PayPal Accounts Are Getting Abused En-masse For Unauthorized Payments (zdnet.com) 34
Hackers have found a bug in PayPal's Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts. From a report: Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. Issues have been reported on numerous platforms, such as PayPal's forums, Reddit, Twitter, and Google Pay's Russian and German support forums. Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York. Most of the victims appear to be German users.
Paypal via Google Pay? (Score:1)
Geez people, just use a credit card.
Re: (Score:2)
Exactly. Damn Millennials with their Apple Pay linked to their wristwatches. Get some cash you hippies!
Re: (Score:2)
Re: (Score:1)
Yeah it's great. You get a few pennies while the corporate giants rake off a few percent plus sell your life details to the other corporate giants. But hey, in 10 years you will be able to afford a free Amazon Echo 32.
Re: (Score:3)
Re: (Score:2)
Re: Paypal via Google Pay? (Score:2)
Re: (Score:2)
tremendous data exposure
Pretty sure anybody who cares already knows I subscribe to Hulu and Netflix. If they really care who my cable and trash collection providers are, more power to them.
occasional large financial loss
You have to have a large amount of money for that to happen. Someone could do WAY more damage with my credit card than they could possibly do with my checking account, and that generally has a far larger exposure profile. (Thanks to the likes of Home Depot, Target, etc. who seem to enjoy giving out that information)
Re: (Score:3)
But hey, give everybody and their brother your bank account information. Companies never lose data and are completely trustworthy. And besides, what data is less important than your bank account information?
Re: (Score:3)
give everybody and their brother your bank account information
I'm not trying to be a dick here, but that's literally what you do every time you send a check to someone. And best I can tell, as long as things are reported timely and you exercise diligence in protecting your information you're not liable for EFT transactions or fraudulent checks. I guess we could argue if utilizing your information for a transaction would pass muster, but I'd have to imagine it would. If you posted the info to Facebook it would be a different story. (Found a few similar references t
Re: (Score:2)
This *really* depends on where you are in the world - in the UK, most banks will refund losses due to theft from bank accounts and debit cards, even when you are the victim of a phishing scam or another scam which involves you voluntarily handing over money.
I'd still put everything on a credit card, because then I have the Consumer Credit Act in my favour for anything that costs over £100 (so long as I put the first £100 on that card).
Re: (Score:2)
I avoid autopay if at all possible, and actually write checks for almost all our bills. Yeah, I could go online and check the receipts every month to make sure that T-Mobile or Comcast haven't added new charges without authorization again, or to make sure the water bill is still reasonable so I don't have a hidden leak somewhere, but I know that I'm too bloody lazy to actually do that. If I have the bill in front of me every month I can make myself look and verify that Comcast hasn't started charging me r
Re: Paypal via Google Pay? (Score:2)
I don't use autopay (except for mortgage) yet I still pay online every month.
I also have one checking account for bills, and that gets one month of bills transfered to it monthly.
Go ahead and hack my debit card you won't get far.
Re:Paypal via Google Pay? (Score:4, Interesting)
Having PayPal is a good in-between because it's linked to my checking account
Around 20 years ago, I released a shareware Pocket PC utility, and was using PayPal to process payments for the full version. At that time I had PayPal linked to my checking account, because as a "merchant" I had no other option (otherwise the amount of funds I had access to was very limited per month). Someone hacked my account in some way, and attempted to make a several hundred dollar purchase in a foreign country. PayPal withdrew those funds from my linked checking account, however they identified this as a fraudulent transaction and "froze" the funds. For months. And at that time it was a significant financial hardship for me to have money taken out of my personal account, and then frozen by PayPal. I basically had no recourse, since PayPal was not a bank or otherwise a financial institution. Eventually after a couple months PayPal released the funds back to me.
So from that day on, nope, never linking a checking account to PayPal ever again. Thankfully there are now much better options than PayPal for receiving payments for services.
Re:Paypal via Google Pay? (Score:4, Interesting)
That's actually pretty standard and why you never use a debit card online. Once the money is gone from your account, the bank rarely puts it back until they actually get it transferred to them. Actually scratch that - if you use a debit card anywhere, that can happen - a fraudulent debit transaction can take months to reverse.
Credit cards work differently which is why by law they can halt the transaction in the meantime.
The main problem with Paypal is that it works like regular banks except people don't realize that merchant accounts are special and work differently. If you have a regular merchant account, Paypal's policies don't really surprise - they're pretty much the same and merchants go through the same freezing of funds as well. It's just that since merchant accounts are qualified and all that, it's only a portion that's actually tied up at any one time.
Paypal's mistake is offering merchant accounts to the masses without the masses knowing what they were getting into.
Re: Paypal via Google Pay? (Score:2)
I haven't seen an auto-pay service in years that did not support ACH transfer from your bank account. Maybe take a closer look at those services.
Re: (Score:1)
Re:Paypal via Google Pay? (Score:4, Funny)
When I try to shove dollar bills into my computer to make payments it makes a terrible noise, and the coins just short everything out.
Re: (Score:2)
PayPal was really useful because it linked a card and a shipping address and third token security. The problem is that Google really sucks when it comes to security. It is an ad firm and focuses on making people’s data less secure.
Re: (Score:1)
Connect your google account (Score:3)
Re: (Score:2)
Not only you can checkout faster, your attackers can do so too!
La Casa de PayPal (Score:2)
PayPal needs to crash and burn! (Score:1)
2FA anyone? (Score:2)
My paypal account uses 2FA so I can't make a purchase without the second auth. I don't know if going through google would bypass that but I sure hope not.
Re: (Score:3)
2FA doesn't help in this situation.
PayPal supports authorization integrations with various merchants such as eBay, Google and Steam. If, after entering your PayPal authentication details, you've ever seen one of those "Check out faster in the future" messages and clicked the "Remember me" button then you've setup a permanent authorization from PayPal to the other party and they can make purchases without involving your credentials or 2FA in the future.
Annoyingly, as I discovered with Steam at one point, to
Security Gold. (Score:2)
"The CVC does not matter," he added. "Any is accepted."
paypal authenticator: What's the confirmation CVC pin?
theif: 'um, 123'
paypal authenticator: approved!
I never... (Score:1)
And they've known it for awhile (Score:2)
That's a handy idea (Score:2)
Mysterious unauthorized PayPal charges are an ideal way of soaking up the funds in your PayPal seller account which was mysteriously frozen and you can't talk to a real person to find out why.