Convicted NASA hacker Razvan Cernaianu, better known by his handle TinKode, has disclosed a loophole that takes advantage of PayPal’s Terms of Service (TOS) and could allow scammers to pilfer funds by way of the company’s chargeback function.
Cernaianu says the scam can be accomplished with three PayPal accounts – the first as a legitimate buyer verified with a personal card, the second used as a seller, and the third as a “mule” account – the last two using virtual credit cards.
“You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, you use the chargeback function from the first account to get the money back with the excuse that the phone did not arrive on time,” Cernaianu wrote.
“As the second account is only a virtual one, it will not have real money from which PayPal can extract. Therefore you are left with $500 restored by PayPal, and $500 in your third account.”
Cernaianu said he reported the scam technique to PayPal through its Bug Bounty program, even though it is not a software vulnerability, but PayPal’s response seems to indicate that the company believes it already has the proper controls in place to prevent abuse of the chargeback function.
“Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our Protection Policy,” Cernaianu says the PayPal response stated. “While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed.”
After receiving PayPal’s reply, Cernaianu decided to make the details of the scam public.
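The pattern described above (buyer pays a seller, the seller forwards the money to a third account, and the buyer files a chargeback once the seller account is empty) can be screened for on the payment-processor side before a refund is issued automatically. The following check is an added example written for this page; it is not PayPal's code and does not reflect PayPal's actual policy engine. The ledger model, the `device_ids` linkage signal, the 48-hour forwarding window and the "two or more signals" threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, simplified ledger model for illustration only (not PayPal's data model).


@dataclass
class Account:
    id: str
    funding: str                 # hypothetical labels: "personal_card" or "virtual_card"
    balance: float = 0.0
    device_ids: set = field(default_factory=set)   # constructed linkage signal


@dataclass
class Transfer:
    src: str
    dst: str
    amount: float
    when: datetime
    memo: str


def linked(accounts, a_id, b_id):
    """Two accounts count as linked here if they share a device id (constructed signal)."""
    return bool(accounts[a_id].device_ids & accounts[b_id].device_ids)


def assess_chargeback(accounts, transfers, buyer_id, seller_id, amount,
                      window=timedelta(hours=48)):
    """Return (decision, reasons) for a chargeback the buyer files against the seller.

    Signals checked:
      1. the seller forwarded the received amount onward shortly after receiving it;
      2. the seller account has no recoverable balance and is backed only by a virtual card;
      3. the buyer is linked to the seller or to any account the money was forwarded to.
    Two or more signals hold the refund for manual review instead of granting it automatically.
    """
    payment = next((t for t in transfers
                    if t.src == buyer_id and t.dst == seller_id and t.amount == amount), None)
    if payment is None:
        return "reject", ["no matching payment"]

    reasons = []

    # Signal 1: money moved out of the seller account within the window (not back to the buyer).
    forwarded = [t for t in transfers
                 if t.src == seller_id and t.dst != buyer_id
                 and timedelta(0) <= t.when - payment.when <= window]
    if sum(t.amount for t in forwarded) >= amount:
        reasons.append("funds forwarded out of seller within window")

    # Signal 2: nothing left to recover from the seller.
    seller = accounts[seller_id]
    if seller.balance < amount and seller.funding == "virtual_card":
        reasons.append("seller has no recoverable balance")

    # Signal 3: buyer is linked to the seller or to any onward recipient ("mule").
    for other in sorted({seller_id} | {t.dst for t in forwarded}):
        if linked(accounts, buyer_id, other):
            reasons.append(f"buyer linked to {other}")

    decision = "hold_for_review" if len(reasons) >= 2 else "auto_refund"
    return decision, reasons


def demo():
    """Constructed scenarios: the three-account pattern from the article, and a benign dispute."""
    t0 = datetime(2014, 1, 1, 12, 0)

    # Scenario A: buyer, seller and mule all on the same device; seller empties itself to the mule.
    accounts_a = {
        "buyer": Account("buyer", "personal_card", 0.0, {"dev-1"}),
        "seller": Account("seller", "virtual_card", 0.0, {"dev-1"}),
        "mule": Account("mule", "virtual_card", 500.0, {"dev-1"}),
    }
    transfers_a = [
        Transfer("buyer", "seller", 500.0, t0, "phone"),
        Transfer("seller", "mule", 500.0, t0 + timedelta(hours=1), "gift"),
    ]
    scam = assess_chargeback(accounts_a, transfers_a, "buyer", "seller", 500.0)

    # Scenario B: unrelated seller who still holds the funds; ordinary non-delivery dispute.
    accounts_b = {
        "buyer": Account("buyer", "personal_card", 0.0, {"dev-1"}),
        "shop": Account("shop", "personal_card", 500.0, {"dev-9"}),
    }
    transfers_b = [Transfer("buyer", "shop", 500.0, t0, "phone")]
    benign = assess_chargeback(accounts_b, transfers_b, "buyer", "shop", 500.0)

    return scam, benign


if __name__ == "__main__":
    for label, result in zip(("scam pattern", "benign dispute"), demo()):
        print(label, "->", result)
```

The point of the example is that none of the three signals is conclusive on its own (people do forward gifts, and some accounts are legitimately empty), which is why the check only escalates when several coincide; in practice the linkage signal would draw on far more than a shared device id.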