October 15, 2019
ICX Card Issuer Summit Report Out – October 2019 Chicago IL
On October 1st, a group of leading professionals from the…
LAS VEGAS–Mobile payments services have become a popular choice for consumers, but security researchers have been finding plenty of vulnerabilities in them, and Venmo is the latest one to take a hit.
A researcher was able to uncover a number of weaknesses in the Venmo mobile payment system recently, some of which enabled him to steal money from users, regardless of whether their devices were locked or open. The vulnerabilities have to do with the way that the system handles SMS notifications, and, combined with Siri commands and other methods, the flaws allow an attacker to force a victim to make a payment through the Venmo app.
Venmo is a service owned by PayPal, and it allows users to send money to one another and also to make payments to outside services. One of the app’s features is that it allows one user to “charge” other users for something, which results in an SMS notification being sent to the person who was charged. When that occurs, the recipient can reply to the SMS with a six-digit code that was sent in the original message, which completes the payment.
Security researcher Martin Vigo, who uses Venmo, noticed the SMS notifications for charges and thought about the fact that he didn’t have to authenticate to the service before replying to the message authorizing the payment. So he began looking at the way that the app handled notifications and how he might be able to mess with that process through Siri.
“I remembered that you can use Siri to send SMS when your device is locked. It is worth noting that this feature is on by default and became especially popular when the ‘Hey Siri’ feature was added in iOS 9,” Vigo wrote in a post explaining the bugs.
The SMS notification is not enabled by default in Venmo.
“Now that we know we can send SMS on locked devices, we need the code present in the SMS in order to reply and make the payment. Apple introduced the ‘Text Message Preview’ which allows you too see in the lock screen who sent you a text and part of the content. This is also on by default. If we combine these two, I am able to see the SMS with the code and can reply using Siri. All this without unlocking the device. All this out of the box.”
The SMS notification is not enabled by default in Venmo, Vigo said, so he tried to find a method to turn it on. It didn’t take long before he noticed that each SMS response from Venmo included a line that told him to text the command “STOP” to disable notifications. If that worked, why not try sending the command “START” to turn them on?
“You can activate the SMS notification service by sending an SMS to 86753 with the word ‘Start’. 86753 is a short code number owned by Venmo and used for all the SMS notifications. Now, I am able to activate Venmo’s SMS notification service, ask Siri to tell me the secret code and reply to make the payment. All that without unlocking the device!” he wrote.
In an email, Vigo said users might notice an email from Venmo about a payment, but by then the attack has already succeeded.
“When it comes to the Siri attack, the victim will usually receive an email that a payment was made. By then is already to late though,” he wrote.
The attack that Vigo devised isn’t entirely reliant on issues with Venmo’s app. Some of the problems have to do with the way that iPhones display texts and how Siri handles voice commands. An iPhone will display several lines of an incoming text message on the lock screen, which can include the short code that Venmo, or many other apps, send to users.
Vigo said that with the payment limits set up in Venmo an attacker could steal nearly $3,000 a day with his attack before it was patched. Vigo reported the flaws to Venmo in June and the company deployed fixes for them by mid-July.
Vigo also discovered a method that could possibly allow him to send the same payment request to as many as a million Venmo users at the same time.
“These attacks are theoretical and I did not try them. Venmo payments are known to be monitored and the last thing I want is someone knocking at my door asking why so many people owes me money,” Vigo said.
The methods Vigo described need physical access to the device, but he also found a way to exploit the bugs by brute-forcing the short code Venmo sends to users. He charged his own account, for the short code, and then began to reply with incorrect codes. Rather than canceling the payment, Venmo sent him a message saying he would have to wait to try again.
“Anyway, the point is, after 5 tries I had to wait about 5 minutes till I could try another 5 times. The codes are six digits long so we have 1 million possibilities and we can try 5 codes every 5 minutes. Do the math. Possible but not feasible,” Vigo said.