Social Money Scams

Last week, a buddy from b-school texted me about an “exciting new app idea”: P2P lending via Venmo. And while usury is awful, it got me thinking about the API’s Terms of Service and potential hacks. After some googling, I landed on Jaewoong Hwang’s Can you spare me a dollar? project.

As the name implies, CYSMAD asks all your friends to Venmo you a dollar. It’s a fun hack. However, its real purpose is to “creatively misuse an existing API in order to reveal something about the service” (as an academic exercise).

Look at the command line options and you’ll see that Jaewoong has laid the groundwork for Venmo scams thanks to his script’s broad reach -d, high upside -c, and malleable messaging -t.

For example, you could privately ask 5,000 people to donate $5 in order to “save the whales” — and to reduce your exposure, instead of asking your direct friends, ask their friends, their friends’ friends, and their friends’ friends’ friends:

```bash
./script.rb -a "private" -l 5000 -Fd 3 -c 5 -n "Let's save the whales, donate $5 today!" -t VENMO_TOKEN
```

With great APIs comes great responsibility, and that applies equally to providers, developers, and consumers. So don’t be a dick.
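
Seen from the provider's side, the request pattern described above (high volume, recipients several hops away, one repeated note, private audience) can be checked per sender. The Ruby below is an added example, not code from this post or from CYSMAD; the record fields, thresholds and sample data are constructed assumptions, not Venmo's schema.

```ruby
# Constructed record shape (an assumption, not Venmo's schema):
# distance = hops between sender and recipient in the friend graph.
Request = Struct.new(:sender, :recipient, :amount, :note, :audience, :distance)

# Assumed thresholds; a provider would tune these on real traffic.
LIMITS = { max_requests: 50, max_stranger_ratio: 0.5, max_same_note_ratio: 0.8 }.freeze

# Returns { sender => [reasons] } for senders whose payment requests in
# one time window look like a bulk solicitation campaign.
def flag_bulk_requesters(requests, limits = LIMITS)
  flagged = {}
  requests.group_by(&:sender).each do |sender, reqs|
    total = reqs.size
    next if total <= limits[:max_requests] # volume gate first

    reasons = ["#{total} requests in window"]
    strangers = reqs.count { |r| r.distance > 1 }
    if strangers.fdiv(total) > limits[:max_stranger_ratio]
      reasons << "#{strangers} recipients beyond direct friends"
    end
    # Normalise notes so case and spacing changes still count as the same text.
    notes = reqs.map { |r| r.note.downcase.gsub(/\s+/, " ").strip }
    top_note = notes.group_by(&:itself).values.map(&:size).max
    if top_note.fdiv(total) > limits[:max_same_note_ratio]
      reasons << "same note on #{top_note} requests"
    end
    reasons << "all requests private" if reqs.all? { |r| r.audience == "private" }
    # Volume alone is not flagged; at least one more signal must agree.
    flagged[sender] = reasons if reasons.size > 1
  end
  flagged
end

# Constructed sample data: one bulk sender and one ordinary user.
def sample_requests
  note = "Let's save the whales, donate $5 today!"
  bulk = (1..120).map do |i|
    Request.new("acct_bulk", "user_#{i}", 5, note, "private", 1 + i % 3)
  end
  normal = [
    Request.new("acct_normal", "friend_a", 12, "pizza", "friends", 1),
    Request.new("acct_normal", "friend_b", 30, "concert tix", "friends", 1)
  ]
  bulk + normal
end

if __FILE__ == $PROGRAM_NAME
  flag_bulk_requesters(sample_requests).each { |s, why| puts "#{s}: #{why.join('; ')}" }
end
```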

2017 Neal Shyam