Despite its popularity, peer-to-peer (P2P) payment app Venmo has some gaping holes in its security that are cause for concern for the app’s 180 million monthly users, according to a recent report from Slate. Venmo’s security issues have already allowed cyber thieves to steal thousands from Venmo users. With more than $700 million worth of transactions made through Venmo in Q3 2014, these security holes could pose a big risk to the app’s users and their bank accounts.
Venmo User Had $2,850 Stolen, Forced to Close Chase Bank Account
Chris Grey is a New York City web developer whose Venmo account was recently used to steal money from him to the tune of $2,850, which is just under Venmo’s weekly $2,999.99 transaction limit, reports Slate. Venmo didn’t notify him of the missing money, but his bank, Chase, did.
Grey tried to log in to Venmo to figure out why this charge occurred, but his password didn’t work. The hacker had gained access to Grey’s account, changed the address and the authentication email address, and turned off notifications. The $2,850 transaction, labeled “for about time,” had been sent the day before to a user Grey didn’t recognize.
Grey took the issue to Chase Bank and was told that since Venmo uses a bank account’s routing number rather than the number of a debit or credit card, his bank account was completely compromised. Grey had to close his bank account and dispute the charge with Chase, cutting off access to his funds until the issue was resolved more than 24 hours later and Chase reimbursed Grey for the full amount.
Grey also contacted Venmo’s customer service right away, but it took 24 hours to receive a response, which only included simple security steps like changing passwords and adding a PIN option to his account. Grey canceled his account with Venmo.
5 Venmo Security Flaws to Watch Out For
Venmo has declined to comment on Slate’s article, though a customer service representative did tell Grey that the app is “working to prevent this unauthorized account access in the future.” For now, here are the five major security concerns you should be aware of on Venmo.
No Email Warnings for Account Changes
As of now, Venmo does not send emails to a user if account information is altered. This gives hackers plenty of time to access an account, lock out the account’s owner, and send fraudulent payments before a Venmo user even knows his account has been compromised.
Lack of Two-Step Verification
Two-step verification requires a user to authorize account changes through text as well as with login information, and has become the new security standard, being used on major sites like Google and Facebook. But though Venmo carries a greater and more direct risk of loss if an account is compromised, it doesn’t offer two-factor verification — making it easier for hackers to change login information or settings and lock a Venmo user out of the account.
Linking Capability to Bank Accounts
Venmo offers two options to fund payments: a credit or debit card, or a bank account. But since virtually every bank account comes with a debit card, it seems unnecessarily risky for Venmo to link to bank accounts directly.
Debit or credit cards are easy to cancel and act as a buffer between your money and the merchants who charge you. But entering your routing number and linking your bank account to Venmo removes that buffer and puts your bank account and all the funds in it at direct risk. Because his Venmo account was linked to his bank account, Grey had to take a much more drastic action than canceling a card; he had to close his account and freeze his funds.
Optional PIN Security
“If you want to keep your Venmo account safe, you can set a PIN code in your account as another layer of security,” states the Venmo Help Center. PIN codes are an easy way to increase security, yet Venmo has made this feature optional rather than mandatory, and users who don’t bother to set a PIN are needlessly at greater risk.
Some Payment Information Is Public
When Venmo users make transactions, they tag them with a description indicating what the payment is for. But this also makes users’ payment habits easier to track and observe, which raises both privacy and security concerns.