As Slate initially reported, Venmo – a mobile payment service – lacks some essential security safeguards against unauthorized account access, in particular two-factor authentication and sending users a notification when their password is changed.
The Venmo app allows people on the service to send payments to each other’s Venmo accounts, which are linked to their bank accounts or a debit card.
Owned by the payment giant PayPal, Venmo is still small – with about 1.5 million users – but growing fast.
The company’s rapid growth is perhaps outpacing its capacity to handle these concerns.
Venmo is especially popular among young people, who use the app in lieu of cash for things like splitting restaurant tabs and taxi fares, paying rent, and other transactions between friends.
If you want to pay your roommate back for buying beer last night, you send an electronic payment with a description of what it’s for, and they’ll instantly receive the payment.
Increasing its appeal with millennials, Venmo is also a social network – others on the service can see or comment on your transactions unless you set transactions to private (seen by only you and the other party) or “friends only.”
A website called Vicemo takes advantage of this social aspect to stream transaction messages containing keywords related to “drugs, booze and sex.”
Turning a payment app into a social network carries some risk, however, beyond the fact that anyone might find out you charged your friend for beer or perhaps something more sinful (or illegal).
Three MIT students noted some potential security concerns with the socially networked payment app in a paper published last May – arguing that because Venmo allows any user to send payment requests to any other user, it is vulnerable to social engineering attacks in which an attacker poses as a friend.
Venmo’s (in)attention to detail has come under regulatory scrutiny too – the California Department of Business Oversight last July demanded a response from Venmo about more than 20 unsafe practices, the New York Times reported.
Among the issues identified by the California regulators was the absence of a “compliance system for active suspicious activity monitoring.”
Part of that system, we hope, would include sending alerts to customers about suspicious activity on their accounts.
Chris Grey, a 30-year-old New Yorker, told Slate that he found out his Venmo and bank accounts had been debited $2850 after he was notified of a large transaction – not by Venmo, but by his bank.
The fraudster who gained access to Grey’s Venmo account changed his password and added a new email address and mobile device to the account, but Grey didn’t receive notifications about any of those changes.
Grey also didn’t have much luck getting customer support in a timely manner – according to Slate, he didn’t get a response from Venmo until a day and a half after reporting fraud on his account.
Despite handling billions of dollars in financial transactions, the company doesn’t have a customer support line, just an email address and Twitter account.
Although Grey disputed the charges with his bank and was eventually credited the money back, what he discovered about Venmo’s security protocols caused him – unsurprisingly – to quit Venmo.
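The takeover sequence Grey described (password changed, new email and device added, then a large outgoing payment, with no notice to the account holder) is exactly what the "suspicious activity monitoring" the regulators asked about should catch. The following is an added illustration, not Venmo's code or data: a hypothetical event schema, a rule that flags large payouts shortly after sensitive account changes, and a helper that sends change notices only to the contact channels that existed before the change. The sample event log is constructed to mirror the reported sequence.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Account changes that should trigger a notice to the holder (hypothetical event kinds).
SENSITIVE = {"password_change", "email_added", "device_added"}

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str               # one of SENSITIVE, or "payment_out"
    amount: float = 0.0     # only meaningful for payment_out

@dataclass
class Profile:
    emails: list = field(default_factory=list)   # contact channels on file
    devices: list = field(default_factory=list)

def flag_payments(events, window=timedelta(hours=24), threshold=500.0):
    """Return [(payment, sorted change kinds)] for each outgoing payment of at
    least `threshold` that follows a sensitive account change within `window`."""
    recent = {}      # user -> sensitive events seen so far
    flagged = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in SENSITIVE:
            recent.setdefault(e.user, []).append(e)
        elif e.kind == "payment_out" and e.amount >= threshold:
            changes = [c for c in recent.get(e.user, []) if e.ts - c.ts <= window]
            if changes:
                flagged.append((e, sorted({c.kind for c in changes})))
    return flagged

def notify_targets(profile, new_email=None, new_device=None):
    """Channels that should receive a change notice: everything on file before
    the change. The newly added email/device are excluded so whoever made the
    change cannot route the warning to a channel only they control."""
    targets = [("email", x) for x in profile.emails] + [("device", x) for x in profile.devices]
    return [t for t in targets if t[1] not in (new_email, new_device)]

# Constructed sample modelled on the sequence reported above (not real data).
T0 = datetime(2015, 2, 1, 9, 0)
SAMPLE = [
    Event(T0, "grey", "password_change"),
    Event(T0 + timedelta(minutes=2), "grey", "email_added"),
    Event(T0 + timedelta(minutes=3), "grey", "device_added"),
    Event(T0 + timedelta(minutes=10), "grey", "payment_out", 2850.0),
    Event(T0 + timedelta(hours=1), "roommate", "payment_out", 12.0),  # ordinary small payment
]

if __name__ == "__main__":
    for payment, changes in flag_payments(SAMPLE):
        print(f"{payment.user}: ${payment.amount:.2f} after {', '.join(changes)}")
```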
In a blog post by General Manager Michael Vaughan, Venmo responded to the wave of bad publicity set off by the Slate article.
More precisely, Vaughan was responding to the idea that Venmo might not be all that secure, without directly addressing all of its security loopholes.
Vaughan stated that Venmo is compliant with the PCI-DSS payment industry standard, and provides a range of anti-fraud guarantees and security measures such as encryption of bank account details and transaction limits.
The company has fraud rates “favorable to industry standards,” Vaughan said, and Venmo is also working on “a bunch of things” to improve security that it will be unveiling soon.
Image of Venmo logo courtesy of Venmo and Google Play Store.