A few days ago, she received a notification message from Google that her “newly launched ad” was doing great. She immediately called her bank and cancelled her credit card. I logged into her account and discovered that 2 separate Ads accounts had been started with 2 campaigns each. I stopped all campaigns and cancelled the accounts. The accounts still exist when one enters the Ads interface, but they have a “cancelled” subtitle. I contacted Google’s Ads support regarding the issue and described the scenario. They responded in a day, saying that they had noticed a suspicious login on the Google account and that I should secure the account. I had already changed the account’s password by then, and 2-factor authentication had been enabled for a long time before the incident. Nothing like what “they noticed” was reflected in the Google account’s login locations, devices or logs, and my mother had not been asked to confirm a 2-factor authentication prompt in a long while. I double-checked with her to see if she understands what 2-step auth is and why we do it, and to my relief she handled the questions flawlessly; she'd never give any of the temporary info to a third party for any reason. Google, though, claimed that the situation indeed seemed fraudulent and that I should contact my bank to settle the issue with the money.
I immediately felt weird about the handling of this on their end. For one, my mother's credit card was already disabled by the bank, and I had just informed them of that fact. This meant that whatever had already been "charged" to the card had nowhere to "go back to" if they were to issue a refund. The other important thing I had just realised was that they literally approved not one but TWO new Ads accounts to start billing a saved Google Pay card without ANY request for the CVC number or ANY 2-factor authentication. Even if someone had used my mother's devices (which they did not; the network is monitored and I checked the devices myself), they should have been stopped by 1) the legal requirement for any bank transaction to request the CVC of the card and 2) the security requirement of 2-step authentication that Google imposes on its users.
Both of these steps were skipped in whatever triggered the opening of those two recurring-billing Ads agreements. Without a professional legal background under my belt, this feels quite illegal, as the CVC request at least is something Google ought to obey in order to do business legally with Mastercard and the bank that issued the card to my mother.
In a second attempt to convey my thoughts to them, they only replied with the boilerplate steps to secure my account and to contact the bank to settle this... So now my mother is at the mercy of the bank, I guess(?)
Be warned... unsave your cards from Google Pay, because Google does not require a CVC or 2-step authentication to start charging you in a service that scales up immensely.
As a security expert, after checking my mother’s understanding of auth procedures, I believe the issue was on Google’s side and a possible vulnerability. I don’t know how or what did it, but I saw similar unresolved stories on Google community questions.
Google. CVC. Ask for it. Every time.
Cheers and sorry for the long read hackers!
tl;dr Google pulls money off of saved Pay cards without requesting a CVC or 2-step auth.