A security hole in connection with virtual credit cards worries users of the popular online payment service Paypal. According to current reports, unauthorized debits of three to four digits are made.
Who is affected by the problem? There are many indications that the debits only occur in connection with a link between the PayPal account and Google Pay. Among other things, Google Pay is used to pay for purchases via an NFC chip ("NFC" = "Near Field Communication") using a mobile device.
What is the security flaw? As Heise Online reports, the virtual PayPal credit card created automatically with this link can also be used with other Google Pay installations than the one via which it was created, since only the card number is checked and no further security measures such as the check digit or the expiration date would be used.
How do the fraudsters get their credit card details? Probably using the brute force method, i.e. trying different combinations of numbers. This is made much easier in the case of PayPal credit cards because their first eight digits are always identical, as security researcher Markus Fenske points out in the following Twitter post.
Hey @paypal, the 90s called. They want their security back.
1. Generate random 7 digits
2. Your new credit card: 5356 8001 XXXX XXXY, where X is from 1, Y is check digit.
3. Expiry date, CVC, card holder are not verified. 1 in ~ 100 cards are assigned to random PP accnt.– iblue (@iblueconnection) February 26, 2020
Problem known for a year
According to Fenske, Paypal had already pointed out the problems about a year ago. Paypal stated in a current statement that the gap was closed, but Fenske contradicts this.
How can you protect yourself? According to Heise, Fenske recommends deactivating the corresponding debit agreements with Google Pay on PayPal. To do this, proceed as follows:
- After logging into the PayPal account, open the settings via the gear in the top right.
- Select the "Payments" option
- Next to "Manage direct debit payments" click on "Show"
- Deactivate debit agreements from Google Inc.
Until there is clarity as to whether the problem has been resolved, new links between PayPal and Google Pay should also be avoided.
