
Venmo struggles put spotlight on mobile payment security

The mobile payment app maker responds to criticism by stepping up security with better verifications and notifications for email and phone number changes.

After coming under fire for security vulnerabilities and concerns about customer response times, digital wallet application maker Venmo announced on Monday new security measures to better protect users.

The New York-based application developer, which allows users to make peer-to-peer payments via a mobile app, has become popular among college students. But Venmo came under fire recently following a Slate report that highlighted security flaws in the app, which led to the company issuing a public apology.

Specifically, Venmo has been criticized for not offering two-factor authentication, as well as for instances when the app's lack of confirmation about changes in name or email has led to customers realizing too late that their Venmo accounts had been compromised.

"To enhance the security of your Venmo account, any time there is a change to your primary email address, password or phone number, we will send you an email notification," Michael Vaughan, general manager of Venmo, wrote in the statement. "We're working to be more responsive to your support inquiries. We've made significant progress and will continue to improve in this area. We'll also be rolling out multifactor authentication (MFA) in the coming weeks, among other product features, to further enhance user security and experience."

Venmo's new policy is to deploy notifications to the old email whenever the primary email on the account is changed, as well as verification for the new email. Whenever the password is changed, the user will now receive email notification. And, whenever a phone number is changed, email notification will be sent, as well as verification of the new phone number.
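The notification-and-verification policy described above, as an added worked example (not Venmo's code): a contact change is staged, the account's current email is told about it immediately, and the new email or phone number only takes effect once a one-time code delivered to it is presented back. The `Outbox` class is a constructed stand-in for an email/SMS gateway, and the verification code is returned from `request_contact_change` purely so the flow can be completed in one process.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    phone: str
    password_hash: str
    # staged contact changes awaiting verification: field name -> (new_value, code)
    pending: dict = field(default_factory=dict)


@dataclass
class Outbox:
    """Collects outgoing messages instead of sending them (constructed stand-in
    for an email/SMS gateway) so the flow can be inspected and tested."""
    notifications: list = field(default_factory=list)  # (channel, destination, text)
    verifications: list = field(default_factory=list)  # (field, destination, code)


def request_contact_change(acct, which, new_value, outbox):
    """Stage an email or phone change.

    Policy from the article: the account's current email is notified at once
    (for an email change that is the OLD address), and the NEW contact point
    must be verified before the change takes effect. The code is returned so
    the demonstration can complete the loop; a real service would only deliver
    it out of band.
    """
    if which not in ("email", "phone"):
        raise ValueError("only email and phone changes go through verification")
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[which] = (new_value, code)
    old_value = getattr(acct, which)
    outbox.notifications.append(
        ("email", acct.email,
         f"Your {which} is being changed from {old_value} to {new_value}. "
         "If this was not you, contact support."))
    outbox.verifications.append((which, new_value, code))
    return code


def confirm_contact_change(acct, which, presented_code):
    """Commit a staged change only if the presented code matches.

    Uses a constant-time comparison; a wrong or replayed code leaves the
    account untouched and returns False.
    """
    if which not in acct.pending:
        return False
    new_value, code = acct.pending[which]
    if not hmac.compare_digest(code, presented_code):
        return False
    setattr(acct, which, new_value)
    del acct.pending[which]
    return True


def change_password(acct, new_hash, outbox):
    """Password changes take effect at once but always produce a notification
    to the current email, per the policy described in the article."""
    acct.password_hash = new_hash
    outbox.notifications.append(("email", acct.email, "Your password was changed."))


if __name__ == "__main__":
    acct = Account("old@example.com", "+15550100", "argon2id$constructed")
    box = Outbox()
    code = request_contact_change(acct, "email", "new@example.com", box)
    print("staged change; notified", box.notifications[-1][1])
    print("verified:", confirm_contact_change(acct, "email", code), "->", acct.email)
```

The detail worth noticing is that the notification always targets the address the account had *before* the change, so the legitimate owner hears about an attacker's attempt even when the attacker already controls the phone or the new address.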

Unlike parent company PayPal, Venmo doubles as a sort of social network with its public display of people's payments to each other. Much like in Twitter, whose API Venmo uses, there is a constantly updating feed that shows who paid whom and for what. But the publication of friends' monetary exchanges opens up potential security vulnerabilities.

"Part of the appeal of Venmo is it's a social payment app," Ben Kraft, a Massachusetts Institute of Technology student studying mathematics, said. "I think there are questions about, 'Should you really be sharing your transactions with the public?' and certainly Venmo encourages it. That's their whole model."

Kraft and fellow students Eric Mannes and Jordan Moldow published a paper last May exploring the security flaws of Venmo's app. Venmo complied by patching most of the vulnerabilities the report pointed out, such as the leaking of friend-only posts and the weak security on SMS charge confirmations. However, some of the vulnerabilities seem inherent to Venmo's social aspect.


"Some people make their transactions public, and if you're worried about it, you can just make your transactions private," Kraft said. Although the amount paid is always private, Venmo offers two separate privacy settings: who you share your transactions with (yourself only, your friends only or everyone) and who can share transactions involving you (everyone or only you).
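To make the two settings concrete, here is an added example (not Venmo's code) that resolves who may see a transaction in a feed. The article names the settings but not how they combine, so the combination rule is an assumption: the effective audience is the payer's chosen audience, forced down to private when the counterparty has set "only you" for who may share transactions involving them; "friends" is assumed to mean a friend of either party. The amount is never placed in the feed entry, matching the article's statement that it is always private.

```python
from dataclasses import dataclass

# Ordering of the sharing audiences, least to most visible (assumed; the
# article lists the three choices but not how they combine).
AUDIENCE_RANK = {"private": 0, "friends": 1, "public": 2}


@dataclass(frozen=True)
class User:
    name: str
    share_audience: str      # "private" (yourself only), "friends", "public"
    others_may_share: str    # "everyone" or "only_me"
    friends: frozenset


@dataclass(frozen=True)
class Transaction:
    payer: User
    payee: User
    note: str
    amount: float


def effective_audience(tx):
    """Most restrictive of the payer's chosen audience and the payee's
    'who can share transactions involving you' setting (assumed rule)."""
    audience = tx.payer.share_audience
    if audience not in AUDIENCE_RANK:
        raise ValueError(f"unknown audience {audience!r}")
    if tx.payee.others_may_share == "only_me":
        audience = "private"
    return audience


def can_view(viewer, tx):
    """Both parties always see their own transaction; anyone else is checked
    against the effective audience. 'friends' here means a friend of either
    party, which is an assumption of this example."""
    if viewer in (tx.payer.name, tx.payee.name):
        return True
    audience = effective_audience(tx)
    if audience == "public":
        return True
    if audience == "friends":
        return viewer in tx.payer.friends or viewer in tx.payee.friends
    return False


def feed_entry(viewer, tx):
    """Feed representation for a viewer, or None if not visible.
    The amount is deliberately omitted: the article states it is always private."""
    if not can_view(viewer, tx):
        return None
    return {"payer": tx.payer.name, "payee": tx.payee.name, "note": tx.note}


if __name__ == "__main__":
    # Constructed sample users and transaction.
    alice = User("alice", "friends", "everyone", frozenset({"carol"}))
    bob = User("bob", "public", "only_me", frozenset({"dave"}))
    tx = Transaction(alice, bob, "pizza", 12.50)
    for who in ("alice", "carol", "erin"):
        print(who, "->", feed_entry(who, tx))
```

The point the MIT students' finding about leaked friend-only posts illustrates is that the check has to be applied on every read path that renders the feed, not only on the one that writes the transaction; a single helper like `feed_entry` that every renderer goes through is the usual way to keep that consistent.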

Kraft pointed out that he himself had his transactions set to private. "If people want to share their transactions, then they know what they're getting into -- or at least they should," he said.

But that doesn't always happen. ISACA recently released its "2014 IT Risk/Reward Barometer," which surveyed more than 1,600 business and IT professionals about various subjects, including mobile payment security. According to the survey, 37% of Millennials -- the sweet spot for companies like Venmo -- believe someone will hack into their mobile device and do something malicious, while 70% say that the benefits of digital devices outweigh the potential privacy risks.

Eddie Schwartz, chair of ISACA's Cybersecurity Task Force and president and COO of New York-based security firm WhiteOps, said mobile app developers are making a lot of assumptions about user behavior. "Organizations that are building some of these platforms assume good behavior, or good security hygiene, on the part of end users," Schwartz said. "[They assume] that end users are either going to use strong passwords, or that they're not going to share their PIN with somebody, or that they're not going to leave their phone unlocked."

The problem being: Most of the people who aren't careful with their passwords or their PINs are the same people who think telling the Internet who they are charging money to and what they are paying for is a good idea.

Other challenges Venmo still faces tend to arise from the habits of the end users and the third-party applications that they connect to Venmo with. Specifically, the use of the Twitter API is a security risk that is easily exploitable, according to Kraft et al.

"Twitter's design is not particularly secure -- or is designed in such a way that is hard to use it completely securely -- and indeed Venmo does not," Kraft said. "I can send you a link -- and if you've already authorized Venmo to use your Twitter -- that would pretend to be Venmo. It would look to you as if Venmo was using your Twitter, but actually I would be the one using your Twitter, if you click the link."

Kraft explained that a fraudster could easily create a phishing site that would encourage a victim to let Venmo use their Twitter.

"The reason this is possible, is because the Twitter API is designed in such a way that it requires that the services be authenticated with it," Kraft said. "Twitter wants to know that this is Venmo talking to Twitter and not some random other person, but it doesn't actually have any way for Venmo to securely prove that."

Founded in 2009, Venmo was purchased by Braintree in 2012 and acquired by digital wallet giant PayPal in 2013. The company is still relatively new and consists of about 70 employees. Venmo has been praised for its innovative social network approach to mobile finance and peer-to-peer payments. 

"When different platforms have come out in the past … the usability or attractiveness of those features always lead ahead of [security] of those features," Schwartz said. "That's not necessarily a bad thing. That's how innovation gets done and that's how projects get funded."

Kraft said he isn't too worried about Venmo security as long as the user didn't disclose too much personal information.

"After-the-fact security is the reason I still have no problem using Venmo even after all the things we found," he said. "It's not Venmo's job to figure out that the person with your username and password is not you. It's your job to keep your username and password secure by not using it on other sites."
