PayPal account vulnerabilities, refund transactions fraud, account hacking

    I want to talk about a real case of fraud involving a PayPal account.

    The incident happened to one of my friends, who as a result lost several hundred euros. Repeated calls to the support service and to the PayPal dispute commission led nowhere: the money was not returned, and the vulnerability remains.

    The situation was as follows: my friend Vladimir transferred 560 euros to a certain Dmitry (with whom he had previously worked) as an advance payment for a rental.

    A few days later the reservation was canceled and Dmitry transferred this amount back to Vladimir.

    It is worth noting that Dmitry returned the money to Vladimir by a simple transfer, i.e. without linking this action to the original transaction. I should mention that PayPal has a dedicated operation called a "refund". The refund was most likely designed for online stores that ship goods by mail, so that they can return money to the buyer if the goods are not delivered within a month. This operation must be performed with the permission (confirmation) of the seller, i.e. the person who received the money, at the request of the buyer (sender).

    Now to the point. Almost a month later, Vladimir received a letter with the following content:

    Subject: "Hacking your PayPal account"

    Text (slightly modified):

    Good day, my name is Maxim. I have gained access to your PayPal account, info@******.ru, which currently contains 5896 EUR. As proof, a payment with ID ********94J******** mail.ru in the amount of 560 EUR was returned. Changing the password will not help. I could withdraw all your money, but I won't; I can offer you a deal: for half the amount in this account I will tell you how to prevent this.

    At the same time, a refund transaction of 560 EUR, linked to Dmitry's return payment, appeared in the transaction list, and Vladimir's balance decreased by that amount. Vladimir, of course, did not confirm this operation, and he did not receive the e-mail notification that PayPal always sends for any transaction during normal use of the account.
    Vladimir immediately contacted PayPal support, which has a dedicated topic for such cases, "Report fraud or prohibited use", and he also wrote to Dmitry about it.

    Dmitry did not receive this money in his account. In such cases PayPal applies its standard procedure of blocking the account and re-verifying identity. I must say right away that the dispute led nowhere: the money was not returned, though nothing further was lost.

    PayPal, apparently, takes no action at all in such cases and checks nothing, although there is an obvious hole in the system: an unauthorized transaction.

    I was asked to assess this situation, as at one time I was engaged in integrating payment systems for Vladimir's website.

    Judging by the letter, the hacker who moved the money did not get real access to Vladimir's account; otherwise he would simply have withdrawn all the money silently. However, he was somehow able to learn the balance of Vladimir's account and to refund Dmitry's transaction. Since Vladimir neither confirmed the transaction nor received any notification, the operation was carried out through some kind of refund-transaction vulnerability, on the last day of the month-long window after the original payment. Most likely the hacker obtained some information about Dmitry's operations and was able to exploit it through this vulnerability. Since Dmitry did not receive the money either, it went to an unknown account or remains frozen somewhere in the depths of the system.

    I wrote a detailed letter in English to PayPal support explaining the situation and attached the hacker's letter together with its translation (at their request). Obviously their security experts could have traced the fraudulent transaction, where the money went, and so on. But that would have meant acknowledging a flaw in their system.

    The answer was brief: "We did not find sufficient evidence of fraud."

    The conclusion for all PayPal users from this story: if possible, monitor the status of all received payments and try to withdraw them from the system immediately or transfer them to buffer accounts. In case of a dispute, do not count on help from the system's administration; it is easier for them to do nothing at all (compare the eBay account leak), and in general it is better to stay away from PayPal altogether.

    I will add screenshots of the letters:
