It's a familiar sinking feeling. What if the easy app you use all the time is leaving you vulnerable to a digital attack? Even worse, what if the features that make it easy to use are the same ones that make it vulnerable?
That's the case made in a Slate piece by Alison Griswold yesterday, taking Venmo to task for lax security practices. Griswold followed a user whose account had been compromised and drained of close to $3000. The subject didn't find out until a full day later, thanks to disabled notifications. It's unclear how the attacker got in, but the company does not support the two-factor protections that might have kept him out. (Venmo's parent company PayPal offers both two-factor authentication and mandatory notifications for every transaction and password reset.) The subject eventually got a refund from Chase, but deactivated his Venmo account shortly after. Reactions to the piece on Twitter show many users are responding to the story by doing the same.
What if the features that make it easy to use are the same ones that make it vulnerable?
Venmo is still weighing how it handles these incidents in the wake of the new publicity, but CEO Bill Ready says the company often prefers to address fraud without alerting the user, for simple experience reasons. "I think there are some valid points around how we can communicate more effectively on a couple of those issues," he told me, "but in many of these cases, we want to handle it seamlessly so we're working behind the scenes." That sort of behind-the-scenes fraud monitoring is common in the credit card industry, but for Griswold's subject, who had just 48 hours to report the compromise in order to secure a refund, that notification policy starts to look much worse. Even if Venmo was tracing fraud behind the scenes, the subject had no clear idea of what protections were in place. Even worse, he waited for days for an official Venmo response, suggesting a real breakdown in customer service.
"We want to handle it seamlessly."
But while Venmo has a lot of work to do on customer service, the app’s security is better than Griswold suggests. There's nothing in the piece that indicates Venmo accounts are particularly easy to hack, or that Griswold's subject fell victim to any attacks that wouldn't work on conventional banking apps. There’s also no evidence that Venmo has any issues in its handling of routing numbers. After the account is compromised, Chase recommends an entire new bank account, suggesting the account is unrecoverable, but the system isn’t as bad as it sounds. Venmo never makes routing or account numbers visible to a user — the information stays encrypted on company servers and is only used on the back end — so there's no reason to believe a compromised Venmo account would compromise a linked bank account.
The biggest security criticism is that Venmo doesn't support two-factor authentication, in part because of its mobile-first approach. But Venmo's hardly alone in missing out on the feature: Citibank, Capital One, and Wells Fargo don't offer it either. They should — they all should! — but it's hard to call it a unique vulnerability. And if Venmo users do want extra protection, the company offers an ATM-style PIN feature, which asks you for a persistent four digits every time you log in.
But maybe tapping in an extra four digits ruins the fun. This is the real meat of Griswold's criticism, and it's harder to shake. Venmo prides itself on seamless transactions — one tap and you're done — and users have gotten used to that convenience. (This may also be why the PIN settings are buried in the settings menu and aren't mentioned in the sign-up process.) It's been an extremely effective tactic: according to Ready, the company handled $900 million last quarter, inching up on a billion. For users and executives alike, extra security measures may start to feel like rain on an unusually successful parade.
It's too early to say how the company will react to the security concerns, but the message seems to have gotten through. "I think there's some valid feedback," Ready says, "and we're going to take a look at it." It's a difficult balancing act, but it may be time for the company to turn the corner toward something less convenient but more secure. Convenience is no good if people don't trust it, and after the latest criticism, users might welcome a few extra login steps.