Computer Science Student Scrapes Seven Million Venmo Mobile Payments Transactions

June 18, 2019 | By: Steven Anderson

Security has always been one of the major impediments—if not the major impediment—to the widespread adoption of mobile payments. Though that’s improved in recent days, there are still issues to address. This was demonstrated marvelously, if not in a welcome fashion, by Dan Salmon, a computer science student who took six months to scrape seven million Venmo transactions and prove there are still problems afoot.

Salmon staged the six-month scraping to raise awareness of the issue and to point out the fairly simple protection against this kind of scraping: users need to set their Venmo payments to private.

Something similar was tried by former Mozilla fellow Hang Do Thi Duc back in 2018, when Duc downloaded 207 million transactions. Since Venmo payments are public by default—part of the social media side of the app—such scrapings are both possible and likely unwelcome. One derivative work actually served as a bot that would tweet every time someone used Venmo to buy drugs, a detail that both buyer and seller would likely rather have kept quiet.

Despite Duc’s work, Salmon’s scrape illustrates that the issues that made all of the preceding possible in 2018 were still in play a year later, in 2019. Users can still readily use Venmo’s own developer application programming interface (API) to download large numbers of transactions, reports note, and all without even needing to download the app itself, let alone seek user permission.

While Venmo is still a popular app, it’s been losing ground in recent months to Zelle, a peer-to-peer mobile payments app that has the backing of some of the largest banks in the world. Reports like this likely won’t help, especially given that the issue in question has gone largely unaddressed for so long. But then, it’s likewise possible that the issue just isn’t that big a deal after all. Who particularly cares if someone used Venmo to pay for dinner last week? It could be that Venmo’s even leaving this information available to show the sheer range of use cases Venmo has, even the illicit ones like drug purchases.

Regardless of the reasoning behind it all, it still doesn’t look good for Venmo. Sometimes you just want your data kept quiet without you having to make adjustments.