| Author: TinKode a.k.a Razvan Cernaianu @ CyberSmartDefence.com |
| Name  : Safely double your money with PayPal                   |
| Impact: Critical                                               |
| Date  : 11.06.2014                                             |
| Email : info@cybersmartdefence.com                             |

[ Intro ]
In the following lines I will explain to you a method by which you can double the
money in your PayPal account... endlessly. You probably believe that I have found
a web vulnerability of some sort. Unfortunately, it's something much worse.
To be more exact: it's a problem with their TOS.

[ The Story ]
Back in the year 2010 I made a transaction using PayPal with a person who tried
to scam me using the chargeback function. As I never held my money on that PayPal
account, I transferred it to my other (real) account. After a month, when I re-checked
the second PayPal account, I noticed that my account balance was negative: -50$.
That made me wonder a little bit. Why? Because it made me think of a situation
which would later prove to be the perfect method of doubling your money through PayPal services.

[ Reporting ]
I reported the method to PayPal through their Bug Bounty, thinking they would offer
some feedback and take note of it, even though it does not represent a web vulnerability.
But as I expected, their answer was the following (after around one and a half months):

Thank you for your patience while we completed our investigation. After reviewing
your submission we have determined this is not a Bug Bounty issue, but one of our
Protection Policy. While the abuse described here is possible in our system,
repeated abusive behavior by the same and/or linked account(s) is addressed. Thank
you for your participation in our program.

eBay, Inc Bug Bounty Team

Having received such an answer, I consider that there is nothing wrong in making these details public.

[ Proof Of Concept ]
Let's begin. In the first phase, you need three PayPal accounts, as shown in the image below:

One account is the real one (verified with a personal card) and the other two are verified using
a VCC or VBA (VCC = Virtual Credit Card / VBA = Virtual Bank Account).

What is a VCC / VBA?

Virtual credit cards (sometimes called controlled payment numbers) are one service
offered by some banks and credit card companies to help online shoppers protect against
fraud. While they have their disadvantages, they are one of the best online safety
measures currently available.

Read more: http://www.ehow.com/about_7228358_virtual-credit-card_.html

So for example, you have 500$ on your account. You transfer the money to the second account
with the pretext of buying a phone. From the second account you again transfer the money to
the third account as a gift. After 24 hours, use the chargeback function from the first account
(the real one) to get the money back, with the excuse that the phone did not arrive on time.
PayPal will initiate a process where both sides bring evidence for their defence. Obviously
you will only send evidence from the first account showing that you were scammed. At the end
of the trial the money will be restored to the primary account and the second account will
have a negative balance of -500$. This way, you doubled the initial amount of money because
you still have 500$ in the third account. As the second account is only a virtual one, it will
not hold real money that PayPal can recover. Therefore you are left with 500$ restored by
PayPal, and 500$ in your third account.

On a larger scale, with 20 people for example, each with 500$, they would make roughly 10,000$ in 3 weeks.
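From the payment provider's side, the pattern above (a recipient backed only by a virtual instrument that forwards the disputed amount onward within hours, then cannot cover the reversal) is what PayPal's reply refers to as addressing linked accounts. The following is an added example of such a pass-through check, written for this page; it is not PayPal's code, and the account model, the "vcc"/"vba" funding labels, the 48-hour window and the 90% forwarding threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:
    id: str
    funding: str        # assumed labels: "card", "bank", "vcc" or "vba"
    balance: float

@dataclass
class Transfer:
    ts: datetime
    src: str
    dst: str
    amount: float

def passthrough_hold(accounts, transfers, claimant, respondent, dispute_ts,
                     window=timedelta(hours=48), fwd_ratio=0.9):
    """Return the accounts whose incoming funds should be held when `claimant`
    disputes payments made to `respondent`. Flags the case where the respondent
    is backed only by a virtual instrument, forwarded most of the money onward
    within `window` of receiving it, and has no balance left to recover from."""
    received = [t for t in transfers
                if t.src == claimant and t.dst == respondent and t.ts <= dispute_ts]
    if not received:
        return []
    total_in = sum(t.amount for t in received)
    first_in = min(t.ts for t in received)
    cutoff = min(first_in + window, dispute_ts)
    forwarded = [t for t in transfers
                 if t.src == respondent and first_in <= t.ts <= cutoff]
    total_out = sum(t.amount for t in forwarded)
    acct = accounts[respondent]
    if (acct.funding in ("vcc", "vba") and total_out >= fwd_ratio * total_in
            and acct.balance < total_in):
        return sorted({t.dst for t in forwarded})
    return []

# Constructed sample ledger (not real data): the chain A -> B -> C from the
# advisory, followed by A disputing the payment to B after 24 hours.
T0 = datetime(2014, 6, 11, 10, 0)
ACCOUNTS = {"A": Account("A", "card", 0.0),
            "B": Account("B", "vcc", 0.0),
            "C": Account("C", "vba", 500.0)}
TRANSFERS = [Transfer(T0, "A", "B", 500.0),
             Transfer(T0 + timedelta(hours=1), "B", "C", 500.0)]

def demo():
    return passthrough_hold(ACCOUNTS, TRANSFERS, "A", "B", T0 + timedelta(hours=24))

if __name__ == "__main__":
    print(demo())   # ['C']
```

A hold on account C pending the dispute is the mitigation the check enables; a recipient that simply keeps the funds, or one backed by a real bank account, is not flagged.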

Note: For professional Cyber Security Consultancy do not hesitate to contact us at info@CyberSmartDefence.com