PayPal users can endlessly double their money because of a loophole in the payment company’s protection policy, according to a security consultant.
Discovered by Razvan Cernaianu, chief operating officer at Cyber Smart Defence, the exploit uses the chargeback function used for reversing a cleared transaction if fraud is suspected by the buyer.
He said: "Back in the year 2010 I made a transaction using PayPal with a person who tried to scam me using the chargeback function. As I never held my money on that PayPal account, I transferred them to my other account.
"After a month when I re-checked the second PayPal account I noticed that my account balance was negative [at] -$50. That made me wonder a little bit."
To enact the scam one has to register three PayPal accounts, verifying one with a genuine credit card and the other two with virtual cards or bank accounts, tools normally used to protect customers from online fraud.
From the first account you pretend to buy an item from the second worth, for instance, £100, and then gift the money to the third. After 24 hours you use the chargeback function from the first account, claiming the item has not arrived.
Chargeback disputes are subject to evidence from both sides, but as you control both accounts you can ensure it is resolved in favour of the first account. As a result the first and third accounts have £100 apiece, while the second account has -£100.
After Cernaianu contacted PayPal about the exploit, the company said: "While the abuse described here is possible in our system, repeated abusive behavior by the same and linked accounts is addressed."
Before becoming a security consultant Cernaianu was a "grey hat" hacker who worked under the name TinKode, the sort who sometimes acts illegally in order to alert companies to vulnerable systems.
He received a suspended sentence with damages for attacking the likes of Oracle, Google and the US Department of Defence, after which he started offering his services professionally.
