How Fraudsters Stole Money from Venmo Users
By Jon Coss, CEOApril 10, 2018
In yet another example of the creativity of fraudsters exploiting security flaws in commonly used services, the Federal Trade Commission recently announced a settlement with Venmo, the popular money exchange service. The charges, filed in 2016, include some surprisingly basic security flaws in Venmo, which boasts of “bank-grade security”.
One major problem was found in Venmo’s cash reconciliation process. It would notify users that money had been deposited in their accounts when, in reality, many of the transactions were still under review. This allowed fraudsters to “purchase” and receive products before their payments were validated. Sellers, assuming that cash had been received, would ship the product and then find themselves without an actual payment. One scammer used this technique over several years to steal over $125,000 before being discovered.
In addition to this security flaw, federal regulators also noted that Venmo neglected to notify users of username and password changes or when new devices were added to their accounts. This allowed hackers to hijack accounts without any warnings to the actual account owners.
While the FTC’s settlement does not include any cash damages, it is likely that Venmo will face a slew of upcoming lawsuits. Beyond this, Venmo’s issues are particularly concerning to consumers. We often assume a certain level of security and common-sense practices when we use well-known applications and services. Clearly, we should all be concerned about trusting our money and identities with any company—regardless of how safe it appears to be.