Venmo, a mobile payment app popular among college students and recent grads, has security holes “you could drive a truck through,” according to an article posted on Slate this week. The report was largely based on one man’s story about how a grifter was able to steal $2850 from his account before he was ultimately reimbursed.
The fact that Venmo doesn’t offer two-factor authentication is indefensible, so I won’t defend it. But I’m also not going to delete the app off my phone and cancel my account.
In fact, I used Venmo last night — as I do fairly often — to reimburse my girlfriend for a magazine she bought for me because I didn’t have cash and it was the easiest way to pay her back. (Ostensibly I wanted the March issue of Vogue for the Apple Watch spread, but I was most interested in the cover story about Taylor Swift and Karly Kloss.)
I’m not going to stop using Venmo because its security is actually appropriate for the service it provides. In fact, I think it’s much more likely that my insecure magnetic credit card will get swiped by an ATM skimmer or through a security breach at a store like Home Depot. It’s simply not worth giving up Venmo’s convenience. And based on the number of transactions I saw in my Venmo social feed from last night, my friends agree.
Sure, Venmo might not have FDIC or credit card consumer protections, but it is legally required to help its customers recover funds from unauthorized transfers. One of the scariest details in the Slate story is that you have two business days under Venmo policy to contact the company after you spot fraud in order to limit your liability to $50 — even if the fraudsters stole close to $3000 (Venmo’s monthly limit.) After that, you could lose up to $500.
But those scary-sounding consumer protections aren’t exclusively Venmo policy — they stem from federal policy that covers unauthorized transfers for debit cards as well as smartphone transaction services like PayPal and Chase QuickPay. It is likely no different than what your bank offers for electronic transfers.
From the Federal Reserve’s regulation E:
Plus, it’s in Venmo’s interest to make sure its customers aren’t paying for fraudulent charges. Fraud is not part of its business model — in fact, fraud almost certainly leads to Venmo losing money, either because it has to pay or through bad PR. (If you’re a Venmo user who has had thousands of dollars stolen from you and you haven’t been made whole, I’d love to talk to you. Email me.)
Here’s the statement Venmo gave me:
At Venmo, our most important job is to protect our customers and provide a safe experience. We are continuously improving product and security measures but there is always more to do. We have teams dedicated to fraud prevention, customer support, and operations working tirelessly behind the scenes, and we always guarantee our users’ funds. Our customers put their trust in us and we take that responsibility seriously.
Just this morning, I changed the password on my account and immediately got an email from Venmo alerting me to the changes. It’s not perfect: A request to change email ended up sending a message requesting I verify the new email address, but nothing to my old one saying it had been changed.
One real issue is that Venmo’s support line is an email address and it doesn’t get back to customers quickly. Venmo clearly needs to improve that, but the fact that it doesn’t offer a phone line actually seems like a good thing to me, because it means a slick social engineer can’t get a call center employee on the line and sweet-talk him into giving up personal information.
Ultimately, I’m going to keep using Venmo for a few reasons:
- All my friends are already using it. If I’m trying to pay someone back for, say, a beer at a bar, I usually don’t need to ask her to download an app.
- It works and it’s easy — I’ve made hundreds of transactions and I haven’t had a problem yet. If I do, I feel confident in predicting that Venmo will eventually make it right.
- When you link it to a bank account, it’s free to both pay people and cash out.
If you’re really worried about security, you can unlink your bank account, as some of my colleagues have done. I added a PIN to my Venmo app — locking it with my fingerprint on my iPhone — but that seems superfluous because you need my PIN to get access to the phone’s contents in the first place. And when Venmo introduces two-factor authentication, I’m going to turn that on too. But I’m going to keep using Venmo, and frankly, I’m going to keep publicly posting many of my transactions.*
*For the record, I’ve labeled many Venmo memos as “drugs,” but never actually for a transaction that included drugs.
5:40PM: This article has been corrected to clarify the emails that Venmo sends when account settings are changed.