You can double your money by bilking PayPal with a loophole in its terms of service, according to a Romanian man convicted in 2012 of temporarily blocking the systems of the US Army, Pentagon and NASA.
Cernăianu Manole Răzvan, who has published under his hacker handle TinKode in the past, was released a few months after Romanian law nabbed him.
He was fined €93,000 (about $120,000 or £112,000 at the time) to cover the costs suffered by his breached victims, and he was given a two-year suspended prison sentence.
Well, that time’s up at this point.
He’s now working at CyberSmartDefence.com, whose site says it originated from a web development company incorporated in Romania in 2004.
Let’s make one thing clear before we even get into the details: Cernăianu’s method of cheating PayPal to get double your money back consists of fraud.
Essentially, whichever crook wants to do this needs three PayPal accounts: one as a legitimate buyer, another disposable account as a fraudulent seller, and the third as a mule.
The latter two accounts link to virtual credit cards – a service offered by some banks and credit card companies to help online shoppers protect against fraud, ironically enough.
A fraudster starts with an amount in their first account, allegedly purchases from the bogus seller account and transfers the money there, and then issues a “gift” payment to transfer the money to this third account.
I’m not going to link to Cernăianu’s site, in spite of PayPal’s assurances that they’re on top of the situation.
I don’t want anybody to get encouraged by Cernăianu’s promise that this is “safe”.
If you give it a go, you’re committing a crime, and the police could well come knocking on your door very soon after.
But at any rate, here’s what Cernăianu had to say about “safely” doubling your money with PayPal:
You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, you use the chargeback function from the first account to get the money back with the excuse that the phone did not arrive on time.
OK, so first, you lie about there being a phone to buy, then you lie about being a seller with a phone to sell. Got it. What comes next in this lie-fest?
Well, then you lie again and say you never got your fictional phone, he says:
Paypal will initiate a process where both sides bring evidence for their defence. Obviously you will only send evidence from the first account showing that you were scammed.
Obviously! Can’t send evidence of having sent a fictional phone, after all.
PayPal will refund the first account, and the money will be in the third, “gifted” account, so you double your money.
Enjoy it while you can.
In spite of this loophole not being a web vulnerability, Cernăianu brought it to PayPal’s attention through its Bug Bounty program, thinking he’d get some feedback, he said.
This is the reply he received after one and a half months:
Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our Protection Policy. While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed. Thank you for your participation in our program.
As many have pointed out, PayPal’s statement addressed repeat offenders, but it didn’t have anything to say about widespread, one-off acts of fraud.
PayPal assures me that it’s aware of Cernăianu’s claims and works hard to keep money in its coffers and to prosecute those who come after it.
The statement I received from a PayPal spokesperson:
PayPal is aware of reports being made by a security researcher about a way to potentially commit fraud on the PayPal system. This report is not related to a bug or vulnerability in the PayPal system, but is a claim to have found a means to commit fraud, which is a crime. PayPal employs multiple fraud prevention measures, so in the majority of cases attempts to commit fraud are usually caught before the money ever leaves the PayPal system. PayPal also dedicates significant resources to combat the use of our secure payment platform for illegal activities and works collaboratively with law enforcement agencies around the world to support both the detection of crime and the conviction of criminals.
I wrote to CyberSmartDefence to see if they could offer further comment. I will update the story if I hear back.
But seriously, kids, don’t try this at home.
It’s fraud. It’s illegal.
Neither PayPal nor the police will look kindly on anybody who pulls the scam, regardless of it being published by a researcher who works for a security firm.
Image of piggy banks courtesy of Shutterstock.
Banks should work a little harder to keep fraud at bay.
And really don’t do it now it’s been published!
PayPal will be keeping an even closer eye on it, and it’s all too easy to link all the accounts back to you.
Not that Sophos readers are silly enough to try that. 🙂
I cannot see how this works. PayPal will not refund a transaction if the seller has no money in their PayPal account. I know because I bought an item which I never received. After initiating a dispute PayPal found in my favour but refused to refund me as the seller had no money in their PayPal account!
Actually, as far as I know they’ve implemented a measure whereby, if the seller receives a chargeback and they have no money in their PayPal account, the seller’s balance goes into the red and they cannot use their account until the outstanding debt is paid.
I can confirm this. Sold an old guitar on eBay a while ago, and months after I had spent the money in the account, I got a notification that my account was in the negatives because the buyer had initiated a chargeback with the credit card company. PayPal refused to do anything, and I was out the guitar and had debt collectors harassing me for my -$400 balance.
PayPal isn’t very good at deciding where their policies should be implemented. It seems like their policies are shaped to expect the worst of sellers and innocence of buyers.
A dispute won’t trigger it. That’s between you and the seller.
This scam works by using the chargeback process. Chargeback is a not-well-advertised method of resolving disputes between cardholders and sellers. It’s done through the credit card company, not through the seller.
There are quite a few restrictions (like you have to say you tried to contact the seller), but it could work in cases like this if the scammer is willing to lie (again).
Search for “chargeback” on the Internet to learn more. Neither the credit card companies nor sellers will tell you about this unless you bring it up. It’s a requirement under US federal law, but it’s not well-known and information about it is never volunteered.
And it is likely a Class C Felony under U.S. law (wire fraud), meaning you would be subject to imprisonment for up to 20 years and/or a fine of up to $250,000 USD.
Fishing for traffic with this sort of post and title when you are writing for a security company is unbecoming. Don’t ruin your credibility for the sake of traffic.
I have to assume this would be a person to person purchase and not through something like eBay. PayPal already puts funds into a pending status until the item has been delivered and no negative feedback has been issued. That is until you’ve sold 25 or more items, and have sold over $250 worth of merchandise.
I think anyone who has a store that uses PayPal knows how much of a despicable company they really are. Their “fraud prevention” is a complete joke.
They don’t care at all about protecting transactions, they just want the small fee you pay to “protect yourself from fraud.”
The easiest and almost guaranteed way to steal from sellers is by paying with direct deposit then going to your bank and claiming someone else used your PayPal account. PayPal will simply allow the reversal, charge the seller and either force them to provide mountains of evidence that they shipped the item or to just claim responsibility and suffer their losses. If they can prove the item was shipped then they might get refunded by PayPal, but I’ve almost never heard of this happening.
There is literally no way to dispute bank reversals and if you go to the police they’ll tell you to deal with it through a civil trial. PayPal could not care less about fair transactions and doing what they promise.
Best of all, they offer an iOS credit card reader to accept PayPal purchases in person. What they don’t tell you is that your customer can simply file a chargeback and win with almost 100% success. PayPal even says their seller protection is only for physically shipped items, not in-person transactions or purchases of digital goods (i.e. buying a song on iTunes).
So word of advice for everyone: avoid PayPal. As far as sellers are concerned, the brand recognition of PayPal is not worth the losses you’ll suffer from fraudulent buyer complaints.
This has been a common “Scam” as far back as 2004 and probably even earlier using eBay/PayPal. A Vicar in Nottingham tried it on me once and some relatives in Canada lost a lot of money to a German scammer. Fortunately I used to live in the German town where he operated and sent some “friends” round…..got almost all the money back.
How did you manage to contact PayPal? I have tried; all they do is ignore me, or I get dumped by their system.
I sent money as a gift to a friend. The reply from PayPal to me was that it would be there in a day, yet they refused to give it; they presumed it was a buyer-to-seller relationship. The response to the receiver was: did not send the goods – they do not sell anything; it was impossible to receive the money – did not receive the money. They expected answers to some questions, yet would not allow that information to be sent. The only way to solve the problem was to have the money returned – finally they did. They only allow or notice what they like to do.
Since January I have had this money stuck there; I cannot use it to buy or send to my bank account. They expect my bank account information, yet once again they refuse to let me send the information they ask for.
I was buying things for years with my bank card; then when someone cheated me (misleading product) I asked to get my money back. I had to answer questions for nearly a month, then finally they sent me a sticker to mail it to the seller, yet they sent it to the wrong person, therefore they sent the money after I proved it was undeliverable – the tracking number. Then the package came back as undeliverable, so now I have both – this misstated item and the money – and the seller disappeared.
I sent them information and received it at my email address, yet they only want information about my email address – when it’s on file there and they sent some email to that address.
Now at eBay they keep trying to get me to buy things there; the email says I will miss out on this “great offer”, and they do this on Facebook too. It’s impossible: they do not allow me to buy there if I was interested, as it says only if I use a different credit card.
1. The title was chosen to realize the impact of the story…
2. Everyone knows that it’s purely illegal, but the information must be free for anybody, not a privilege. Who said that it was made public to encourage others to commit fraud?
3. I think that Razvan made this story public because he didn’t get a good answer from PayPal… Why do I say this? Because the “fraud prevention” is bullsh…, as another guy said above. They make money from this kind of transaction.
4. We can learn many things from it, finally. And by the way, maybe PayPal will stop this kind of fraud.
Note: Why in the US, UK, etc. can PayPal accounts be verified instantly with any bank account / credit card without a first transaction between PayPal and the bank account being necessary? Because someone wants this s..t for other things.
“regardless of it being published by a researcher who works for a security firm.” – Yes, he wants to change something.
***OBVIOUSLY*** the post left by “Doesn’t matter” is 100% on target; it is the only one that makes complete sense… The other posts are either partly goofy or complete BS… People need to sharpen their ability to ‘read between the lines’.