Money Transfer App’s Default Public Setting Leaves Users Exposed

A Berlin-based researcher analyzed more than 200 million public Venmo transactions made in 2017 and was able to glean an alarming amount of information from them.

By accessing the data through a public application programming interface, Do Thi Duc was able to access information on every user who hadn’t changed their settings to private – the app’s privacy setting is set to ‘public’ by default – including their names, the dates of every transaction and the message sent with the payment.

Users can change the setting to “private”, but they would have to navigate the app’s settings menu. The default setting is not clearly highlighted during sign-up either.
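The exposure described above comes down to one design decision: which visibility a transaction gets when neither participant has ever touched the settings menu. The following added example (not code from Venmo, PayPal or the researcher; the users, transactions and field names are constructed) models an unauthenticated feed endpoint and shows how the same set of users and the same opt-out choices produce very different exposure depending on whether the default is public or private. It also applies the most restrictive setting of the two participants, so one person opting in cannot publish a counterparty who never opted in.

```python
from dataclasses import dataclass
from enum import Enum


class Visibility(str, Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    PRIVATE = "private"


# Higher rank = more restrictive; used to pick the stricter of two settings.
_RANK = {Visibility.PUBLIC: 0, Visibility.FRIENDS: 1, Visibility.PRIVATE: 2}


@dataclass(frozen=True)
class Transaction:
    sender: str
    receiver: str
    amount_cents: int
    note: str
    date: str


def effective_visibility(tx, prefs, default):
    """Visibility of a transaction: the stricter of the two participants'
    preferences, where a participant with no stored preference gets `default`."""
    sender_pref = prefs.get(tx.sender, default)
    receiver_pref = prefs.get(tx.receiver, default)
    return max(sender_pref, receiver_pref, key=_RANK.__getitem__)


def feed_for_anonymous(transactions, prefs, default):
    """What an unauthenticated caller of a public feed API would receive.
    Only fully public transactions are returned, and the amount is never
    included (the article reports names, dates and notes being exposed)."""
    return [
        {"sender": tx.sender, "receiver": tx.receiver,
         "date": tx.date, "note": tx.note}
        for tx in transactions
        if effective_visibility(tx, prefs, default) is Visibility.PUBLIC
    ]


def exposure_by_default(transactions, prefs):
    """Count how many transactions leak to anonymous callers under each
    possible default, holding the users' explicit choices constant."""
    return {
        default.value: len(feed_for_anonymous(transactions, prefs, default))
        for default in (Visibility.PUBLIC, Visibility.PRIVATE)
    }


# Constructed sample data: four users, only carol ever visited the settings
# menu and switched herself to private. Everyone else relies on the default.
SAMPLE_PREFS = {"carol": Visibility.PRIVATE}
SAMPLE_TXS = [
    Transaction("alice", "bob", 95000, "rent", "2017-03-01"),
    Transaction("bob", "carol", 4200, "dinner", "2017-03-02"),
    Transaction("dave", "alice", 12000, "concert tix", "2017-03-03"),
    Transaction("carol", "dave", 3100, "groceries", "2017-03-04"),
]


if __name__ == "__main__":
    # With a public default, every transaction not touching carol leaks.
    for row in feed_for_anonymous(SAMPLE_TXS, SAMPLE_PREFS, Visibility.PUBLIC):
        print("public-default feed:", row)
    # With a private default, nothing leaks until someone opts in.
    print(exposure_by_default(SAMPLE_TXS, SAMPLE_PREFS))
```

The point of `effective_visibility` taking the stricter of the two settings is that a payment describes two people; letting the payer's preference alone decide what is published would expose the recipient's name, date and note even after the recipient had opted out.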

The mobile payment service is owned by PayPal. It allows individuals based in the US to transfer money to one another. Venmo handled $12 billion in transactions in the first quarter of 2018.

Some of the things that Do Thi Duc was able to access were private conversations that reveal a great deal about users’ private lives, including transactions made by a person who sells cannabis in Santa Barbara and a lovers’ quarrel. Those examples are illustrated on Do Thi Duc’s findings website, ‘Public by Default’. The names in the report have been anonymized.

Venmo is unusual in that it combines features of money transfer apps and social media platforms, according to the Electronic Privacy Information Center’s Christine Bannon. “One of those is usually fairly public and one is usually very private, so it’s hard to gauge consumer expectations of privacy,” she said.

The transactions and conversations might seem trivial, but they uncover a lot of information that can be used to exploit individuals, including who is in their network, how much they pay for rent, and even who they went out to dinner with.

Do Thi Duc’s project shows just how important it is to go through the privacy settings before using any app you install. Some online services take more care over these issues (most after having had their fingers burnt), but not all of them do. And as this example shows, even apps that handle such critical processes are not immune to slacking when it comes to privacy.