account.