Mobile pay apps are all the rage these days. Whether you’re dining out, shopping for clothes, or paying a friend back, there’s nothing more convenient than pushing a few buttons on your phone to send cash in an instant. When these apps first emerged, their use was typically limited to smaller, independent merchants. Now, they’re a major part of the retail ecosystem — and the preferred way for people to send money locally and online.
Because of their popularity and ease of use, mobile payment apps are an attractive target for cybercriminals. Recently, a security researcher showed that one of the most popular payment apps in the world hands out user data through its public API: with no authentication at all, anyone can download millions of transaction records in a matter of minutes, including who paid whom, when, and the note attached to each payment.
This is not a breach in the traditional sense. Nobody broke into a system; the data is exposed by design, to anyone who asks for it. That is exactly why the finding casts such a long shadow over a rapidly growing category of software. Without sensible defaults and access controls, could these financially sensitive apps pose more risk to us than reward?
How Venmo’s infrastructure leaves your data wide open
Venmo, owned by e-commerce giant PayPal, is one of the most popular peer-to-peer payment apps on the market today, with a large user base and a high volume of daily transactions.
That scale also makes it an attractive target for hackers and cybercriminals, who can take advantage of the personal and financial details the service publishes about its users by default.
With Venmo, users can attach a description of what a payment was for. Unless the user changes the privacy setting, that description is published to a public “timeline” feed that anyone can read, not just the user’s friends. In effect, it’s a social network for finances.
It’s where you’d be able to see that your brother, for example, paid for basketball tickets, or that your mother paid for a hair appointment. On top of this, both the sender and the recipient are shown by name, so even if a user leaves the description blank, the fact that money changed hands between those two people is still clearly visible.
Given Venmo’s popularity, security researcher and bug bounty hunter Dan Salmon decided to test how much of this data could be pulled out of the service. He set out to download millions of transaction records, repeating an exercise another security researcher had carried out the previous year.
The company’s public API handed him the data without any credentials. He could retrieve individual transactions, the usernames of the sender and recipient, the note attached to each payment, and when it was made.
Am I at risk for using Venmo? Has my data been stolen?
Thankfully, Mr. Salmon is what’s called a “white hat”: a security researcher who probes systems to find and report weaknesses rather than to exploit them, usually to make a point about security or to help developers improve their defenses.
In this case, he wanted to show that Venmo’s public API, the web interface the official app itself uses to fetch transaction feeds, returns every non-private transaction without requiring any authentication. You don’t even need the official app to do it; any HTTP client can request the same data.
His hope is that users will now be more aware of what kind of data Venmo leaves unprotected. On his personal social media profiles, he has urged people to change their Venmo account settings to private. That way, someone doing what he did will not be able to pull their transactions.
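To make concrete what “non-private” means for an unauthenticated caller, here is a small model of a payment feed with public, friends-only and private visibility and a per-account default. It is an added example written for this article, not Venmo’s code, and it calls no Venmo endpoint; the class names, the friends-only level and the rule that a changed default applies only to payments made afterwards (older ones must be flipped separately) are modelling assumptions. It shows why switching an account to private, and applying that to past payments, is what actually removes data from an anonymous feed query.

```python
"""Toy model of a public payment feed with per-account privacy defaults.

Hypothetical example written for this article. It is not Venmo's code and
calls no Venmo endpoint. The visibility levels, class names and the rule
that a changed default only covers later payments are modelling assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Visibility(Enum):
    PUBLIC = "public"      # readable by anyone, including unauthenticated clients
    FRIENDS = "friends"    # readable by the two parties and their friends
    PRIVATE = "private"    # readable only by the two parties to the payment


@dataclass
class Transaction:
    sender: str
    recipient: str
    note: str
    visibility: Visibility   # stamped from the sender's default at creation time


@dataclass
class Account:
    name: str
    friends: set = field(default_factory=set)
    default_visibility: Visibility = Visibility.PUBLIC   # modelled "public by default"


class Feed:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.transactions: list[Transaction] = []

    def add_account(self, name: str, friends=(), default=Visibility.PUBLIC) -> None:
        self.accounts[name] = Account(name, set(friends), default)

    def pay(self, sender: str, recipient: str, note: str) -> None:
        # The sender's *current* default is copied onto the new transaction;
        # changing the default later does not touch this record.
        vis = self.accounts[sender].default_visibility
        self.transactions.append(Transaction(sender, recipient, note, vis))

    def set_default(self, name: str, vis: Visibility) -> None:
        self.accounts[name].default_visibility = vis

    def make_past_private(self, name: str) -> None:
        # Retroactively hide every transaction the account took part in.
        for t in self.transactions:
            if name in (t.sender, t.recipient):
                t.visibility = Visibility.PRIVATE

    def can_view(self, viewer: Optional[str], t: Transaction) -> bool:
        """viewer=None models an unauthenticated API client."""
        if t.visibility is Visibility.PUBLIC:
            return True
        if viewer is None:
            return False              # anonymous callers get nothing beyond PUBLIC
        if viewer in (t.sender, t.recipient):
            return True
        if t.visibility is Visibility.FRIENDS:
            return (viewer in self.accounts[t.sender].friends
                    or viewer in self.accounts[t.recipient].friends)
        return False

    def query(self, viewer: Optional[str]) -> list[Transaction]:
        """What a feed request by `viewer` returns (None = no credentials)."""
        return [t for t in self.transactions if self.can_view(viewer, t)]


def demo() -> tuple[int, int, int]:
    """Count what an anonymous scraper sees at three points in time.

    Constructed sample data: three accounts and three payments.
    """
    feed = Feed()
    feed.add_account("alice", friends={"bob"})
    feed.add_account("bob", friends={"alice"})
    feed.add_account("carol")
    feed.pay("alice", "bob", "basketball tickets")
    feed.pay("bob", "carol", "hair appointment")
    anon_before = len(feed.query(None))           # both payments are public

    feed.set_default("alice", Visibility.PRIVATE)  # the advice from the article
    feed.pay("alice", "carol", "rent")             # new payment is private
    anon_after_default = len(feed.query(None))     # old public payments still leak

    feed.make_past_private("alice")                # flip alice's history too
    anon_after_past = len(feed.query(None))        # only bob->carol remains public
    return anon_before, anon_after_default, anon_after_past


if __name__ == "__main__":
    print(demo())
```

The model makes two points that the prose only implies. An anonymous client is not blocked by the lack of credentials; it is limited only by what the visibility rule lets through, so with a public default it sees every payment. And changing the default protects future payments only; the earlier records stay readable until they are flipped as well, which is why a user who switches to private should also check that their existing history is covered.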
Right now, Venmo has given no indication that it plans to change the API or the public-by-default setting in light of this discovery.
In the meantime, you can easily switch your Venmo account to private: tap the “three lines” icon in the upper left-hand corner of the app, tap Settings, then open Privacy on the next screen. In the Privacy menu, set the default to “Private,” which keeps your new transactions visible only to you and the other party. Since that default applies to payments going forward, check the same Privacy screen for an option to apply it to your past transactions as well, so that your existing history is no longer readable by anyone who asks the API for it.
Hopefully, since finances are involved, we’ll see companies like Venmo make privacy the default in the future. Until then, all we can do is be deliberate about what we share. A public record of who you pay, when, and what for is exactly the kind of detail that makes a scam or an impersonation convincing, so it is worth keeping to yourself.