If you want to feel like a private eye, scroll through the feed on your Venmo app. Thanks to Venmo’s social feature, you can see that Daniel and Josh split an order of tacos last week; you can assume who your exes are dating based on a series of heart emojis and frequent transactions; and now you know who Sasha’s roommates are—they split the internet bill every month.
Though it may be slightly intriguing to see who your ex is splitting pizza with on Saturday night, flaunting these transactions isn’t just obnoxious; it could be exposing users to cyberattacks. Venmo (see also the verb “to Venmo”) has made cash all but obsolete. Your roommates use it, your parents use it, and it makes splitting a check and paying bills profoundly convenient. But as we’ve learned with most apps and social platforms, convenience can come at a cost.
Venmo and privacy
It’s no wonder that most people still keep their Venmo transactions public when you consider the normalizing effect of social media on making the rest of our lives public. Even for those who are more conscious of digital privacy, Venmo itself may be partially to blame: when you sign up for Venmo, your transactions are set to public by default, and most users don’t know to go in and change their settings.
This has not gone unnoticed. The Federal Trade Commission (FTC) investigated the PayPal-owned app over a series of claims:
- Venmo did not properly disclose to users that transfers of funds were subject to review and could therefore take additional time, which led to financial hardships in some cases;
- Venmo claimed “bank-grade security” which was found to be misleading;
- Venmo was found in violation of the FTC’s Safeguards Rule and Financial Privacy Rule, meaning that they were not adequately protecting their customers’ information. According to the claim, Venmo failed to adequately inform users in the app that their transactions were set to public by default. The claim also states that Venmo failed to adequately disclose that once users do change their privacy settings, it only applies to future transactions, while past transactions remain public.
PayPal and the FTC came to a settlement agreement in 2018. PayPal would hire outside auditors to ensure the privacy of users’ transactions, and each subsequent violation would be subject to a hefty fine.
But the difference this settlement made is negligible. A year later, in 2019, Dan Salmon, a master’s graduate specializing in information security, “scraped” (meaning: extracted data from) hundreds of thousands of Venmo transactions to see how users’ data might be at risk. This came a year after privacy researcher Hang Do Thi Duc conducted the same study and was able to pry extensively into the private lives of many Venmo users.
What’s at stake
Venmo gives us an intimate look into each other’s lives; the amount of info we can glean from a series of transactions and their accompanying emojis is fascinating, but is it risky to share so much? When Salmon scraped users’ data, he thought about what information a cyberattacker might find useful.
This is just a sample of the data that hackers (or anyone) can collect with Venmo’s public API:
- Where you shop
- If you use illegal substances (this can be gleaned from emojis or slang words used in transactions)
- Which device you use to access Venmo (transactions include the note “Venmo for Android” or “Venmo for iPhone”)
How this can be used against you:
As Salmon pointed out for Wired, if a hacker knows the device you use for transactions, they could use that information to phish your credentials—like your Apple ID if your transaction says “Venmo for iPhone.”
Another common scam using information gathered from Venmo is spear phishing: when phishing is tailored specifically to you based on your information. Giving a “bad actor” or hacker a glimpse into your personal life might give them enough information to craft a spear phishing email posing as a friend or organization you trust in order to hack your credentials.
Your “friends” or contact list is also accessible to the public. According to Venmo’s own privacy statement, “In addition to any public information, your Venmo friends list may be seen by any logged-in Venmo user.” You might have noticed that your feed is not just full of contacts—Venmo will automatically pull users into your “friends” list if you have their number stored in your phone or if you are connected to them via Facebook—but also people that you “used to know” or are tangentially related to. So even if you deleted your Facebook account, you would still see former Facebook friends’ transactions if you had authorized Venmo to pull from your Facebook list; the same applies to other third-party apps you connected. Once that information was downloaded, Venmo continued to have access to it. The same is true for phone numbers you’ve since deleted from your smartphone contacts.
Hint: You can view your contacts list if you go into the Venmo app and click on the three horizontal lines in the upper right corner. Next to your username will be the number of your friends, which you can click on to view your contacts. The list may surprise you!
In 2019, Mozilla wrote an open letter to Venmo asking them to change their privacy settings to private by default and to make users’ contacts private, but the policies have yet to be changed.
Is my money safe?
Until 2015, Venmo did not have security measures in place to prevent unauthorized users from withdrawing your funds. Things have since improved, with the app telling users when new devices have been added, or when a password or email has been changed. The FTC’s complaint regarding Venmo and banking was that the app promised “bank-grade” security, which is misleading. While personal data like your credit card number or account number is not exposed during a transaction, the customer support that a bank may provide is not present with Venmo. For example, if you pay the wrong vendor or individual, it’s up to that individual to reverse the transaction. Venmo does have a measure in place to ask you to confirm that you’re paying the correct user, but accidents can still happen. Last year NPR’s Planet Money podcast delved into the process of trying to get your money back if you accidentally pay the wrong user. Unsurprisingly, it is neither simple nor fun to try and retrieve your money.
Your best defense
If you don’t opt out of the uber-convenient peer-to-peer payment app (and we don’t blame you), there are still ways to protect your information. For starters, you can set up Face ID or other biometric security on your mobile device for accessing the app, which will make it very difficult for an unauthorized user to access your account.
You can also set your transactions to private, which we highly recommend. Go into Settings on your Venmo app, then tap Privacy. You will see three options: Public, Friends, and Private. Tap Private. Remember, if you choose Friends, you might want to first check to see who your Venmo friends are!
Below that, you will also see More and the option to change the privacy for past transactions. Click Change all to private.
All in all, unless it’s very important that former friends and exes see who you’re hanging out with, it’s safest to keep your social life separate from Venmo.