Making Digital Payments? Watch Out for Hackers

A slew of reports has surfaced online since last Friday about shady transactions on PayPal accounts of users in the United States.


At a time when the government in India is actively promoting digital payments as a means to make financial transactions more transparent, news has emerged that the digital payment accounts of several users were compromised, with unauthorized transactions recorded on their PayPal accounts.

A report published on says victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York.

And where’s the loophole that hackers found? It appears to be in PayPal’s Google Pay integration, though the company reported yesterday that the issue had been fixed. The issues were reported on several platforms, specifically on PayPal forums, social media and Google Pay’s support forums in Russia and Germany.

Though there is no specific estimate of how many accounts were hacked or of the value of the spurious transactions, initial data suggests that some of the transactions were above the 1000 Euro mark. Both Google Pay and PayPal were aware of the outage on Friday, though a solution came forth only on Monday.

Once the issue gained notoriety, a few security researchers came forward claiming that they had informed the organisations concerned about the security bug as far back as a year ago, and that the report was either ignored or fell down the priority list of bug fixes.

A security researcher who goes by the name iBlue on Twitter states that he and a fellow researcher had raised the issue with PayPal last February, but the company did not act on it. “PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobile device is enabled. No auth,” the researcher says via his social handle.

The article quotes the researcher Markus Fenske as saying that the bug he found stems from the fact that when you link a PayPal account to a Google Pay account, PayPal creates a virtual card, complete with its own card number, expiry date and CVC. When Google Pay users then make digital payments using funds from PayPal, the transaction is charged via this virtual card.

Now, one isn’t really sure how Indian digital payments companies structure such transactions – do they use virtual cards too? If so, could the protocols hold some threat to users who are making transactions via Google Pay?