Which problems has PayPal specifically solved

Google Pay and Paypal: Security problem had been known since 2019

A serious security gap in PayPal, which affects customers with the virtual credit card, which is available specifically for the use of Google Pay, is making headlines these days. The perfidious thing about it: The security gap may have been known for around a year, but has apparently not been closed until today.

Google Pay and Paypal, that was a good combination for all those customers whose bank will not support Google Pay shortly after the start of the contactless payment method based on smartphone. PayPal customers can still use the service on the basis of a virtual credit card that can be integrated into Google Pay.

For a few days now, the media have been reporting on unauthorized debits by some users, all of which follow a similar pattern. In all currently known cases, these are debits from the USA, which, according to forum users (here and here), are in most cases assigned to branches of a US retail chain called Target. Long strings of letters that do not make sense can also be used for the booking. Mind you: At Target, apparently only purchases were made, so the data could also have been sold to third parties via Darknet, so that there is very likely no connection with Target employees. The sums that have been debited vary greatly - from small, single-digit amounts to four-digit amounts.

So it can be Not only deal with those fished payments below the 25 euro amount that are possible without authentication by the customer. "

Customers who had properly configured their two-factor authentication were also affected. According to its own information, Google itself cannot see the initiated bookings and cannot reverse them either. PayPal, on the other hand, to which Google refers, does not forward the customers to the responsible banks, but apparently cancels the affected bookings from customers within 24 hours if things go well. In addition, both companies involved advise filing a complaint with the police, even if this is more of a formality in such cross-border transactions than it will help to clarify the situation. Paypal can be contacted outside of social media by phone or email.

PayPal vulnerability: these are possible vulnerabilities

But the phenomenon has apparently been known to at least some experts - and allegedly PayPal as well - for around a year. As Golem reports, the IT security expert Markus Fenske from Exablue already advised PayPal of security gaps last year. There are two weaknesses that make Google Pay particularly vulnerable in its combination in the PayPal variant described here: On the one hand, the virtual credit card is apparently not only activated for payment via NFC, but also open for online payment transactions - unlike, according to Fenske, for other providers. On the other hand, Paypal apparently does not check the name or the CVC verification number during processing in this case. Exablue wants to have proven this through a test payment.

There are basically two options:

1.Version 1: The data could have been physically collected in Germany by attackers reading the credit card number and the expiration date with any NFC-enabled device when the smartphone is switched on and the screen is unlocked. To do this, however, he must be in the immediate vicinity of the victim.
Tobias Weidemann, IT finance magazine
Tobias Weidemann is an editor and consultant for content, communication and digital ideas. Works for editorial offices, agencies and companies on technical and economic topics. Interested in trends in e-commerce and online marketing, digital transformation and Industry 4.0 as well as FinTech and security. Is on the road as a network journalist in social networks, at conferences and barcamps.
2.Variant 2: According to Exablue, attackers could also have guessed the data from a given number range: The first eight digits are the same for all virtual cards, the last digit is a check digit, so that seven digits remain. In addition, there are 17 possible expiry dates, as the system has not been around for too long and the cards were all issued within a certain period of time. Fenske has calculated that this results in 170 million variants - which of the two variants is more likely remains to be discussed, but in principle both would be possible.

PayPal loophole can still be used until recently

It is also noteworthy that Exablue declares that the vulnerability was reported to PayPal as part of PayPal's own bug bounty program in February of last year. Exablue explains that the security gap was initially denied and only paid a $ 4,400 reward to Exablue after it was shown within a video. Also noteworthy: Apparently the security hole worked in this form even after the first cases became known until this week.

We reported this problem to PayPal via Hacker One in February 2019. After an initial rejection and several discussions, PayPal paid a $ 4,400 error premium. We tried to keep in touch with PayPal until they resolved the problem, but PayPal largely ignored our requests. They told us in April 2019 to wait for more updates. That was her last message. "

Markus Fenske, Managing Director Exablue

We asked PayPal and above all wanted to know why the security gap existed in the first place and, above all, why it was not closed as soon as it was discovered. This has apparently only happened now, as the company also admits (and according to Heise still not really successfully closed). You don't want to explain why it took so long - and the company's statement is also brief and not very illuminating. Of course, nobody wants to be quoted personally - in a short statement it says:

We immediately set about fixing this problem. A very small number of PayPal customers who use Google Pay were affected. The problem has now been resolved. No personal or financial information was stolen from PayPal customers. Third parties also never had access to PayPal accounts. "

Written statement from PayPal

Even the statement "we immediately took care of the problem solving" is remarkable when you consider that the payments mentioned were apparently only recently made to the accounts of PayPal customers (albeit via the virtual debit card). Only the statement "in the areas of fraud prevention and risk management PayPal relies on modern technologies to protect its customers and enable secure payments" can be signed: Because the security gap, if it existed in the form described by Exablue, has little to do with the most modern and To do the most sophisticated deception strategies, but is basic IT security knowledge, the disregard of which one would not have expected a global corporation with sales of this magnitude to be. partly

You can find this article on the Internet on the website:

(2 Votes, average: 5,00 of a maximum of 5)
Loading ...

Interesting too