Say you go out to lunch or happy hour with your co-workers. That nice guy, Gary, from accounting picks up the tab and everyone pays him back through Venmo. Everybody appreciates how easy it is--especially Gary from accounting.
All good, right? Maybe not. Using Venmo--with co-workers or anyone else--could expose you and your employer to scams.
The “Privacy” Illusion
I hear you saying, “But Dave, I kept the amount I paid Gary through Venmo private so it’s OK.” Yes, the financial aspect of Venmo isn’t in question here. Paypal owns Venmo and assuming that you are practicing good cyber hygiene for your account, (strong, unique password and multi-factor authentication) that piece is buttoned up.
The issue is all the other information surrounding your Venmo account and activity may be enticing bait for cyber criminals. Venmo users’ friends lists and transactions are public by default. And while you can change the privacy settings for transactions, most people unfortunately do not.
The “public by default” posture for transactions has caused many privacy and security experts to warn about this approach. Recently the Electronic Frontier Foundation EFF and Mozilla (makers of Firefox) wrote an open letter to Venmo’s CEO and COO. The letter said "The list of people with whom you exchange money paints a startlingly clear picture of the people who live, date and do business with you” and it raised three fundamental concerns:
- Venmo transactions are not private by default. This is a long running concern and depending on what information you post in the comments, this can be a significant privacy concern
- Anyone can view your "friends" list
- As a result of issues one and two, Venmo users may be exposing data about their personal habits that would be better kept private
The EFF letter also references a report by computer science student Dan Salmon who was able to scrape data for millions of Venmo transactions over a six-month period. In an article for Wired, Salmon wrote “But the most likely cyberattack to be conducted using Venmo data is spearphishing—and the amount of specific information available via the app would make for a very convincing phish. An attacker could easily find a list of the people that their target most frequently interacts with, as well as that person's common spending habits.”
Venmo Under Fire
Unfortunately, this is not the first time that Venmo has come under fire for privacy related concerns. The Federal Trade Commission (FTC) prosecuted Venmo in 2018 for allegedly misleading users about the privacy of transactions and PayPal settled by agreeing to several conditions, including a requirement to make "clear and conspicuous" disclosures about information sharing.
Despite all this scrutiny, transactions are still public by default and there is no way to disable the public sharing of friend lists. This means that hackers can scrape readily available information from Venmo and use it in whatever way they’d like.
Consider this scenario: Once you complete a Venmo transaction, there’s a public record of you (and your named co-workers) paying Gary. An attacker could use the information to pose as Gary in an email and request that you provide him with a password, corporate information or other sensitive data. And who doesn’t trust Gary? He’s from accounting
Venmo No Go?
Venmo users concerned about privacy can turn off "public by default" for their transactions by going to Settings > Privacy, select Private > Change All to Private. If you choose to use Venmo, you should do this. Additionally, users can be careful about what they post in the comments of a transaction.
Is the convenience of Venmo worth the risk? Not in my book. I won’t use Venmo until they land on the side of privacy by making it the default (Sorry, Gary.) Is it something you should ask employees to avoid? That’s your call, but you can certainly be sure that your staff understands all the implications of using the app. In fact, you could just forward this blog post!