Venmo, PayPal’s free digital wallet service, has come up with major service changes that address vulnerabilities as a result of one security researcher’s experience.
Martin Vigo posted the story behind his involvement in the recent patches. It all started from him noticing that, when the wallet was used, the SMS feature kicked in even though it had not been explicitly authorized. The SMS gave him the option to reply with a six-digit code to make a payment to another person using Venmo. Whomever was being given this payment had to re-enter this code for the payment to progress.
iOS Quirks Could Lead to Problems
However, the iOS environment handles SMS messages in multiple ways. For example, Siri can send an SMS message even when a device is locked. This feature is on by default in iOS and became routinely used when the “Hey Siri” modification was added in iOS 9.
There is also a text message preview, which allows users to see in the lock screen who sent a text along with part of the content. This is also enabled by default. Vigo explained that these two features, along with the ability to reply to texts using Siri, allowed him to complete transactions without unlocking the device.
He also found that Venmo had operational problems in how it implemented SMS. Vigo discovered that one can activate the SMS notification service by sending an SMS to 86753 with the word “start.” The number 86753 is a short code owned by Venmo and used for all of its SMS notifications.
What this means was summarized by Softpedia: “Someone could pick up your iPhone, activate the SMS notification settings, ask for a payment from their Venmo account, tell Siri to read the SMS message that was just received, tell Siri to input the payment validation code inside a new SMS, send the SMS and voila — the attacker has just stolen your money.”
Self-Mitigation for Venmo Issues
Let’s say that the user was able to disable Siri in the lock screen as well as the SMS preview feature. All should be OK, right? Wrong.
Vigo thought of another way in: He tried to steal money remotely without access to the targeted user’s device. It involved brute-forcing the six-digit authorization code. But Venmo had already implemented a rate-limiting mechanism allowing users to try only up to five codes every five minutes, SecurityWeek noted.
Further research showed that each charge request had its own authorization code and generating a new request did not invalidate the previous code. An attacker would be able to send multiple requests directed to a single victim (or a single request to multiple victims) in an effort to increase the chances of finding the right authorization code.
Vigo contacted the company, and after some hemming and hawing it pulled the SMS feature from the product in its entirety.
This step by Venmo is in line with NIST’s recent report that depreciates two-factor authentication when done by SMS. The institute found too many conceptual vulnerabilities — not to mention the man-in-the-middle possibilities — to recommend the method.