Venmo is an easy app for paying a friend for dinner. But, according to the Federal Trade Commission, it may even be too easy.
PayPal PYPL, +1.05% which owns Venmo, reached a settlement with the FTC this month stemming from charges that Venmo failed to protect users’ privacy and misled them about how and when money left their accounts.
In its complaint, the FTC said Venmo did not clearly explain the way money is transferred from a person’s Venmo account to his or her bank account, and did not have sufficient security safeguards. Scammers have been able to exploit those features, and, in some cases, take users’ money.
Venmo did not have to pay a financial penalty in the settlement. It just required PayPal and Venmo to better explain its policies and provide stronger protections for consumers.
Venmo has said in its communication with consumers that it uses “bank grade security.” However, the FTC said Venmo did not have sufficient security safeguards until March 2015, which violated the Gramm-Leach-Bliley Act. The FTC also said the default setting on the app is a public setting, and said this created confusion for users.
The default setting for the app is still “public,” and requires consumers to change that setting in their profile and for individual transactions.
“This brings to an end the investigation that included a focus on Venmo platform issues and practices prior to acquisition by PayPal,” a spokesman for Venmo said. The company says it’s taken steps to “significantly strengthen our privacy and data security practices.”
The settlement “should be a cautionary tale for companies that offer these peer-to-peer mobile payment apps,” said Adam Levin, the chairman and founder of security firm CyberScout and the author of “Swiped.” He added, “Convenience should never trump security.”
A common Venmo scam
Some of the worst scams happened when selling items, the FTC said. Here’s how it works: The seller hands over the item once Venmo said the money had been transferred to their Venmo account. But shortly after, the buyer could still ask Venmo to reverse the charge, and the seller would be left with no item and no payment.
In one incident, a seller handed over a set of limited-edition Yeezy Zebra sneakers, a collaboration between Adidas and Kanye West, for $13,550, The Verge reported. But the buyer was a scammer and reversed the payment on Venmo before the seller received the funds.
In fact, that’s exactly what happened to Apple AAPL, +1.72% co-founder Steve Wozniak when he sold approximately $70,000 worth of bitcoin BTC, -5.61% In that case, it was the credit card transaction that was canceled rather than the Venmo transaction.
Zelle, another peer-to-peer payment system, has also seen similar scams, said Al Pascual, a senior vice president and research director at the security firm Javelin. “It’s like writing a check,” Pascual said. “You can’t necessarily go back to the bank and say, ‘That was a mistake.’”
“Zelle is not a platform for buying goods and services,” a company spokeswoman said. “When a consumer sees unauthorized activity on their accounts, our financial institutions have processes in place to resolve that fraud on their behalf.”
Still, she said, “It is critical that Zelle users not use it with anyone with whom they are not familiar.”
How to avoid the scams
When buying or selling online, check the online platform’s insurance policy. StubHub, for example, offers replacement tickets if there are problems with an order. But using Venmo to sell tickets — or anything else, for that matter — doesn’t come with such a guarantee. “If there’s any question you’re buying from a stranger, you should think twice,” Pascual said.
And don’t use Venmo for buying and selling goods. In fact, using a personal Venmo account for business or commercial peer-to-peer payments is prohibited in Venmo’s terms of service unless the user receives specific authorization, a company spokesman said. “These payments are potentially high risk,” he said.