SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Wednesday, February 26th 2020

SANS ISC Handlers

Tech News, News

🗓️ 26 February 2020

⏱️ 6 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Fraudulent PayPal Charges; New Chrome Release; FIDO2 for Hybrid Azure AD

Transcript

0:00.0

Hello, welcome to the Wednesday, February 26, 2020 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from San Francisco, California.

0:13.9

Yesterday, German tech website Heise reported that some odd fraudulent PayPal charges are hitting users in Germany. While PayPal

0:24.6

initially didn't comment, a security researcher, Markus Fenske, reported to Heise that he reported a security

0:33.9

issue to PayPal that he actually received a bug bounty for, PayPal said they had

0:40.5

fixed, but he believes isn't completely fixed and that's related to virtual credit cards.

0:47.0

Now if you get a credit card from PayPal, PayPal works with MasterCard on that, then you can assign the virtual credit card number to your

0:58.5

Google Pay account.

1:00.1

And this number is supposed to be only useful with Google Pay.

1:04.5

So if it gets compromised, well, the thief cannot use it for anything because it's sort

1:10.7

of linked to your Google Pay account, and it should really be useless.

1:15.4

Now, one issue with these credit card numbers is that, first of all, they apparently can be used with other payment methods.

1:24.1

For example, with Amazon Pay and such, and also the CVV number, the three digits on the

1:30.3

back, are never actually verified with these virtual credit card numbers. So that makes it a little bit

1:37.8

easier to guess them, in particular since the first eight, so the first half of the six digits are fixed for these credit card numbers.

1:48.0

Now the first four to six numbers, they're usually referred to as the BIN or the bank identification numbers,

1:55.0

and they would be linked to PayPal here in this case, but with these virtual credit card numbers, well, PayPal then

2:03.8

fixed a couple additional numbers, so the first eight numbers are always the same.

2:09.6

Also, there is a chance that these virtual credit card numbers leak via NFC from your Android devices if you're using them as part of Android of Google Pay.

2:22.1

So that way they could also potentially be leaking.

2:26.3

Hard to tell what exactly happened here.

2:30.0

PayPal eventually responded to Heise saying that none of their systems here were compromised,

2:36.0

but just brute forcing credit card numbers or that leaking via NFC, of course, that wouldn't

...
