Submitted via IRC for BoyceMagooglyMonkey
Anyone can track a Venmo user's purchase history and glean a detailed profile – including their drug deals, eating habits and arguments – because the payment app lacks default privacy protections.
This was the finding of a Berlin-based researcher, Hang Do Thi Duc, who analysed the more than 200 million public Venmo transactions made in 2017. Her aim was to highlight the privacy risk from using a seemingly innocuous peer-to-peer app.
By accessing the data through a public application programming interface, Do Thi Duc was able to see the names of every user who hadn't changed their settings to private, along with the dates of every transaction and the message sent with the payment. This allowed her to explore the lives of unsuspecting Venmo users and learn "an alarming amount about them".
The default state for transactions when a user signs up to the app is "public", which means they can be seen by anyone on the internet. Users can change this to "private" by navigating to the app's settings, but it's not clearly highlighted during sign-up.
(Score: 3, Touché) by SomeGuy on Monday July 23 2018, @04:41PM (6 children)
Why do they even HAVE a public option? If they just give the data away then how do they expect to be able to sell it to the highest bidder like everyone else?
(Score: 4, Touché) by archfeld on Monday July 23 2018, @04:46PM
So they don't have to stage a hack to explain how the data got into the wild.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 3, Funny) by bob_super on Monday July 23 2018, @04:57PM (4 children)
Look at me, I'm giving to charity !
Look at me, I'm repaying Big Bubba, so please don't bother to kneecap me !
Look at me, I'm important because you're looking at me !
Look at me, I use smartphone apps, so I know I have no private life anyway ! Might as well cheerfully enjoy before it blows up in my face !
Look at me, I'm helping my hoes' pimps tally their share without beating them up !
Honestly, I don't know.
(Score: 2) by DannyB on Monday July 23 2018, @06:05PM (2 children)
Plausible reasons to have a Public option.
So next question: Why not make the private option the default?
(I don't use the ALT-RIGHT key, I use the ALT-LEFT and CTRL-LEFT keys because my right hand is usually on the moose.)
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 0) by Anonymous Coward on Monday July 23 2018, @08:51PM
Wait until someone finds plausible reasons for the Pubic option. Then you can inquire about it in conjunction with public/private.
(Score: 1, Insightful) by Anonymous Coward on Monday July 23 2018, @10:26PM
Look at all the people using Venmo.
(Score: 2, Insightful) by Anonymous Coward on Monday July 23 2018, @06:36PM
I am told that the reason these payments are "public" is so the others in the "group" (e.g., coworkers who went to dinner) see that everyone paid their share to Alice (who got the 1% cash back for putting the group's dinner on her credit card).
Why "public" and not just accessible to the "group"? Proper security is hard, and "sharing" is a feature if you bullet-point it.
(Score: 2) by rigrig on Monday July 23 2018, @04:42PM
Venmo [venmo.com] is a mobile payment service owned by PayPal. It allows users to transfer money to one another (within the U.S. only) using a mobile phone app.
No one remembers the singer.
(Score: 2) by archfeld on Monday July 23 2018, @04:44PM (8 children)
Anyone stupid enough to buy drugs, legal or not, using an APP deserves whatever comes their way. That is one of the best reasons against a cashless society that I can think of.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 0) by Anonymous Coward on Monday July 23 2018, @05:21PM (6 children)
You mean reasons for? Transactions can be set to private so the issue is that some folks are stupid and "Do Thi Duc" research sounds like quackery!
(Score: 3, Insightful) by insanumingenium on Monday July 23 2018, @05:35PM
A bad default is a problem, and that is a super common Vietnamese name.
(Score: 0) by Anonymous Coward on Monday July 23 2018, @06:00PM (1 child)
(Score: 3, Insightful) by maxwell demon on Monday July 23 2018, @08:31PM
Since the app probably isn't open source, you cannot even know the setting on your end. You have no idea whether in that app “private” really means “only seen by you”.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Insightful) by archfeld on Monday July 23 2018, @10:00PM (2 children)
It doesn't matter if the transaction can be set to private. Buying drugs, legal or not, using anything but cash is foolish. Why leave a trail, paper or otherwise, for a transaction that has a high probability of coming back to bite you in the a$$ if it is made public? Haven't the huge number of 'recovered' email scandals and 'hacked' data exposures taught anyone anything? There is a reason most drug dealers don't take American Express or checks, and it isn't Square's card processing fees either...
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 0) by Anonymous Coward on Tuesday July 24 2018, @09:37AM (1 child)
It's a good thing pharmacies don't require any paperwork because those meds can be really embarrassing.
(Score: 2) by archfeld on Tuesday July 24 2018, @08:50PM
Pharmacy deals that are really embarrassing are usually prescription and covered under HIPAA, so I won't have to hear about it over beers with co-workers at Friday's taco lunch hour.
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act [wikipedia.org]
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 4, Insightful) by DannyB on Monday July 23 2018, @06:10PM
What comes their way should be exactly what they ordered. Even when using an APP.
Control. Just like control of the internet. Just like government approved weak encryption and back doors. It is the very reason that WE WILL have a cashless society. (I doubt we'll ever see a revolution because . . . oh, look! a shiny! version 2.0! And it's on sale!)
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 2) by MichaelDavidCrawford on Monday July 23 2018, @06:23PM (2 children)
Members of the Caltech Community stick together: some complete stranger who is twenty years younger than I lent me $250 because he and I are both Old Scurves, that is, former residents of Caltech's Ricketts House.
(Named after Louis D. Ricketts. I Am Absolutely Serious.)
He wanted to do it with Venmo so I installed it from the App Store. And in fact it works real well for me too.
When I got paid, I repaid his loan through Venmo.
Doubtlessly y'all can see my transactions with my fellow Old Scurve.
Now please explain to me just _what_ I need to do to enable privacy. For some reason I was only able to sleep for three hours last night so just now I'm not firing on all cylinders.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Informative) by insanumingenium on Monday July 23 2018, @06:34PM
Settings->Privacy->Default Privacy Setting->Private. While you are there you can also hit Past Transaction and make all your old transactions private.
(Score: 2, Informative) by Anonymous Coward on Monday July 23 2018, @06:40PM
Here you go [publicbydefault.fyi] MDC.