Naked Security

Venmo users: time to hide your drug deals and excessive pizza consumption

To its fans, Venmo is a hassle-free P2P app that lets anyone living in the US send money to friends, split a restaurant bill, pay for a ride on Uber, or buy a hotel room. To the security conscious, it's a privacy nightmare.

If you owe someone a small sum of money, or just want to pay an odd amount without going to an ATM, you can do that using Venmo in a matter of seconds as long as the recipient is willing to join too.
This convenience (coupled with its ownership by payments giant PayPal) has helped it attract seven million users who in 2017 shifted a reported $18 billion. Did we mention that transactions not involving a credit card are free?
If this is starting to sound like an advert, it’s time to mention a quirk that some find a bit harder to swallow – transactions conducted through Venmo appear to be public by default.
This doesn’t include the dollar amounts but does show who sent something to whom. The service does offer a setting that restricts the visibility of transactions to a user’s friends, but it isn’t on by default and it seems a lot of people never turn it on.
We know this because a privacy campaigner has conducted an analysis that underlines how easy it is to find out about the lives of Venmo users simply by peering closely at the data from its public API for 2017.
Writes researcher Hang Do Thi Duc:

Since all Venmo activity is public by default, it’s incredibly easy to see what people are buying, who they’re sending money to, and why.

According to Do Thi Duc, this includes “first and last names, profile picture, the time of the transaction, the message and more.”

Do Thi Duc was able to trawl the API and – from a total of 207,984,218 transactions – managed to spot a cannabis retailer in California who took payments 920 times in 2017.
She also pieced together love affairs and arguments from the public messages sent between Venmo users, and analysed the eating habits of one woman who washed down 209 pizzas with 280 transactions for Coca Cola – all in one year.
By the time you read about the couple who use the service to pay for their dog’s vet bills, refuel their car at a Chevron gas station every fortnight, as they drive to eat Asian food or shop at Walmart, paranoia starts to set in.
Extraordinarily, this data isn’t only available to other Venmo users but to anyone. So why, you ask, is the service designed this way?
The answer almost certainly has to do with the service’s original design as part payment system and part social network. It isn’t that privacy was forgotten by Venmo so much as it being seen as beside the point – it’s as if Venmo thinks its users want friends to see with whom they’re transacting.
The service is open about this design although it’s also possible that many users don’t realise how public their use of the service is to anyone with the time and inclination to look.

One would think that when it comes to money, privacy by design is of greater importance and higher demand. One would be disappointed in this particular case.

Curiously, a quick check on Google reveals that this isn’t the first time that Venmo’s open privacy settings have been questioned. This has, in fact, been a live issue for a while without the app changing its design. Further back, in 2015, the app was also criticised for its security.

What should Venmo users do?

If you want to adjust your Venmo privacy, this can be achieved by logging into the website and changing the global settings, as set out in these instructions.
It also appears to be possible to hide past payments by navigating to the app’s Settings > Privacy > set past transactions to private (a change that is permanent and can’t be undone).
We strongly advise users to do this. Just because you have nothing to hide doesn’t mean someone won’t one day be interested in taking a peek at your life for any number of reasons.

4 Comments

I think it’s fair to say that everything you sign up for defaults to public so I always look for it. As soon as I signed up for Venmo I looked and changed mine to private.

It’s always amazed me that Venmo users don’t mind publicizing their transactions, but maybe they somehow don’t know that public is default and more than just friends!?
