1) it was made via Google Pay 2) Google Pay is secure and cannot be hacked because it requires physical device authorization.
The issue I'm curious about - what could be the path the hacker used to make the payment?
This is not a issue of getting hold of the debit card number number/CVV, which is of course possible. The transaction was made via Google Pay. To be authorized, it would require either physical access to my mobile (obviously, I was not present in Sao Paolo today). Or this would require a physical login into my browser (Chrome). Which would require authorizing login from a new device, from new location etc. (and I did not get any warnings about that in my email).
Needless to say, I was not involved in fraudulent transaction at all: no SMS codes, no calls, no requests to authorize anything etc.
I am genuinely puzzled how could such an authorized Google Pay transaction happen and how can anyone protect themselves against attacks like this.