Venmo Mobile Payments May Be More Public Than You Expect
Venmo is one of the greatest mobile payments platforms around, thanks to its early adoption of peer-to-peer (P2P) payment systems, a massive market that not even Apple Pay was interested in exploiting until Venmo itself proved what a spectacular payday it represented. Yet new reports suggest that those who use Venmo may have a problem on their hands, in the form of just how much information the Venmo application programming interface (API) shares.
The new reports, by way of security researcher Hang Do Thi Duc, suggest that the system shares data including real names, transaction dates, the intended target of the payment, and any comments sent along with the payment. Not exactly a security issue, but certainly a privacy issue. Do Thi Duc examined the public API to reach this determination, and found that the Venmo app’s settings are set to “Public” by default.
The good news is that the privacy issues here can be almost immediately blunted just by adjusting the privacy settings on your Venmo app. Simply change the setting from “Public” to “Private,” reports note, and the issue clears up immediately.
Venmo issued a press release pretty quickly noting that “…the safety and privacy of Venmo users and their information is one of our highest priorities,” though it also notes that each user is responsible for changing default settings and rendering information private.
Of course, Venmo’s right here in that it really is every user’s responsibility to make their information private via a settings change. However, it’s worth wondering: how many users knew that such a move would be necessary to begin with? I’m not saying that Venmo had to take the initiative here and set the default to private—though really, would that have been such a bad thing?—but some kind of notification to the user that, unless they flick a switch to “private”, there’s a very real potential that just about everything they do on the app will be tracked might have been worth doing.
Information generated from mobile payments tools is valuable stuff. Just ask any business engaging in analytics. But that information also needs to be protected, and in this case, one simple change makes all the difference. Now that people know about that switch, it should be done a lot more often.