Venmo’s broken security
I just changed the password on an account that is not mine – but it had my email address and frequently sent me financial transaction reports in the clear. This is a lesson for how insecure online services are today – and the severe privacy problems inherent in sloppy cloud computing businesses.
Someone entered my email address for their account at Venmo. Months ago. Apparently Venmo NEVER VERIFIED the email address. Consequently, I received their emailed financial transaction correspondence – for several months. Guess their customer never noticed they were not receiving emails? (Or is Google broken and one email address is being delivered to different people? Anything is possible!)
See Updates at the bottom of this post – I will be updating this post
Venmo sent me financial updates like this one – sending me the name and photo of the person that I had just paid (Privacy? Hello? Remember, I am not and have never been a customer of Venmo!)
Financial records are protected by law (which law, depends on various factors). At a minimum, disclosure of your personal financial information to governments is covered by the Financial Privacy Act of 1978 and other disclosures by the Gramm-Leach-Bliley Act of 1999. They are also subject to privacy policies – Did Venmo disclose to their customers that their personal financial information may be disclosed to completely random strangers on the Internet?
Then again, Venmo, I think, may be a social network for money transactions, where it posts all of your transactions online. Judging from a search for Venmo on Twitter, Venmo is used mostly for paying off sexual favors/sugar daddy transactions/pictures of private body parts. It may well be that the purpose of Venmo is to share one’s financial transactions with everyone else! There is no financial privacy on Venmo!
Unable to Contact Venmo
Months ago I attempted to notify Venmo of this problem but they ignored me. Venmo only enables customers to contact them – see their Contact Us page. If you do not have an account number, you cannot contact them to fix this! I had no way to contact them!
I sent a description of the problem to them on Twitter. They never replied.
This is not my problem to solve and I did not want to waste a lot of time dealing with trying to fix their problem – both the customer – and me – are the victims of their defects. I never volunteered to become a party to their financial correspondence and they do not provide an obvious way for me to get rid of it or fix this for their actual customer.
Months later, as I reviewed old email I ran across this problem again.
Trying to Fix the Problem
Keep in mind – non customers cannot contact Venmo (see their Contact Us page link, above).
Today I figured I’d try to log in to the account, possibly find the individual’s phone number and call them directly to let them know. (I’ve done this previously as I receive erroneous correspondence from other vendors who never verified customer-entered email addresses – there is literally no easy way for drive-by victims to correct this – especially when my own email address is abused this way every week.)
Today, I went to the account – entered my own email address which they’ve used incorrectly – and said I’d forgotten my password. They sent me a password reset link. I changed the account password. I should never have been allowed to do this without a secondary authentication step!
I cannot log in to the account because they do have two-factor authentication set up (good!). Their password change should have used 2FA, but they did not.
The owner of the account cannot log in either because it let me change the password – Venmo should never have allowed me to do that. I’ll be happy to give the password to Venmo if they care enough to follow up with me and fix their serious security flaws.
Venmo then emailed me to let me know that the account had been changed.
Now that I have done this, I have again attempted to notify Venmo of their poor security through their Twitter support account. Venmo is a service of PayPal.
- This is scary when a financial service does not verify the email address and sends correspondence to the wrong person, and further enables anyone with a reset link to reset the password.
- You should not use a financial service that does not respond when someone notifies them of a security problem – months ago.
- I am hopeful this finally gets their attention, they fix the problem, and they enable their actual customer to get their account set up properly.
- All companies need to give “drive-by victims” of incorrect email addresses a simple way to fix this problem. This is a serious issue; my email account generally receives emails intended for other people many times per week, including documents marked confidential. Yet I often have no way to contact anyone to get them to fix the problem.
- These are extremely serious security problems, not just at Venmo.
- If I do not hear from them, I will print out this blog post and mail it to the CEO of the company and the Federal banking regulator. No one should have to go to such lengths to get them to fix their security problems. Good grief. I am hopeful this post might get someone at Venmo to care about this.
Details and Screen Shots
First, I said I forgot my password and they emailed me a link to reset the password, with no attempt to verify my credentials, nor use the two factor authentication they have set up on the account:
I then successfully began the log in process:
The following confirms they had two-factor authentication set up for the account – but they did not use this for the password change. Further, this screen appears after I have “logged in” using the email address and new password I created for their customer’s account:
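The two defects described above (recovery mail sent to an address the owner never confirmed, and a password reset that succeeds on the strength of the emailed link alone even though 2FA is enabled) are modelled below beside a hardened flow. This is an added example, not Venmo’s or PayPal’s code; the `Account` class, the in-memory reset tokens and the TOTP secret are all constructed for the demonstration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str
    email_verified: bool             # did the owner ever confirm this address?
    totp_secret: Optional[bytes]     # set once the customer enabled 2FA
    password_hash: str = "old-hash"
    pending_reset: dict = field(default_factory=dict)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by common authenticator apps."""
    mac = hmac.new(secret, (now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    code = int.from_bytes(mac[mac[-1] & 0x0F:][:4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def request_reset_insecure(acct: Account) -> str:
    # A reset link goes to whatever address is on file, confirmed or not.
    acct.pending_reset = {"token": secrets.token_urlsafe(24)}
    return acct.pending_reset["token"]

def complete_reset_insecure(acct: Account, token: str, new_hash: str) -> bool:
    # Holding the link is enough to change the password, even with 2FA enabled.
    if not hmac.compare_digest(acct.pending_reset.get("token", ""), token):
        return False
    acct.password_hash = new_hash
    return True

def request_reset_hardened(acct: Account) -> Optional[str]:
    # Recovery mail never goes to an address the owner has not confirmed.
    if not acct.email_verified:
        return None
    acct.pending_reset = {"token": secrets.token_urlsafe(24), "exp": time.time() + 900}
    return acct.pending_reset["token"]

def complete_reset_hardened(acct: Account, token: str, new_hash: str,
                            second_factor: Optional[str], now: Optional[int] = None) -> bool:
    # An unexpired, single-use token AND the account's second factor are both required.
    pr = acct.pending_reset
    if not pr or time.time() > pr["exp"] or not hmac.compare_digest(pr["token"], token):
        return False
    if acct.totp_secret is not None:
        expected = totp(acct.totp_secret, int(time.time()) if now is None else now)
        if second_factor is None or not hmac.compare_digest(expected, second_factor):
            return False
    acct.password_hash = new_hash
    acct.pending_reset = {}          # the link cannot be replayed
    return True
```

The `now` parameter exists only so the TOTP step can be checked against the RFC 6238 test vector; a deployment would use the clock and also notify the owner through a channel other than the address being recovered.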
Basically, Venmo has significant security problems. It will be interesting to see if they FINALLY contact me and fix their broken security. I have sent them a message on their Twitter support account explaining what was done and a link to this web page. I want them to fix this and I hope they want to fix this too.
I’ve been dealing with several levels of security problems today, and “information” and “security” are two words that should never appear in the same sentence. The tech sector is a mess.
I will update this post in the future if I hear anything.
UPDATES 10 MARCH 2018
The problem is I am not a customer and I do not have an account on file with Venmo!
After I replied that I am not a customer, they have provided me with this information which may be of use to others:
UPDATES 11 MARCH 2018
Late in the day, Venmo Support emailed me to say they have removed my email address from the account and I should no longer receive emails from Venmo. Their response did not explain how my email address became associated with the account, nor did it explain what steps they are taking to prevent passwords from being changed by non-Venmo customers. At this time, I strongly recommend not opening an account and not using Venmo due to their security and privacy problems – which appear to remain unresolved.