Save over 40% when you secure your tickets today to TNW Conference 💥 Prices will increase on November 22 →

This article was published on August 2, 2016

Thanks to Siri, hackers could have drained your Venmo account in minutes


Thanks to Siri, hackers could have drained your Venmo account in minutes

Venmo is a PayPal-owned money transfer app that’s soared in popularity recently, as it allows you to settle bills and pay friends with just a couple of taps. In addition to sending money, you can request that people pay you.

And until recently, anyone could drain a Venmo account on a locked iPhone, just by using Siri. Awkward.

The flaw was discovered by Martin Vigo, a product security engineer for SalesForce. It takes advantage of the fact that iOS lets you perform a limited array of actions, like sending text messages and initiating phone calls, without actually having to unlock the phone with a PIN number or fingerprint.

In this scenario, an attacker would tell Siri to send a text message to 86753 saying “START”. This enables the Venmo SMS service. Then, the attacker has to issue a request for payment to the compromised device. The maximum amount that can be requested is $299.99, with a weekly limit of $2,999.99.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Venmo will then ask the victim to confirm the request. It will do that by sending an SMS with a one-time code. The recipient has to text this back to Venmo in order for the payment to go through. But the attacker can do that by asking Siri to read the last message received, making a note of the number, and then telling Siri to send a text back to the Venmo shortcode with it.

To Venmo’s credit, the problem was fixed within 18 days of being notified by Vigo. This meant killing the “reply-to-pay” function. While this will undoubtedly inconvenience those using the service on feature phones and other unsupported platforms, there was apparently no secure way to keep it.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with