Social Money Scams
11.26.14 · ruby python
Last week, a buddy from b-school texted me about an “exciting new app idea”: P2P lending via Venmo. And while usury is awful, it got me thinking about the API’s Terms of Service and potential hacks. After some googling, I landed on Jaewoong Hwang’s Can you spare me a dollar? project.
As the name implies, CYSMAD asks all your friends to Venmo you a dollar. It’s a fun hack. However, its real purpose is to “creatively misuse an existing API in order to reveal something about the service” (as an academic exercise).
Look at the command line options and you’ll see that Jaewoong has laid the groundwork for Venmo scams thanks to his script’s broad reach (-d), high upside (-c), and malleable messaging.
For example, you could privately ask 5,000 people to donate $5 in order to “save the whales” (and to reduce your exposure, instead of asking your direct friends, ask their friends, their friends’ friends, and their friends’ friends’ friends):
./script.rb -a "private" -l 5000 -Fd 3 -c 5 -n "Let's save the whales, donate $5 today!" -t VENMO_TOKEN
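Seen from the provider's side, a run like the one above has a recognizable shape: one sender, many charge requests, the same amount and note, mostly aimed past the sender's direct friends. The sketch below is an added example, not code from this post or from CYSMAD; the record fields (including a precomputed `hops` friend-graph distance), the thresholds, and the sample data are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ChargeRequest:          # hypothetical provider-side log record
    sender: str
    recipient: str
    amount_cents: int
    note: str
    hops: int                 # assumed friend-graph distance (1 = direct friend)

def normalize(note):
    """Fold case and punctuation so trivially varied notes compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", note.lower()).strip()

def flag_bulk_solicitors(requests, min_requests=20, min_same=0.8, min_beyond=0.5):
    """Flag senders whose requests are templated and mostly leave their friend list."""
    by_sender = defaultdict(list)
    for r in requests:
        by_sender[r.sender].append(r)
    flagged = {}
    for sender, reqs in by_sender.items():
        if len(reqs) < min_requests:
            continue          # too few requests to call it a campaign
        templates = Counter((r.amount_cents, normalize(r.note)) for r in reqs)
        (amount, note), count = templates.most_common(1)[0]
        same = count / len(reqs)
        beyond = sum(r.hops > 1 for r in reqs) / len(reqs)
        if same >= min_same and beyond >= min_beyond:
            flagged[sender] = {"requests": len(reqs), "amount_cents": amount,
                               "note": note, "template_share": same,
                               "beyond_friends_share": beyond}
    return flagged

def sample_requests():
    """Constructed data: one templated campaign, one ordinary user, one low-volume user."""
    note = "Let's save the whales, donate $5 today!"
    bulk = [ChargeRequest("acct_bulk", f"user_{i}", 500,
                          note + ("!" if i % 2 else ""), 1 + i % 4) for i in range(40)]
    normal = [ChargeRequest("acct_roommate", f"friend_{i}", 1200 + 100 * i,
                            f"dinner split {i}", 1) for i in range(25)]
    small = [ChargeRequest("acct_small", f"user_{i}", 500, "coffee", 3) for i in range(5)]
    return bulk + normal + small

if __name__ == "__main__":
    for sender, why in flag_bulk_solicitors(sample_requests()).items():
        print(sender, why)
```

Only the templated sender is flagged; the roommate splitting 25 different dinners with direct friends and the five-request account both pass.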
With great APIs comes great responsibility, and that applies equally to providers, developers, and consumers. So don’t be a dick.