Just say Ven-NO

July 27, 2018 // Ellen Neveux

Last Updated: November 19, 2020

Almost everyone has poor personal password and security habits. Few of us change our passwords frequently, and most of us won’t change a password unless we’re forced to. It might not seem like a big deal, but it’s well documented that weak passwords are one of the easiest ways for someone to gain access to a personal account, like email or social media. Because of this, many companies have implemented password requirements. This is one small, but important, way that companies show they care about their consumers’ private information. Especially since the recent implementation of GDPR, people have become more aware of how they, and enterprises, treat their sensitive information.

But what happens when consumers become more aware of protecting their personal information and that awareness doesn’t align with a company’s vision for displaying information? This is a very real situation for Venmo, a popular mobile payment app, which has recently been under fire because its default privacy setting is public. This means that anyone using the Venmo platform, not just your friends, can see your name, picture, and who you’re paying if you don’t change your settings.

Venmo put privacy on the backburner

Venmo, which is owned by PayPal, is a payment app that people use for buying goods and sending or receiving money among friends. For example, it’s a great way to split bills and pay people back on the spot. In 2017 alone, Motherboard reports, users sent and received 207,984,218 public transactions on Venmo. That’s right—public. That means anyone can scrape this data and do whatever they want with it. Venmo’s reasoning behind this? A Venmo representative told CNET that, “we make it default because it’s fun to share [information] with friends in the social world. [We’ve seen that] people open up to Venmo to see what their family and friends are up to.” To a layperson, this might seem weird. Forbes makes a good point: money is relatively taboo and private to talk about, and having this information public by default shows that Venmo doesn’t care about its users’ privacy.

Sure, it sounds great to quickly get your $10 back from lunch with a friend who forgot their wallet. According to the researcher Do Thi Duc, this simple transaction may carry significant risk. She points out that you might think you have nothing to hide, like grabbing drinks with a friend after work, but after spending time with the data she realized that what we really should be asking is whether we need to share the data at all. Companies aren’t putting their users’ data protection first, which can make a private life public and opens up a world of invasive advertising and tracking; you might even end up in trouble with your employer after a late night out on a work night if you keep your feed public.

What’s worse is that this data can be used and manipulated further, as was highlighted by a now-deactivated Twitter account that posted the first names and profile pictures of people whose payment descriptions contained drug or alcohol terminology. The programmer (Joel Guerra) created the Twitter bot and told Motherboard, “I wanted to demonstrate how much data Venmo was making publicly available with their open API and their public by default settings and encourage people to consider their privacy settings.”

How this affects the cybersecurity world

There are some glaring issues with Venmo having a public default setting. We live in a society that has become aware of, if not obsessed with, protecting data because so many breaches have happened. Things like sharing passwords and Venmo’s public feed create bad habits that make their way into the cybersecurity world.

  • Mind the Data: If people aren’t taking care of their own personal data, how likely is it that they are acting mindfully in their handling of someone else’s data? In other words, how are users supposed to trust an enterprise to properly protect their data from bad actors when poor security habits are so pervasive at the individual level?
  • Lack of Trust: Consumers already have a hard time trusting what goes on behind closed doors when entrusting their sensitive information to enterprise organizations. If companies like Venmo make each day-to-day interaction public by default, imagine what can happen without our knowing. The recent Facebook and Cambridge Analytica privacy debacle was simply a peek behind the curtain.

Update: Since the writing of this blog post, Venmo has updated its privacy settings so that the public feed is no longer the default and the user can choose their own setting: public, friends only, or private.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.
