PayPal settles Federal Trade Commission (FTC) charges over security and privacy flaws in its peer-to-peer (P2P) payment app Venmo.
As part of the settlement, Venmo agrees not to misrepresent, and to protect, the privacy, confidentiality, and security of the information involved in using its service. In addition, the company commits to making explicit disclosures to its users about how it handles their transactions.
It also pledges compliance with the Gramm-Leach-Bliley Act, which requires financial companies to explain their information-sharing practices to their customers and to safeguard sensitive data.
Thirdly, Venmo agrees to obtain biennial third-party assessments of its compliance with the settlement terms for the next 10 years.
This ends a two-year investigation by the Federal Trade Commission that started in early 2016, when PayPal revealed through an SEC (US Securities and Exchange Commission) filing that the FTC was looking into its business operations.
Venmo security flaws
Venmo is a free digital wallet that allows users to transfer money to one another (within the US only) using a mobile phone app or web interface. Users sign up and create an account, which they link to their bank accounts or to debit or credit cards.
Venmo claimed it uses bank-grade security systems and that personal and financial data are encrypted and protected on secure servers to guard against any unauthorized transactions. These security claims have been questioned by security researchers, journalists and consumers.
In his blog, security researcher Martin Vigo explains how to steal $2,999.99 in less than 2 minutes with Venmo and Siri (Apple's intelligent personal assistant). The scheme uses Siri voice activation on a locked iPhone to send a payment request via SMS and then steal the person's funds.
In another case, professional poker player Mohsin Charania told ABC News that his account was hacked and funds stolen. He said: "It was frustrating. I had over $2,000 on there from various transfers that I received from friends and I had no way of finding out what happened to my account."
Despite Venmo's security representations and the many cases reported, the FTC had reason to believe that Venmo failed to implement sufficient safeguards to protect the security, confidentiality, and integrity of consumers' information.
The regulator cited instances where Venmo failed to send customers security notifications about changes to their account settings: it did not inform them that their password or e-mail address had been changed, that a new e-mail address had been added, or that a new device had been added to their account.
As a result, in some instances unauthorized users took over customers' accounts, changed the passwords or e-mail addresses associated with them and withdrew funds, all without any notification reaching the account owners.
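The takeover sequence the FTC describes (a contact or credential change made from an unfamiliar device, followed shortly by a withdrawal) is exactly the pattern an account-activity audit log can surface, whether or not the user was notified. The following is an added example and not Venmo's or PayPal's code: the event format, device identifiers and 24-hour window are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real Venmo data). Each event is
# (ISO timestamp, user, event type, device id); input order is not assumed.
EVENTS = [
    ("2018-01-05T08:00:00", "bob",   "login",            "phone-B"),
    ("2018-01-10T09:00:00", "alice", "login",            "phone-A"),
    ("2018-01-10T09:05:00", "alice", "withdraw",         "phone-A"),
    ("2018-01-12T22:10:00", "alice", "login",            "phone-Z"),
    ("2018-01-12T22:11:00", "alice", "email_changed",    "phone-Z"),
    ("2018-01-12T22:12:00", "alice", "password_changed", "phone-Z"),
    ("2018-01-12T22:20:00", "alice", "withdraw",         "phone-Z"),
    ("2018-01-12T23:00:00", "bob",   "password_changed", "phone-B"),
    ("2018-01-13T10:00:00", "bob",   "withdraw",         "phone-B"),
]

# Setting changes the article says Venmo failed to notify users about.
SENSITIVE = {"email_changed", "password_changed", "device_added"}

def flag_takeover_withdrawals(events, window_hours=24):
    """Return (timestamp, user, device) for each withdrawal that occurs within
    `window_hours` of a sensitive setting change, where that change was made
    from a device the account had first seen less than `window_hours` earlier.
    That is the takeover chain: new device -> change contact/credentials -> cash out.
    A change from a long-known device (bob below) is treated as routine."""
    window = timedelta(hours=window_hours)
    first_seen = {}   # (user, device) -> first time this device touched the account
    last_change = {}  # user -> (time of latest sensitive change, made from a new device?)
    flagged = []
    for ts, user, kind, device in sorted(events):   # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        first_seen.setdefault((user, device), t)
        if kind in SENSITIVE:
            device_is_new = t - first_seen[(user, device)] <= window
            last_change[user] = (t, device_is_new)
        elif kind == "withdraw" and user in last_change:
            changed_at, from_new_device = last_change[user]
            if from_new_device and t - changed_at <= window:
                flagged.append((ts, user, device))
    return flagged

if __name__ == "__main__":
    for hit in flag_takeover_withdrawals(EVENTS):
        print("possible account takeover:", hit)   # alice's withdrawal from phone-Z
```

In a real deployment the same change events should also drive notifications to the previous e-mail address, since a notice sent only to the attacker's newly added address never reaches the owner.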
Acting FTC Chairman Maureen Ohlhausen said that Venmo did not live up to the promises it made to its users, who suffered real losses, adding: "The payment service also misled consumers about how to keep their transaction information private. This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one."
In the settlement, PayPal has agreed to be more transparent and honest about Venmo's vulnerabilities.
The Venmo investigation and settlement make clear that the security risks of peer-to-peer (P2P) payment apps are greater than most users realize.
Fraud risks on P2P payments apps
Zelle, another popular P2P payment solution touted as the Venmo alternative and backed by a consortium of American banks, is also plagued by security flaws and fraud.
In a recent article, TechCrunch explains how Zelle users are finding out the hard way that it offers none of the fraud protection they would expect from banking institutions or PayPal.
Fraudsters actually encouraged their victims to use Zelle for payments. Criminals directed people to open Zelle accounts for transactions advertised on Craigslist.
The victims transferred funds to buy items such as concert tickets using Zelle, believing the banks would stop fraud or that the transactions were insured. Once the fraudster received the money, he or she shut down the Zelle account, and no tickets were delivered.
When victims contacted their banks they learned that the transaction was uninsured and the money was gone. Some victims were upset because the Zelle app was actually recommended on some banks’ websites.
Whether or not Zelle, Venmo, PayPal or any other peer-to-peer payment service succeeds in winning consumers' hearts, they will certainly need to build the most important feature into their service: security.