
Unauthorized direct debits at PayPal: Who is affected and what can be done

The security problem, which is presumably responsible for the current fraud cases in connection with PayPal and Google Pay, has been known to PayPal for a long time.

Users of the popular online payment service PayPal are worried about a security gap in connection with virtual credit cards. According to current reports, it is being used to make unauthorized debits of three- to four-digit amounts.

Who is affected by the problem? There is much to suggest that the debits only occur in connection with a link between the PayPal account and Google Pay. Among other things, Google Pay is used to pay for purchases using an NFC chip (“NFC” = “Near Field Communication”) on a mobile device.

Where is the security flaw? As Heise Online reports, the virtual PayPal credit card that is automatically created with this link can also be used with Google Pay installations other than the one through which it was created, since only the card number is checked and no further security measures such as the check digit or the expiration date are used.

How do the fraudsters get the credit card details? Presumably by brute force, i.e. by trying out different combinations of numbers. In the case of PayPal credit cards, this is made much easier because their first eight digits are always identical, as security researcher Markus Fenske points out on Twitter.
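A server-side check for the pattern described above, as an added example (not from the article, PayPal or Google): it flags a wallet installation that presents many different card numbers sharing the same eight-digit prefix within a short window. The event fields, thresholds, device names and card numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, wallet_installation_id, card_number).
# The 9999... numbers are made up and belong to no card network.
SAMPLE_EVENTS = (
    # dev-A: six different numbers with one prefix in 25 seconds
    [(t, "dev-A", f"99990000{1000 + t:08d}") for t in range(0, 30, 5)]
    # dev-B: the same card used three times (normal behaviour)
    + [(t, "dev-B", "9999000000004242") for t in (3, 40, 90)]
    # dev-C: five different numbers, but spread over several minutes
    + [(t, "dev-C", f"99990000{2000 + t:08d}") for t in range(0, 500, 100)]
)


def find_enumeration(events, window_s=60, min_distinct=5, prefix_len=8):
    """Return the set of (installation, prefix) pairs where one installation
    presented at least min_distinct different card numbers that share the
    same prefix within window_s seconds."""
    recent = defaultdict(deque)  # (installation, prefix) -> deque of (ts, pan)
    flagged = set()
    for ts, source, pan in sorted(events):
        key = (source, pan[:prefix_len])
        attempts = recent[key]
        attempts.append((ts, pan))
        # Drop attempts that have fallen out of the sliding window.
        while ts - attempts[0][0] > window_s:
            attempts.popleft()
        # Count distinct numbers, so repeated use of one card never triggers.
        if len({p for _, p in attempts}) >= min_distinct:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    for source, prefix in sorted(find_enumeration(SAMPLE_EVENTS)):
        print(f"possible card enumeration: {source} prefix {prefix}")
```

Keying on the wallet installation rather than the merchant matters here: a merchant legitimately sees many different cards, while a single installation cycling through numbers with one prefix does not.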

Problem known for a year

According to Fenske, PayPal was made aware of the problems about a year ago. PayPal said in a current statement that the loophole had been closed, but Fenske contradicted this.

How can you protect yourself? According to Heise, Fenske recommends deactivating the corresponding direct debit agreements with Google Pay at PayPal. To do this, you have to proceed as follows:

  1. After logging into the PayPal account, open the settings using the gear wheel in the top right corner.
  2. Select the »Payments« option.
  3. Next to »Manage direct debit payments«, click on »Display«.
  4. Deactivate direct debit agreements from Google Inc.

Until it is clear whether the problem has been resolved, users should also refrain from creating new links between PayPal and Google Pay.
