PayPal scam lets you double your money in a few days

Security

by Jimmy Nicholls | 13 June 2014

Reformed hacker tells of fraud.

PayPal users can endlessly double their money because of a loophole in the payment company's protection policy, according to a security consultant.

Discovered by Razvan Cernaianu, chief operating officer at Cyber Smart Defence, the scheme abuses the chargeback function, which reverses a cleared transaction when the buyer suspects fraud.

He said: "Back in the year 2010 I made a transaction using PayPal with a person who tried to scam me using the chargeback function. As I never held my money on that PayPal account, I transferred them to my other account.

"After a month when I re-checked the second PayPal account I noticed that my account balance was negative [at] -$50. That made me wonder a little bit."

To enact the scam one has to register three PayPal accounts, verifying one with a genuine credit card and the other two with virtual cards or bank accounts, tools normally used to protect customers from online fraud.

From the first account you pretend to buy an item from the second worth, for instance, £100, and then gift the money to the third. After 24 hours you use the chargeback function from the first account, claiming the item has not arrived.

Chargeback disputes are subject to evidence from both sides, but as you control both accounts you can ensure it is resolved in favour of the first account. As a result the first and third accounts have £100 apiece, while the second account has -£100.
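As an added illustration (not from the article, and not PayPal's own logic), the constructed ledger below replays the three-account sequence to show why the second account ends at -£100, and a simple detection rule flags chargebacks where the seller had already forwarded the disputed amount, so the accounts involved can be reviewed for linkage. The account names, the 48-hour window and the event format are assumptions.

```python
from collections import defaultdict

# Constructed, simplified ledger (not PayPal's data model). An event is
# (hour, kind, src, dst, amount); kinds are "fund", "payment", "transfer"
# and "chargeback". A chargeback names the original payment's src and dst.
SAMPLE_EVENTS = [
    (0, "fund", None, "acct_1", 100),            # acct_1 topped up from a real card
    (1, "payment", "acct_1", "acct_2", 100),     # acct_1 "buys" from acct_2
    (2, "transfer", "acct_2", "acct_3", 100),    # acct_2 gifts the money onward
    (26, "chargeback", "acct_1", "acct_2", 100), # acct_1 disputes a day later
]

def apply_events(events):
    """Replay events and return final balances. A chargeback debits the
    seller even when the seller has already moved the money elsewhere,
    which is what drives the second account negative."""
    bal = defaultdict(int)
    for _hour, kind, src, dst, amt in events:
        if kind == "fund":
            bal[dst] += amt
        elif kind in ("payment", "transfer"):
            bal[src] -= amt
            bal[dst] += amt
        elif kind == "chargeback":
            bal[dst] -= amt
            bal[src] += amt
    return dict(bal)

def flag_forwarded_chargebacks(events, window_hours=48):
    """Flag chargebacks raised within window_hours of a payment whose
    recipient forwarded funds out between the payment and the dispute.
    Returns (buyer, seller, forward destinations) tuples for linked-account
    review; a seller who kept the funds is not flagged."""
    payments = {}                 # (src, dst, amt) -> hour paid
    forwards = defaultdict(list)  # seller -> [(hour, dst, amt)]
    flagged = []
    for hour, kind, src, dst, amt in events:
        if kind == "payment":
            payments[(src, dst, amt)] = hour
        elif kind == "transfer":
            forwards[src].append((hour, dst, amt))
        elif kind == "chargeback":
            paid_at = payments.get((src, dst, amt))
            if paid_at is None or hour - paid_at > window_hours:
                continue
            dests = sorted({d for h, d, _a in forwards[dst] if paid_at <= h <= hour})
            if dests:
                flagged.append((src, dst, dests))
    return flagged
```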

After Cernaianu contacted PayPal about the exploit, the company said: "While the abuse described here is possible in our system, repeated abusive behavior by the same and linked accounts is addressed."

Before becoming a security consultant Cernaianu was a "grey hat" hacker who worked under the name TinKode, the sort who sometimes acts illegally in order to alert companies to vulnerable systems.

He received a suspended sentence with damages for attacking the likes of Oracle, Google and the US Department of Defense, after which he started offering his services professionally.
