Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

PayPal Accounts Are Getting Abused En-masse For Unauthorized Payments (zdnet.com) 34

Hackers have found a bug in PayPal's Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts. From a report: Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. Issues have been reported on numerous platforms, such as PayPal's forums, Reddit, Twitter, and Google Pay's Russian and German support forums. Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York. Most of the victims appear to be German users.
This discussion has been archived. No new comments can be posted.

PayPal Accounts Are Getting Abused En-masse For Unauthorized Payments

Comments Filter:
  • Geez people, just use a credit card.

    • by DogDude ( 805747 )
      But how are you going to give Google and PayPal for free data points if you don't route it through them?
      • Yeah it's great. You get a few pennies while the corporate giants rake off a few percent plus sell your life details to the other corporate giants. But hey, in 10 years you will be able to afford a free Amazon Echo 32.

    • by Pascoea ( 968200 )
      My issue with credit cards/debit cards... when one gets lost or stolen it takes a not-insignificant amount of time to change over everything I have on auto-pay. Having PayPal is a good in-between because it's linked to my checking account, which hasn't changed in the last 15 years. Granted, if they get hacked I'm pretty well screwed, but the joke's on them (jokes on them? That doesn't sound right either) I don't have that much money in there. As much as people like to bash on PayPal, and I know there are
      • by DogDude ( 805747 )
        You should have things on auto pay through your credit union. Your credit cards should be disposable. Connecting PayPay to a checking account, like you say, is asking for trouble. But, if the occasional large financial loss and the tremendous data exposure is worth the occasional small conveniences to you, then, good luck!
        • Good point, it's also easier to keep track of things all in one place. Some automatic payments in my area (car insurance, electric) alcan't use a credit card so I set them all up through credit union.
        • by Pascoea ( 968200 )

          tremendous data exposure

          Pretty sure anybody who cares already knows I subscribe to Hulu and Netflix. If they really care who my cable and trash collection providers are, more power to them.

          occasional large financial loss

          You have to have a large amount of money for that to happen. Someone could do WAY more damage with my credit card than they could possibly do with my checking account, and that generally has a far larger exposure profile. (Thanks to the likes of Home Depot, Target, etc. who seem to enjoy giving out that information)

          • by DogDude ( 805747 )
            You are not liable for money stolen from your credit card. You ARE liable for money stolen from your bank account. That alone should make a sound fiscal choice a no-brainer.

            But hey, give everybody and their brother your bank account information. Companies never lose data and are completely trustworthy. And besides, what data is less important than your bank account information?
            • by Pascoea ( 968200 )

              give everybody and their brother your bank account information

              I'm not trying to be a dick here, but that's literally what you do every time you send a check to someone. And best I can tell, as long as things are reported timely and you exercise diligence in protecting your information you're not liable for EFT transactions or fraudulent checks. I guess we could argue if utilizing your information for a transaction would pass muster, but I'd have to imagine it would. If you posted the info to Facebook it would be a different story. (Found a few similar references t

            • This *really* depends on where you are in the world - in the UK, most banks will refund losses due to theft from bank accounts and debit cards, even when you are the victim of a phishing scam or another scam which involves you voluntarily handing over money.

              I'd still put everything on a credit card, because then I have the Consumer Credit Act in my favour for anything that costs over £100 (so long as I put the first £100 on that card).

        • by cusco ( 717999 )

          I avoid autopay if at all possible, and actually write checks for almost all our bills. Yeah, I could go online and check the receipts every month to make sure that T-Mobile or Comcast haven't added new charges without authorization again, or to make sure the water bill is still reasonable so I don't have a hidden leak somewhere, but I know that I'm too bloody lazy to actually do that. If I have the bill in front of me every month I can make myself look and verify that Comcast hasn't started charging me r

          • I don't use autopay (except for mortgage) yet I still pay online every month.

            I also have one checking account for bills, and that gets one month of bills transfered to it monthly.

            Go ahead and hack my debit card you won't get far.

      • by Dan East ( 318230 ) on Tuesday February 25, 2020 @11:06AM (#59764934) Journal

        Having PayPal is a good in-between because it's linked to my checking account

        Around 20 years ago, I released a shareware Pocket PC utility, and was using PayPal to process payments for the full version. At that time I had PayPal linked to my checking account, because as a "merchant" I had no other option (otherwise the amount of funds I had access to was very limited per month). Someone hacked my account in some way, and attempted to make a several hundred dollar purchase in a foreign country. PayPal withdrew those funds from my linked checking account, however they identified this as a fraudulent transaction and "froze" the funds. For months. And at that time it was a significant financial hardship for me to have money taken out of my personal account, and then frozen by PayPal. I basically had no recourse, since PayPal was not a bank or otherwise a financial institution. Eventually after a couple months PayPal released the funds back to me.

        So from that day on, nope, never linking a checking account to PayPal ever again. Thankfully there are now much better options than PayPal for receiving payments for services.

        • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday February 25, 2020 @02:47PM (#59765946)

          PayPal withdrew those funds from my linked checking account, however they identified this as a fraudulent transaction and "froze" the funds. For months. And at that time it was a significant financial hardship for me to have money taken out of my personal account, and then frozen by PayPal. I basically had no recourse, since PayPal was not a bank or otherwise a financial institution. Eventually after a couple months PayPal released the funds back to me.

          So from that day on, nope, never linking a checking account to PayPal ever again. Thankfully there are now much better options than PayPal for receiving payments for services.

          That's actually pretty standard and why you never use a debit card online. Once the money is gone from your account, the bank rarely puts it back until they actually get it transferred to them. Actually scratch that - if you use a debit card anywhere, that can happen - a fraudulent debit transaction can take months to reverse.

          Credit cards work differently which is why by law they can halt the transaction in the meantime.

          The main problem with Paypal is that it works like regular banks except people don't realize that merchant accounts are special and work differently. If you have a regular merchant account, Paypal's policies don't really surprise - they're pretty much the same and merchants go through the same freezing of funds as well. It's just that since merchant accounts are qualified and all that, it's only a portion that's actually tied up at any one time.

          Paypal's mistake is offering merchant accounts to the masses without the masses knowing what they were getting into.

      • I haven't seen an auto-pay service in years that did not support ACH transfer from your bank account. Maybe take a closer look at those services.

    • Or......[GASP!] use CASH! Novel idea yes?!
    • by fermion ( 181285 )
      Credit cards are becoming very insecure. Even at gas stations I try to use the mobile App and get a code.

      PayPal was really useful because it linked a card and a shipping address and third token security. The problem is that Google really sucks when it comes to security. It is an ad firm and focuses on making people’s data less secure.

    • Imagine thinking CC are better than paypal or any other dumb service. How about just paying directly from where your cash is? Either your hand or straight from the bank, no middle men or other dumb services
  • by Synonymous Cowered ( 6159202 ) on Tuesday February 25, 2020 @10:04AM (#59764726)
    LOL. I just logged in to check after seeing this article (even though I don't have it linked to google pay) and got this message on login: "Connect your google account, checkout faster on your device". Uhhh, no thanks?
  • that says it all
  • They are by far the worst ever payment solution for a seller to ever use! Fees twice more than any other. Dated experience, i honestly get the feeling of something retro from the beginning of the internet. And when ever they feel like it they will give your money back. or just keep it. If you want to get scammed use paypal! Paypal or scammers will scam you. They are equally bad. They changed the rules and all of a sudden i was breaking them because i did not reread every endless iteration of the tos so the
  • My paypal account uses 2FA so I can't make a purchase without the second auth. I don't know if going through google would bypass that but I sure hope not.

    • 2FA doesn't help in this situation.

      PayPal supports authorization integrations with various merchants such as eBay, Google and Steam. If, after entering your PayPal authentication details, you've ever seen one of those "Check out faster in the future" messages and clicked the "Remember me" button then you've setup a permanent authorization from PayPal to the other party and they can make purchases without involving your credentials or 2FA in the future.

      Annoyingly, as I discovered with Steam at one point, to

  • "The CVC does not matter," he added. "Any is accepted."

    paypal authenticator: What's the confirmation CVC pin?
    theif: 'um, 123'
    paypal authenticator: approved!

  • ....use my smartphone to buy anything. Or to do banking. I'm too smart for that shit.
  • It happened to me about a year ago maybe. They told me to bugger off basically.
  • Mysterious unauthorized PayPal charges are an ideal way of soaking up the funds in your PayPal seller account which was mysteriously frozen and you can't talk to a real person to find out why.

Parts that positively cannot be assembled in improper order will be.

Working...