Hackers have found a bug in PayPal's Google Pay integration and are now using it to buy products online and incur unauthorized charges to PayPal accounts. Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account.
Victims report that hackers are abusing their Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, especially Target stores.
Most of the victims seem to be German users. Estimated damages are in the range of tens of thousands of euros, based on public reports. Some transactions go over €1,000. Which bug the hackers are exploiting is not yet clear.
When a Google Pay user chooses to make a contactless payment using funds from their PayPal account, the transaction is charged via this virtual card.
"If the virtual card was locked to POS transactions only, there would be no issue, but PayPal allows this virtual card to be used for online transactions." A security researcher believes hackers found a way to discover the details of these virtual cards and are using those details for unauthorized transactions online.
The researcher said there could be three ways in which an attacker could get a virtual card's details. First, by reading the card details from a user's phone/screen. Second, programmatically, by using malware that infected a user's device. Third, by guessing it.
PayPal told reporters: "The security of customer accounts is a top priority for the company. We are reviewing and assessing this information and will take any appropriate actions that are deemed necessary to further protect our customers."