PayPal is used by people worldwide for transferring money and for online transactions, and a loophole has been found in its systems that can double the amount in an account. The loophole is in the PayPal service called ‘Chargeback.’
TinKode (a.k.a. Razvan Cernaianu), an author at cybersmartdefence.com, found the loophole in the PayPal system and doubled $500 to $1000. I know you are curious how this is possible; read below for further details.
eBay’s PayPal is an international e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. It is subject to the US economic sanction list, and subject to other rules and interventions required by US laws or government.
Chargeback is the service provided by PayPal by which you can reverse a payment you made. For example, if you paid a company for a mobile phone and the product is not delivered on time, or you have any other claim related to the product, chargeback gives you the option to have the money you sent returned to your account.
How Tinkode Achieved His Goal to Earn Double
The loophole came to his mind after he saw his PayPal account with a balance of -$50. This was because of a person with whom Tinkode had made a transaction in 2010, who scammed him using the chargeback service. The balance turned to -$50 because Tinkode had transferred all of the money to his real account.
That scam gave Tinkode the idea of doubling a PayPal amount, and he used the same technique to do it.
Tinkode described it in his own words:
So for example, you have 500$ on your account. You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, use the chargeback function from the first account (the real one) to get the money back, with the excuse that the phone did not arrive on time. Paypal will initiate a process where both sides bring evidence for their defence. Obviously you will only send evidence from the first account showing that you were scammed. At the end of the trial the money will be restored to the primary account and the second account will have a negative balance of -500$. This way, you doubled the initial amount of money because you still have 500$ in the third account. As the second account is only a virtual one, it will not have real money from which Paypal can extract. Therefore you are left with 500$ restored by PayPal, and 500$ in your third account.
As Tinkode described above, the double exploit needs three PayPal accounts: one account is the real one (verified with a personal card), and the other two are verified using a VCC or VBA (VCC = Virtual Credit Card / VBA = Virtual Bank Account).
Tinkode alerted PayPal about this issue, and they replied:
Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our Protection Policy. While the abuse described here is possible in our system, repeated abusive behaviour by the same and/or linked account(s) is addressed. Thank you for your participation in our program.
eBay, Inc Bug Bounty Team
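PayPal's reply points to linked accounts as the control. One way a payments team might review a chargeback for the pattern described above is sketched here as an added example; it is not PayPal's logic and not from the original article. The ledger rows, the shared-device linkage signal, the function names and the 72-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real). The device id is a hypothetical
# linkage signal; a real system would use its own account-linking features.
DEVICE = {"A1": "dev-1", "A2": "dev-1", "A3": "dev-1",
          "B1": "dev-7", "S1": "dev-9"}
TRANSFERS = [  # (id, time, sender, receiver, amount, kind)
    ("t1", datetime(2014, 1, 1, 10), "A1", "A2", 500, "purchase"),
    ("t2", datetime(2014, 1, 1, 11), "A2", "A3", 500, "gift"),
    ("t3", datetime(2014, 1, 2, 9), "B1", "S1", 80, "purchase"),
]
DISPUTES = [  # (disputed transfer id, time the chargeback was filed)
    ("t1", datetime(2014, 1, 2, 12)),
    ("t3", datetime(2014, 1, 5, 9)),
]

def linked(a, b):
    """Assumed linkage test: two accounts share a device identifier."""
    return DEVICE[a] == DEVICE[b]

def review_dispute(transfer_id, filed_at, window=timedelta(hours=72)):
    """Return risk reasons for one chargeback; an empty list means none found."""
    by_id = {t[0]: t for t in TRANSFERS}
    _, paid_at, payer, seller, amount, _ = by_id[transfer_id]
    reasons = []
    if linked(payer, seller):
        reasons.append("payer and seller are linked")
    # Money that left the seller between the payment and the dispute.
    onward = [t for t in TRANSFERS
              if t[2] == seller and paid_at <= t[1] <= filed_at
              and t[1] - paid_at <= window]
    if sum(t[4] for t in onward) >= amount:
        reasons.append("seller forwarded the disputed funds before the dispute")
    if any(linked(payer, t[3]) for t in onward):
        reasons.append("forwarded funds reached an account linked to the payer")
    return reasons

def flagged_disputes():
    """Map each disputed transfer id to its reasons, keeping only flagged ones."""
    results = {tid: review_dispute(tid, filed) for tid, filed in DISPUTES}
    return {tid: r for tid, r in results.items() if r}

if __name__ == "__main__":
    for tid, reasons in flagged_disputes().items():
        print(tid, "->", "; ".join(reasons))
```

A dispute that trips these checks would be held for manual review rather than refunded automatically, so the negative balance never lands on an account with no recoverable funds.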