Jump to content
Intenso

PayPal Chargeback Feature Can Be Abused For Financial Gains

Recommended Posts

Posted (edited)

Web vulnerabilities are not always necessary to abuse a system for financial gains. A Romanian ex-greyhat hacker turned security researcher, who goes by the nickname Tinkode, recently described a method to make money by exploiting loopholes in PayPal's chargeback feature.

Chargeback allows the reversal of a PayPal transaction and can be initiated by users in several cases: non-arrival of the purchased item, the product being significantly different than advertised, or unauthorized usage of the credit card.

Chargeback requests are handled by the credit card issuer by contacting PayPal, who then returns the funds to the buyer and temporarily blocks the disputed amount in the seller’s account until the claim is investigated and resolved.

The scheme described by Tinkode involves a fraudster using three accounts: one verified with a personal card and used to pose as a buyer, and two others verified with virtual credit cards (VCC).

Ironically, virtual credit cards are a service designed to protect online shoppers against fraud. They consist in a credit card number that can be used instead of the real one during an online transaction.

One of the VCC accounts acts as a seller and is used to receive a payment from the buyer. The money is then transferred to the second VCC account in the form of a gift card.

A day or two later, a chargeback request is issued by the buyer, based on one of the reasons stated by PayPal’s chargeback policy.

PayPal will then launch an investigation, but with no response from the seller, the company should honor the buyer's request and retain the disputed amount from the seller’s account. Because at this point the seller has no available funds, the account is left with a negative balance, which leads to PayPal incurring the actual loss.

In the end, the fraudster keeps the initial money spent on the fake purchase and the gift card that can be then transferred to the real account and withdrawn.

Although chargeback fraud is known to PayPal, there are various methods to exploit the policy of the company regarding the feature.

Cybercriminals have sufficient imagination to adapt the scheme and make it harder to trace the money, according to Tinkode.

By creating PayPal accounts from a remote location and deleting them once the deed is done, cybercriminals could take advantage of the scheme and transfer money from their VCC accounts to accounts that belong to users whose computers are infected with credential-stealing malware and are part of botnets. Those accounts can be emptied at a later time, causing the fraudulent transactions to be traced to the botnet victims.

Tinkode, who now runs his own penetration testing company, Cyber Smart Defence, claims to have presented his proof of concept attack to PayPal by submitting it through the company's Bug Bounty program despite not involving a website vulnerability.

According to the hacker, the company responded to his submission more than one month later with the following reply:

“Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our protection Policy. While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed. Thank you for your participation in our program.”

Tinkode (R?zvan Cern?ianu) was arrested in 2012 after breaching computer systems belonging to several private and government organizations including Oracle, NASA, the United States Army, the Pentagon, the European Space Agency and the Royal Navy.

He was ordered to pay around $120,000 (89,000 EUR) for the losses he caused to the aforementioned organizations, although his actions did not bring him any financial gains.

We contacted PayPal for a request for comments, but the company did not immediately respond to our message.

Source: Softpedia

Edited by Intenso
Posted

Ba prietene, citeam articolul si brusc s-a rupt firul.........

"Tinkode (R?zvan Cern?ianu) was arrested in 2012 after breaching computer systems belonging to several private and government organizations ..................."

Ce draq cauta mizeria asta in articol?

EDITED: De fapt aia e incheierea :)))

Posted
  mah_one said:
Ba prietene, citeam articolul si brusc s-a rupt firul.........

"Tinkode (R?zvan Cern?ianu) was arrested in 2012 after breaching computer systems belonging to several private and government organizations ..................."

Ce draq cauta mizeria asta in articol?

EDITED: De fapt aia e incheierea :)))

Sa ma corecteze cineva daca gresesc, dar in tot cacatul asta, nu am remarcat decat vechea problema cu disputele abuzive de la PayPal si faptul ca au un staff idiot care nu stie sa verifice daca povestea e adevarata.

Acu' toata lumea face din prostia asta (sau management defectuos al unei afaceri, ca sa fim mai diplomati) o ultra-stire de securitate, ca sa-si faca reclama la site.

Maine-poimaine, mergem si la ProsTV la iLaicAITI si facem o stire bomba pe seama tampeniei asteia. Ia care are nevoie de reclama la site ?

Unde-i el Tepes, ca va spargea pe toti, doar ca in alta parte, ca site-uri nu existau pe vremea lui saracu'.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...