Besides sending money, Venmo also lets you request money from other people.

Venmo responded within 18 days of being notified by disabling the SMS reply-to-pay functionality to prevent such attacks.

How did this vulnerability occur?

Venmo’s flaw could have allowed anyone to use Siri on a locked iPhone to empty your account [Video]

So, how does it work?

The SMS notification is not enabled by default in Venmo.

86753 is a short code owned by Venmo and used for all of its SMS notifications.


Then the attacker sends a payment request to the compromised device.

The maximum amount that can be requested is $299.99, with a weekly limit of $2,999.99.

Venmo then asks the victim to confirm the request.

It does so by sending an SMS containing a one-time payment validation code.

For the payment to go through, the recipient has to text this code back to Venmo.

And voilà, it's done.

Oops, you have just been looted!!!
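As an added illustration (not Venmo's code or the researcher's), here is a hypothetical Python model of the request-to-pay flow described above: the SMS confirmation path only proves possession of the phone's messaging channel, which a lock-screen Siri reply satisfies, whereas disabling reply-to-pay and confirming only from an unlocked, authenticated session closes that path. The class and method names, the `unlocked` flag and the account balances are assumptions; the limits and short code are the ones the article states.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import secrets

PER_REQUEST_CAP = Decimal("299.99")  # per-request limit stated in the article
WEEKLY_CAP = Decimal("2999.99")      # weekly limit stated in the article
SHORT_CODE = "86753"                 # Venmo's SMS short code, from the article

@dataclass
class Account:
    balance: Decimal
    sms_notifications: bool = False  # off by default, as the article notes
    weekly_paid: Decimal = Decimal("0")
    pending: dict = field(default_factory=dict)  # code -> (requester, amount)

def new_account(balance: str, sms_notifications: bool = True) -> Account:
    return Account(Decimal(balance), sms_notifications)

class PaymentService:  # hypothetical model, not Venmo's real code
    def __init__(self, reply_to_pay: bool):
        self.reply_to_pay = reply_to_pay  # the feature Venmo disabled
        self.outbox = []  # (sender, code, text) SMS delivered to the account's phone

    def request_payment(self, target: Account, requester: str, amount: str) -> bool:
        amt = Decimal(amount)
        if amt > PER_REQUEST_CAP or target.weekly_paid + amt > WEEKLY_CAP:
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # one-time validation code
        target.pending[code] = (requester, amt)
        if target.sms_notifications:
            self.outbox.append((SHORT_CODE, code, f"Reply {code} to pay ${amt} to {requester}"))
        return True

    def _settle(self, target: Account, code: str) -> bool:
        req = target.pending.pop(code, None)
        if req is None or target.balance < req[1]:
            return False
        target.balance -= req[1]
        target.weekly_paid += req[1]
        return True

    def confirm_by_sms(self, target: Account, reply_text: str) -> bool:
        # Weak path: anything that can send a text from the phone (Siri on the
        # lock screen included) passes, since only channel possession is checked.
        return self.reply_to_pay and self._settle(target, reply_text.strip())

    def confirm_in_app(self, target: Account, code: str, unlocked: bool) -> bool:
        # Hardened path: confirm only from an authenticated, unlocked session.
        return unlocked and self._settle(target, code)
```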

Below is a demo video of Vigo's attack.

https://youtu.be/2BmN7NCMES4


source: www.techworm.net