I Know What You Did on Venmo

by Marc Ballon

(Image/Courtesy of the Dashlane Blog)

The bizarre request came from her husband at 2 a.m.

In May 2021, Keighley Woodard’s out-of-town spouse asked her to send $195 on the Venmo payment app. He included an electronic note simply saying that he would explain later.

The hour of the request, coupled with her husband’s strange message, raised suspicions in her mind.

What Woodard didn’t know, according to WSMV News4 in Nashville, Tennessee, is that several of her husband’s friends received the same request at nearly the same time. Assuming that he had some sort of emergency, they transferred money from their Venmo accounts to his.

There was only one problem: They had unwittingly given money to a hacker who had cloned their friend’s Venmo account, replete with his real picture and name.

Because the popular app makes user profiles, payment notes and friend lists public by default, bad actors have repeatedly harvested this information from unwitting users and created fake profiles of Venmo customers, sometimes just by adding a dash or an underscore to their names.

As the Better Business Bureau warned in an Aug. 27, 2021 alert: “Scammers are taking advantage of generous friends by changing their username and profile pictures to impersonate real app users. Using the information visible in Venmo’s public feed, they figure out from whom this person had previously sent or received money. Then, scammers contact these users with requests for money.”
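The check below is an added example, not code from Venmo, the Better Business Bureau or the researchers. It shows how a recipient-side tool could flag a money request whose handle differs from a known contact only by dashes or underscores, or that reuses a contact's display name under a new handle. The contact records, field names and sample handles are constructed, and treating dots and letter case as separators is an added assumption beyond the dash and underscore cases the article mentions.

```python
from __future__ import annotations
import unicodedata

# Dash and underscore come from the article; the dot is an added assumption.
SEPARATORS = "-_."

def skeleton(handle: str) -> str:
    """Comparison key: Unicode-fold, lowercase, drop '@' and separators."""
    folded = unicodedata.normalize("NFKC", handle).casefold().lstrip("@")
    return "".join(ch for ch in folded if ch not in SEPARATORS)

def find_lookalike(requester: dict, contacts: list[dict]) -> dict | None:
    """Return the known contact that `requester` imitates, or None.

    An exact handle match is the real contact, not a lookalike. A requester
    is flagged when the handle differs but its skeleton matches a contact,
    or when it reuses a contact's display name under a different handle.
    """
    known = {c["handle"].lstrip("@").casefold() for c in contacts}
    if requester["handle"].lstrip("@").casefold() in known:
        return None
    for contact in contacts:
        same_skeleton = skeleton(contact["handle"]) == skeleton(requester["handle"])
        same_name = contact["name"].casefold() == requester["name"].casefold()
        if same_skeleton or same_name:
            return contact
    return None

# Constructed sample data (not real accounts).
CONTACTS = [
    {"handle": "@sam-rivera", "name": "Sam Rivera"},
    {"handle": "@jlee22", "name": "Jordan Lee"},
]
REQUESTS = [
    {"handle": "@sam-rivera", "name": "Sam Rivera"},    # the real contact
    {"handle": "@sam_rivera-", "name": "Sam Rivera"},   # separator variant
    {"handle": "@j-lee22", "name": "J Lee"},            # inserted dash
    {"handle": "@srivera_help", "name": "sam rivera"},  # reused display name
    {"handle": "@pat.kim", "name": "Pat Kim"},          # unrelated stranger
]

if __name__ == "__main__":
    for req in REQUESTS:
        hit = find_lookalike(req, CONTACTS)
        verdict = f"LOOKALIKE of {hit['handle']}" if hit else "ok"
        print(f"{req['handle']:<15} {verdict}")
```

A flagged request is a reason to confirm with the contact through another channel before paying.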

Although Venmo allows users to make their transactions private, many don’t have the technological wherewithal or presence of mind to change their settings, experts say. By making so much information publicly available, Venmo inadvertently puts users at risk.

I know what you did on Venmo

Jelena Mirkovic, research associate professor at USC Viterbi and a project leader at the USC Information Sciences Institute (Photo/Courtesy of Jelena Mirkovic)

Journalists have used the app’s search function to uncover a president’s Venmo account, along with his network of associates, including high-ranking officials. Researchers have found explicit messages between lovers and drug dealers.

“There are risks to oversharing. People [on Venmo] share addresses that can be misused, either in identity theft or someone could even come and rob you or stalk you,” said Jelena Mirkovic, research associate professor at USC Viterbi and a project leader at the USC Information Sciences Institute.

“If you share something that’s sensitive, like ‘Here’s money for drugs or drinks’ or ‘It was a great party in Vegas,’ that can have implications later on. For instance, it could affect your job prospects,” added Mirkovic, co-author of “I Know What You Did on Venmo: Discovering Privacy Leaks in Mobile Social Payments,” an academic paper that will soon be published in the Privacy Enhancing Technologies Symposium. Taken even further, victims of domestic abuse might have their whereabouts and activities unmasked whenever they exchange payments and messages with friends.

In the biggest quantitative study of its kind, a team of researchers — including Mirkovic; USC Viterbi Ph.D. students Rajat Tandon and Pithayuth Charnsethikul; Dhiraj Murthy, director of the Computational Media Lab at the University of Texas at Austin; and Ishank Arora, a master’s degree student in computer science also at the University of Texas — detailed how millions of Venmo users reveal extremely personal information about themselves on Venmo.

Because Venmo requires users to send messages along with their payments, many users unwittingly provide sensitive information in their online communications, which Venmo by default makes public. What the researchers call “privacy leaks” include drug and alcohol use, political leanings, email addresses, phone numbers, and even Wi-Fi, bank account and Netflix passwords.

In a contemporaneous study, Mirkovic, Tandon and their colleagues identified scores of Alcoholics Anonymous and biker gang members, as well as gamblers, through their Venmo friend networks — even though many people in these groups went to extraordinary lengths to hide those affiliations, including sending nonsensical messages with their Venmo payments.

“The notes of other users and sometimes the group’s display name on Venmo expose the sensitive nature of everyone’s membership,” Tandon said.

In other words, what happens on Venmo doesn’t necessarily stay on Venmo.

Strong social orientation

USC Viterbi Ph.D. student Rajat Tandon (Photo/Courtesy of Rajat Tandon)

In 2009, Iqram Magdon-Ismail and Andrew Kortina, students at the University of Pennsylvania, came up with the idea for Venmo. Why not, they thought, create a platform that would allow friends to send money to one another?

The pair initially set up Venmo as a private and text-based platform restricted to BlackBerry devices. Soon thereafter, they decided to make payments publicly visible, although not the amounts. “I was thinking in the back of my head, ‘What if we made a feed for everybody,’” Magdon-Ismail told Wired in March 2017. “This kind of is like Facebook or Twitter for me.”

Acquired by PayPal in 2013, Venmo has grown considerably since then. One aspect that hasn’t changed, though, is the financial app’s strong social orientation. Most Venmo accounts have a “friends list” that publicly shares transaction details in social media-like feeds, including payment notes. (Last year, Venmo made it possible for users to make their list of friends private.)

Unlike competing payment apps, Venmo combines social media with financial transactions. With 83 million users, “Venmo provides a social way to pay your friends when you owe them money and don’t want to deal with cash,” the company says on its website.

Many millennials like the social aspect, experts said. They use Venmo to check in, sometimes sending one another small monetary gifts, say $1, accompanied with a message like “Thinking of you.” Others send silly jokes, along with a rent payment.

Exploiting Venmo

Although the app’s social functions have won it legions of fans, critics contend that malefactors have repeatedly abused Venmo to violate people’s privacy. Over the years, bad actors have accessed publicly available information on Venmo to steal from and harass unsuspecting users.

In 2018, privacy advocate Hang Do Thi Duc reported that she had used Venmo’s public API to sort through nearly 208 million transactions. Using that information, she homed in on five individual users, including a man in Santa Barbara, California, who sold marijuana. Do Thi Duc uncovered “how countless Venmo users’ drug habits, personal finances and fights with significant others are available for all to see,” the Electronic Frontier Foundation said in an open letter to PayPal, Venmo’s parent company.

One year later, information security expert Dan Salmon wrote a 20-line Python script and scraped millions of public Venmo transactions, downloading 115,000 per day. In an opinion piece in Wired, Salmon said that public data isn’t “innocuous.”

“A quick search for a few drug names and slang terms turns up hundreds of transactions. Though it’s possible that many of these were jokes — admittedly, my friends do this — if those descriptions were accurate, an attacker may be able to use such information for blackmail,” he wrote.

More recently, BuzzFeed found President Joe Biden’s Venmo account in less than 10 minutes, using only the app’s search tool and public friends feature. Additionally, the online news and entertainment business discovered nearly a dozen Biden family members and a social web of contacts that included the president’s children, grandchildren and senior aides — along with all of their Venmo friends.

Although Biden had made his Venmo transactions private, at the time there was no way for him to do the same with his contacts, which enabled BuzzFeed to identify his account. Biden’s Venmo account was deleted soon after because of national security concerns.

“The peer-to-peer payments app leaves everyone from ordinary people to the most powerful person in the world exposed,” BuzzFeed concluded in its May 14, 2021, report.

Venmo has tightened its privacy settings several times in response to such high-profile incidents and made it more difficult to access massive amounts of data at one time. It also began allowing users to make their friends list private after the exposure of President Biden’s account. It eliminated its global media feed, or random users’ transactions that had appeared in Venmo’s news feed, as well.

“These are steps in the right direction, but more is needed,” said Mirkovic.

Quantifying Venmo’s privacy breaches

Against this backdrop, Mirkovic and Tandon and their research collaborators set out to ascertain the extent to which Venmo compromises users’ privacy.

In the most comprehensive analysis to date of Venmo transactions, they examined 389 million public messages over an eight-year period from 2012 to 2020. They found that 41 million transaction notes, or 10.5% of the electronic missives, leaked “some sensitive information such as [a] health condition, political orientation and drug and alcohol consumption,” according to the study. Astonishingly, nearly 40% of the data set’s users had publicly shared sensitive information on the financial app at least once, in many cases inadvertently.

Some of the Venmo messages exchanged between users included “Sexual pleasures”; “for aids treatment. Get well soon”; “Lesbian Activities”; “Bush did 9/11”; “weed and other very bad drugs”; “[Name] man, thank you 4 everything. The password to my Bank account is [Password.] take what you want”; “Call me [Phone number]”; and “Send it to my PayPal [[email protected]].”

The researchers, using a powerful machine learning model, classified information contained in transaction notes as sensitive or non-sensitive. They further refined the data by grouping sensitive information into 14 categories, including criminal and violent behavior, sexual orientation, health and physical location.

“I was a little shocked by what we found, details about user payments from everything from birthday cupcakes to AA membership,” Mirkovic said. “I was thinking, I bet these people don’t know that anyone can see these messages.”

The team found that an increasing number of Venmo users have opted to make their settings private. In 2013, 25% of users had nonpublic profiles. Five years later, that number had jumped to 37%, according to the study.

Other times, Venmo users, unable or unwilling to change their app settings to private, went to great lengths to obscure their activities. Around 25% of all notes reviewed contained only emojis. The researchers classified another 25% of notes as “cryptic,” meaning that they contained only random numbers, greetings such as “hi” and “hey,” or a single word like “too” or “the.” These patterns illustrate that users care about their privacy, but are not sure how to fully reclaim it.

Leveraging a machine learning classifier to recognize and sort certain keywords, such as AA-specific phrases (e.g., 7th tradition), along with a high number of payments received from many users, Mirkovic and Tandon identified several specific AA groups. Based on public notes to these groups, the researchers mapped out membership connections.

“You can be careful, but if you’re not making your notes private, then whatever you do with that group has the potential of revealing your membership,” Mirkovic said.

In the course of their research, they attempted several times to speak to Venmo, but no high-ranking official ever responded. “We tried through multiple channels but couldn’t get anyone,” Mirkovic said.

Venmo did not respond to interview requests from USC Viterbi.

Interestingly, the team did receive money through PayPal’s Public Bug Bounty program for finding multiple security flaws in Venmo’s APIs. Venmo has since addressed those issues.

Private time

Many, if not most, Venmo users appear to want greater privacy protections. A 2018 Mozilla-Ipsos poll found that 77% of Americans opposed public-by-default settings on financial apps. That same year, Mozilla delivered a petition with 25,000 signatures asking Venmo to change its settings.

“Previous work has made it very clear that users don’t want public defaults,” said Gennie Gebhart, activism director of the Electronic Frontier Foundation in San Francisco. “Mozilla and Ipsos ran a poll with pretty clear results that American users did not think payment information should be public by default. This all tracks with common sense.”

Still, Venmo has steadfastly resisted changing its default settings.

A company spokesperson told CNET in 2018 that “We make it [public by] default because it’s fun to share [information] with friends in the social world. People open up Venmo to see what their family and friends are up to.”

The company might be making a mistake, Gebhart said. “Social features may differentiate Venmo from other popular alternatives, but that’s a distinction that’s getting more and more negative as more users — including the president of the United States! — learn about Venmo’s failures here.”

Venmo has also insisted that it’s relatively easy for customers to make their payment notes and friends lists private.

However, that hasn’t always been the case. Consider that when Venmo is installed on a user’s phone, the app may, if the user consents, download the user’s complete contact list from the phone. Venmo then automatically adds these contacts as friends. This has large implications for user privacy because anyone logged in can crawl Venmo to build a list of phone contacts for any registered user.

In 2018, PayPal reached a settlement with the Federal Trade Commission in part because of Venmo’s confusing settings. In its complaint, the FTC charged that the financial app had “misled consumers about the extent to which they could control the privacy of their transactions.”

Mirkovic, Tandon and Charnsethikul would still like to meet with Venmo executives for wide-ranging discussions. “We therefore encourage Venmo and other social platforms to proactively work with researchers to collaboratively develop better, pro-privacy policies,” the researchers write in their study.

In the meantime, Mirkovic has a strong recommendation for the millions of fans of the mobile social payment app.

“There’s no real benefit in going public on Venmo,” she said. “Users should make everything private, including their list of friends.”

Published on April 20th, 2022

Last updated on April 27th, 2022