14 DAY TRIAL // Web vulnerabilities are not always necessary to abuse a system for financial gains. A Romanian ex-greyhat hacker turned security researcher, who goes by the nickname Tinkode, recently described a method to make money by exploiting loopholes in PayPal's chargeback feature.
Chargeback allows the reversal of a PayPal transaction and can be initiated by users in several cases: non-arrival of the purchased item, the product being significantly different than advertised, or unauthorized usage of the credit card.
Chargeback requests are handled by the credit card issuer by contacting PayPal, who then returns the funds to the buyer and temporarily blocks the disputed amount in the seller’s account until the claim is investigated and resolved.
The scheme described by Tinkode involves a fraudster using three accounts: one verified with a personal card and used to pose as a buyer, and two others verified with virtual credit cards (VCC).
Ironically, virtual credit cards are a service designed to protect online shoppers against fraud. They consist in a credit card number that can be used instead of the real one during an online transaction.
One of the VCC accounts acts as a seller and is used to receive a payment from the buyer. The money is then transferred to the second VCC account in the form of a gift card.
A day or two later, a chargeback request is issued by the buyer, based on one of the reasons stated by PayPal’s chargeback policy.
PayPal will then launch an investigation, but with no response from the seller, the company should honor the buyer's request and retain the disputed amount from the seller’s account. Because at this point the seller has no available funds, the account is left with a negative balance, which leads to PayPal incurring the actual loss.
In the end, the fraudster keeps the initial money spent on the fake purchase and the gift card that can be then transferred to the real account and withdrawn.
Although chargeback fraud is known to PayPal, there are various methods to exploit the policy of the company regarding the feature.
Cybercriminals have sufficient imagination to adapt the scheme and make it harder to trace the money, according to Tinkode.
By creating PayPal accounts from a spoofed remote location and deleting them once the deed is done, cybercriminals could take advantage of the scheme and transfer money from their VCC accounts to accounts that belong to users whose computers are infected with credential-stealing malware and are part of botnets. Those accounts can be emptied at a later time, causing the fraudulent transactions to be traced to the botnet victims.
Tinkode, who now runs his own penetration testing company, Cyber Smart Defence, claims to have presented his proof of concept attack to PayPal by submitting it through the company's Bug Bounty program despite not involving a website vulnerability.
According to the hacker, the company responded to his submission more than one month later with the following reply:
“Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our protection Policy. While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed. Thank you for your participation in our program.”
Tinkode (Răzvan Cernăianu) was arrested in 2012 after breaching computer systems belonging to several private and government organizations including Oracle, NASA, the United States Army, the Pentagon, the European Space Agency and the Royal Navy.
He was ordered to pay around $120,000 (89,000 EUR) for the losses he caused to the aforementioned organizations, although his actions did not bring him any financial gains.
We contacted PayPal for a request for comments, but the company did not immediately respond to our message.
[UPDATE, June 13]: A PayPal represenative contacted us with the folowing statement:
The short version of it is: don't try to pull this unless you are ready to face legal trouble.