14 July 2013

Money Stolen from DBS Bank Account Via PayPal


Based on her article, Chanise holds a DBS debit card and has an iBanking account, so every transaction she makes should require Two-Factor Authentication (2FA). The problem is that transactions made through PayPal involve no 2FA at all: anybody can add a new debit or credit card to a PayPal account and start paying with it. You may argue that an unverified PayPal account has a sending limit, and that is true, but confirming your debit or credit card is not the only way to get verified; adding a bank account also grants verified status, which removes all limits.

As for the limit itself, according to this FAQ the sending limit (buying limit) for an unverified account is USD2000:

PayPal Send Limit USD2000

That means an attacker can steal up to USD2000 before hitting the limit.

So what exactly happened in Chanise's case?

Hence I rushed back home immediately to login to my ibanking account and found out that there were 2 pending transactions made to AirAsia of amount $797.79 and PayPal $1 without my knowledge.

The PayPal $1 is the USD1.00 that PayPal charges when a card is added; in her case it would have been for adding Chanise's debit card to the attacker's PayPal account. This is simply a card validity check on PayPal's part to make sure the card added is valid.

USD1.00 PayPal Card Validity Check

I ran a test, since I had recently changed my debit card and had not yet updated it in my PayPal account, to see whether what I'm saying is correct. I removed my old card from PayPal, so the screenshot shows only one card, and that is my new card.

Added my new debit card

As you can see, there is a Confirm My Card link under Action. I added the card but did not confirm it, because there was no need to: my account is still Verified. My bank account is still linked to my PayPal account, with no change to that.

My PayPal is linked to my bank account

My PayPal is still verified

This proves that I can maintain verified status with just a bank account. After adding my new card, all I received was an SMS saying:

The 1st txn on your DBS Card ending XXXX was USD1.00, PAYPAL XXXXXXXXXX SGP on 14 JUL 14:30 SG time. If you did not use the card, pls call +65 6327 2265.

The next thing I did was check my iBanking account:

PayPal charged USD1.00 to my debit card

This proves that PayPal can charge my debit card without 2FA, i.e. in Chanise's case without her control. If I were the attacker, I could now make payments using Chanise's debit card, since in PayPal's view the card is valid and ready for use.

This is a major loophole and I can understand why people are losing confidence. I think DBS should make 2FA compulsory for any transaction charged to a card, be it a debit or a credit card. It really puzzles me why transactions from PayPal can go through without the user's control; it defeats the purpose of 2FA.

What we can do to protect ourselves is this: from what I know, PayPal allows a given debit or credit card to be linked to only one PayPal account. That means that if you link your debit or credit card to your own PayPal account, an attacker will not be able to link it to theirs and abuse it, provided of course that you have a PayPal account.

As for the cost of linking a card, it is actually free. PayPal charges USD1.00 (validation) and SGD3.00 (card confirmation code) to your debit or credit card for the linking; the USD1.00 is reversed within a few days, depending on the bank, and the money goes back to your bank account, while the SGD3.00 is refunded to your PayPal account within 24 hours.

By the way, I have since confirmed my debit card, so if you have a PayPal account, please do the same for your own safety. If you don't have a PayPal account, try not to keep too much money in the bank account behind the card, and make sure you log in to iBanking daily to check your transactions.
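One way to act on that daily-check advice, written here as an added example and not code from the original post: a small monitor that parses DBS alert SMSes in the format quoted above, treats a USD1.00 PAYPAL charge as evidence that the card was just linked to some PayPal account, flags it when the cardholder did not link that card themselves, and tallies the other PayPal spend on the card. The sample alerts, card digits and merchant names are constructed, and the wording of the non-first "A txn on your DBS Card" alert is an assumption made by analogy with the quoted one.

```python
import re
from typing import Dict, List, Set

# Constructed sample alerts in the format of the DBS SMS quoted in the post.
# Card digits and merchant ids are placeholders; the second alert is an
# assumed follow-up alert written by analogy with the quoted "1st txn" one.
SAMPLE_ALERTS = [
    "The 1st txn on your DBS Card ending 1234 was USD1.00, PAYPAL XXXXXXXXXX SGP "
    "on 14 JUL 14:30 SG time. If you did not use the card, pls call +65 6327 2265.",
    "A txn on your DBS Card ending 1234 was USD350.00, PAYPAL *SHOP SGP "
    "on 15 JUL 09:10 SG time. If you did not use the card, pls call +65 6327 2265.",
    "The 1st txn on your DBS Card ending 5678 was USD1.00, PAYPAL XXXXXXXXXX SGP "
    "on 14 JUL 14:35 SG time. If you did not use the card, pls call +65 6327 2265.",
]

# Transaction fields of the alert; the "1st txn" prefix and the tail are ignored.
ALERT_RE = re.compile(
    r"txn on your DBS Card ending (?P<last4>\d{4}) was "
    r"(?P<ccy>[A-Z]{3})(?P<amt>\d+(?:\.\d{2})?), (?P<merchant>.+?) on "
    r"(?P<when>\d{1,2} [A-Z]{3} \d{2}:\d{2})"
)

def parse_alert(sms: str) -> dict:
    """Turn one alert SMS into a transaction record."""
    m = ALERT_RE.search(sms)
    if m is None:
        raise ValueError(f"unrecognised alert: {sms!r}")
    rec = m.groupdict()
    rec["amt"] = float(rec["amt"])
    return rec

def is_paypal_validation(t: dict) -> bool:
    """PayPal's USD1.00 validity check: the card was just added to some PayPal
    account, the cardholder's own or somebody else's."""
    return t["merchant"].startswith("PAYPAL") and t["ccy"] == "USD" and t["amt"] == 1.0

def review_alerts(alerts: List[str], cards_linked_by_owner: Set[str]) -> Dict[str, dict]:
    """Per card: flag a validation charge the owner did not trigger, and tally
    the other USD PayPal charges seen on that card."""
    findings: Dict[str, dict] = {}
    for sms in alerts:
        t = parse_alert(sms)
        f = findings.setdefault(t["last4"], {"unexpected_link": False, "paypal_spend_usd": 0.0})
        if is_paypal_validation(t):
            f["unexpected_link"] = t["last4"] not in cards_linked_by_owner
        elif t["merchant"].startswith("PAYPAL") and t["ccy"] == "USD":
            f["paypal_spend_usd"] += t["amt"]
    return findings
```

Feed it the alerts as they arrive and the set of card endings you linked yourself; a validation charge on any other card is the moment to call the bank, before the spend that follows it.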
