You can double your money by bilking PayPal with a loophole in its terms of service, according to a Romanian man convicted in 2012 of temporarily blocking the systems of the US Army, Pentagon and NASA.
Cernăianu Manole Răzvan, who has published under his hacker handle TinKode in the past, was released a few months after Romanian law nabbed him.
He was fined €93,000 (about $120,000 or £112,000 at the time) to cover the costs suffered by his breached victims, and he was given a two-year suspended prison sentence.
Well, that time’s up at this point.
He’s now working at CyberSmartDefence.com, whose site says it originated from a web development company incorporated in Romania in 2004.
Let’s make one thing clear before we even get into the details: Cernăianu’s method of cheating PayPal to get double your money back consists of fraud.
Essentially, any crook who wants to do this needs three PayPal accounts: one as a legitimate buyer, a second, disposable account as a fraudulent seller, and a third as a mule.
The latter two accounts are linked to virtual credit cards – a service offered by some banks and credit card companies to help online shoppers protect themselves against fraud, ironically enough.
A fraudster starts with an amount in the first account, supposedly purchases something from the bogus seller account and transfers the money there, and then issues a “gift” payment to move the money on to the third account.
I’m not going to link to Cernăianu’s site, in spite of PayPal’s assurances that they’re on top of the situation.
I don’t want anybody to get encouraged by Cernăianu’s promise that this is “safe”.
If you give it a go, you’re committing a crime, and the police could well come knocking on your door very soon after.
But at any rate, here’s what Cernăianu had to say about “safely” doubling your money with PayPal:
You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, you use the chargeback function from the first account to get the money back with the excuse that the phone did not arrive on time.
OK, so first, you lie about there being a phone to buy, then you lie about being a seller with a phone to sell. Got it. What comes next in this lie-fest?
Well, then you lie again and say you never got your fictional phone, he says:
Paypal will initiate a process where both sides bring evidence for their defence. Obviously you will only send evidence from the first account showing that you were scammed.
Obviously! Can’t send evidence of having sent a fictional phone, after all.
PayPal will refund the first account, and the money will be in the third, “gifted” account, so you double your money.
Enjoy it while you can.
Although this loophole is not a web vulnerability, Cernăianu brought it to PayPal’s attention through its Bug Bounty program, thinking he’d get some feedback, he said.
This is the reply he received after one and a half months:
Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our Protection Policy. While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed. Thank you for your participation in our program.
As many have pointed out, PayPal’s statement addressed repeat offenders, but it said nothing about widespread, one-off acts of fraud.
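To make that gap concrete, here is an added example (not code from the article, from PayPal or from Cernăianu) of how a payment platform’s fraud team could flag the one-off pattern from its own ledger: a purchase, the seller forwarding roughly the same amount as a gift within a short window, and then a chargeback on the original purchase. One occurrence is enough to raise an alert, so it does not depend on an account having offended before. The `Txn` record layout, the account names, the timestamps and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    """One ledger entry (constructed schema, not PayPal's)."""
    txn_id: str
    ts: datetime
    kind: str          # "purchase", "gift" or "chargeback"
    src: str           # account the money leaves
    dst: str           # account the money reaches
    amount: float
    ref: str = ""      # chargebacks only: id of the disputed purchase


def find_gift_forward_chargebacks(txns, forward_window=timedelta(hours=48),
                                  amount_tolerance=0.05):
    """Flag chargebacks whose disputed purchase was forwarded on as a gift.

    Pattern: buyer pays seller, seller gifts (roughly) the same amount to a
    third account within `forward_window`, then the buyer disputes the
    purchase. A single instance raises an alert, so this catches one-off
    abuse rather than only repeat offenders.
    """
    by_id = {t.txn_id: t for t in txns}
    gifts_sent = defaultdict(list)          # seller account -> gifts it issued
    for t in txns:
        if t.kind == "gift":
            gifts_sent[t.src].append(t)

    alerts = []
    for cb in sorted(txns, key=lambda t: t.ts):
        if cb.kind != "chargeback":
            continue
        purchase = by_id.get(cb.ref)
        if purchase is None or purchase.kind != "purchase":
            continue
        for gift in gifts_sent[purchase.dst]:
            # The gift must fall between the purchase and the dispute, and
            # soon after the purchase; ordinary sellers rarely forward a
            # customer's payment as a gift within hours of receiving it.
            forwarded_quickly = (purchase.ts <= gift.ts <= cb.ts
                                 and gift.ts - purchase.ts <= forward_window)
            same_money = abs(gift.amount - purchase.amount) <= amount_tolerance * purchase.amount
            if forwarded_quickly and same_money:
                alerts.append({
                    "chargeback": cb.txn_id,
                    "purchase": purchase.txn_id,
                    "gift": gift.txn_id,
                    "buyer": purchase.src,
                    "seller": purchase.dst,
                    "recipient": gift.dst,
                    "hours_to_forward": (gift.ts - purchase.ts).total_seconds() / 3600,
                    "hours_to_dispute": (cb.ts - purchase.ts).total_seconds() / 3600,
                })
    return alerts


# Constructed ledger: one abusive triangle (acct_A -> acct_B -> acct_C) and
# one ordinary dispute where the seller only sent an unrelated small gift.
T0 = datetime(2014, 3, 1, 9, 0)
SAMPLE_LEDGER = [
    Txn("p1", T0, "purchase", "acct_A", "acct_B", 500.0),
    Txn("g1", T0 + timedelta(hours=2), "gift", "acct_B", "acct_C", 500.0),
    Txn("c1", T0 + timedelta(hours=25), "chargeback", "acct_B", "acct_A", 500.0, ref="p1"),
    Txn("p2", T0, "purchase", "acct_D", "acct_E", 200.0),
    Txn("g2", T0 + timedelta(hours=3), "gift", "acct_E", "acct_F", 20.0),
    Txn("c2", T0 + timedelta(hours=30), "chargeback", "acct_E", "acct_D", 200.0, ref="p2"),
]

if __name__ == "__main__":
    for alert in find_gift_forward_chargebacks(SAMPLE_LEDGER):
        print(alert)
```

Run against the constructed ledger, only the `acct_A` dispute is flagged; the `acct_D` dispute is not, because the seller’s gift bears no relation to the purchase amount. The alert carries the three accounts in the triangle, which is what a reviewer needs to hold the refund until the `acct_C` side is examined. One mitigation this points at, delaying a seller’s ability to forward freshly received funds until the buyer’s dispute window has closed, is a platform design choice suggested here and not something the article attributes to PayPal.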
PayPal assures me that it’s aware of Cernăianu’s claims and works hard to keep money in its coffers and to prosecute those who come after it.
The statement I received from a PayPal spokesperson:
PayPal is aware of reports being made by a security researcher about a way to potentially commit fraud on the PayPal system. This report is not related to a bug or vulnerability in the PayPal system, but is a claim to have found a means to commit fraud, which is a crime. PayPal employs multiple fraud prevention measures, so in the majority of cases attempts to commit fraud are usually caught before the money ever leaves the PayPal system. PayPal also dedicates significant resources to combat the use of our secure payment platform for illegal activities and works collaboratively with law enforcement agencies around the world to support both the detection of crime and the conviction of criminals.
I wrote to CyberSmartDefence to see if they could offer further comment. I will update the story if I hear back.
But seriously, kids, don’t try this at home.
It’s fraud. It’s illegal.
Neither PayPal nor the police will look kindly on anybody who pulls the scam, regardless of it being published by a researcher who works for a security firm.