Skip to content
Naked Security Naked Security

Venmo mobile payment service under fire for security carelessness

Venmo is taking heat after a news report last week revealed security holes you could "drive a truck through," in the words of one aggrieved Venmo user whose account was drained of $2850.

Venmo under fire for security lapses.Venmo is taking heat after a news report last week revealed security holes you could “drive a truck through,” in the words of one aggrieved Venmo user whose account was defrauded to the tune of $2,850.

As Slate initially reported, Venmo – a mobile payment service – lacks some essential security safeguards against unauthorized account access, in particular two-factor authentication and sending users a notification when their password is changed.

The Venmo app allows people on the service to send payments to each other’s Venmo accounts, which are linked to their bank accounts or a debit card.

Owned by the payment giant PayPal, Venmo is still small – with about 1.5 million users – but growing fast.

The company’s rapid growth is perhaps outpacing its capacity to handle these concerns.

Venmo is especially popular among young people, who use the app in lieu of cash for things like splitting restaurant tabs and taxi fares, paying rent, and other transactions between friends.

If you want to pay your roommate back for buying beer last night, you send an electronic payment with a description of what it’s for, and they’ll instantly receive the payment.

Increasing its appeal with millennials, Venmo is also a social network – others on the service can see or comment on your transactions unless you set transactions to private (seen by only you and the other party) or “friends only.”

A website called Vicemo takes advantage of this social aspect to stream transaction messages containing keywords related to “drugs, booze and sex.”

Turning a payment app into a social network carries some risk, however, beyond the fact that anyone might find out you charged your friend for beer or perhaps something more sinful (or illegal).

Three MIT students noted some potential security concerns with the socially networked payment app in a paper published last May – arguing that because Venmo allows any user to send payment requests to any other user, it is vulnerable to social engineering attacks in which an attacker poses as a friend.

Venmo’s (in)attention to detail has come under regulatory scrutiny too – the California Department of Business Oversight last July demanded a response from Venmo about more than 20 unsafe practices, the New York Times reported.

Among the issues identified by the California regulators was the absence of a “compliance system for active suspicious activity monitoring.”

Part of that system, we hope, would include sending alerts to customers about suspicious activity on their accounts.

Chris Grey, a 30-year-old New Yorker, told Slate that he found out his Venmo and bank accounts had been debited $2850 after he was notified of a large transaction – not by Venmo, but by his bank.

The fraudster who gained access to Grey’s Venmo account changed his password and added a new email address and mobile device to the account, but Grey didn’t receive notifications about any of those changes.

Grey also didn’t have much luck getting customer support in a timely manner – according to Slate, he didn’t get a response from Venmo until a day and a half after reporting fraud on his account.

Despite handling billions of dollars in financial transactions, the company doesn’t have a customer support line, just an email address and Twitter account.

Although Grey disputed the charges with his bank and was eventually credited the money back, what he discovered about Venmo’s security protocols caused him – unsurprisingly – to quit Venmo.

In a blog post by General Manager Michael Vaughan, Venmo responded to the wave of bad publicity set off by the Slate article.

More precisely, Vaughan was responding to the idea that Venmo might not be all that secure, without directly addressing all of its security loopholes.

Vaughan stated that Venmo is compliant with the PCI-DSS payment industry standard, and provides a range of anti-fraud guarantees and security measures such as encryption of bank account details and transaction limits.

The company has fraud rates “favorable to industry standards,” Vaughan said, and Venmo is also working on “a bunch of things” to improve security that it will be unveiling soon.

Image of Venmo logo courtesy of Venmo and Google Play Store.


Wow, could Venmo’s response been any more vague or lackluster? That just guaranteed that I won’t consider an account with them and will tell all my friends to avoid them. Besides, why wouldn’t I use my regular PayPal account to pay a buddy like I’ve always been able to do?


Why would you want to broadcast your payments to the world? Do strangers need to know when you’ve bought beer?


Millennials, particularly in the U.S. are far too trusting of technology services to do the right thing. Why use a service like this when you can transfer cash for free to anyone using the tools provided to you by a Credit Union, even if the recipient isn’t a Credit Union member? Things like this happen frequently in the US market where there is a dearth of financial regulations.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!