Woops, I hijacked your Venmo account

A worrisome oversight in Venmo authentication

Posted by RDJ on April 30, 2016

Header image is Shelf by Bryce Bradford used under license CC BY-NC-ND

I recently moved to the U.S. (more on that later!) and people have introduced me to Venmo, which doesn’t exist in Canada. It seems to be very popular here. Although…part of me thinks that when I can read the Wikipedia page for something without scrolling, it hasn’t hit the big time yet.

Venmo is an app and website that lets people transfer money to each other. It’s primarily designed for small exchanges, with fairly limited transaction caps.

Somebody asked me for payment through Venmo, so I decided to sign up. I tried to create an account on my phone, using my new U.S. phone number, only for the app to tell me that my number was already in use.

Huh. I can see where this is going…

Sam Elliot

This ain’t my first rodeo

I clicked on reset my password, which took me to a page that asked for my phone number. Which I then dutifully entered. Venmo then sent me a verification code. To my phone.

Facepalm

And that’s all she wrote

Sorry man. I just clicked through and followed the easiest, most intuitive path. Which was taking your account.

Hopefully this didn’t need to be said: I didn’t take any money or abuse this person (who shall remain unnamed). I wouldn’t, and couldn’t. It’s not even an active account (as evidenced by it having a recycled phone number attached to it). Let’s not freak out.

I didn’t have to verify the email address, account name, date of birth, mother’s maiden name, or know any other information whatsoever. Not that those things guarantee much protection. Say what you will about the clunkiness of Canada’s widely used internet transfer system, but at least it looks pretty legit and has tighter authentication.
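As an added illustration, not Venmo’s code, here is a toy reset handler in Python that contrasts the phone-only flow described above with one that demands a second identifier and treats a number that hasn’t been re-verified recently as possibly recycled. The account record, the 180-day threshold and the +1 555 number are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    username: str
    email: str
    phone: str
    phone_verified_at: datetime  # last time the user proved control of the number


class ResetError(Exception):
    pass


# Constructed sample: a dormant account whose number the carrier has since reissued.
ACCOUNTS = {
    "+15555550100": Account(
        "dormant_user", "dormant@example.com", "+15555550100",
        phone_verified_at=datetime(2014, 1, 1),
    ),
}

# Assumed policy: a number not re-verified within this window is not trusted on its own.
PHONE_STALE_AFTER = timedelta(days=180)


def weak_reset(phone: str) -> dict:
    """The flow in the post: phone number in, code out to that same number.
    Whoever currently holds the number gets the account."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        raise ResetError("no account")
    return {"channel": "sms", "deliver_to": acct.phone}


def hardened_reset(phone: str, email: str, now: datetime) -> dict:
    """Require a second identifier, never route the reset solely to a stale number,
    and fail identically so the endpoint doesn't reveal which numbers are registered."""
    acct = ACCOUNTS.get(phone)
    if acct is None or acct.email.lower() != email.lower():
        raise ResetError("reset request could not be completed")
    result = {"channel": "email", "deliver_to": acct.email}
    if now - acct.phone_verified_at <= PHONE_STALE_AFTER:
        result["second_factor"] = "sms"  # fresh number: also demand the SMS code
    else:
        result["reverify_phone_on_login"] = True  # stale number: re-prove control first
    return result
```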

My advice to anybody giving up their phone number is to purge any information that Venmo will let them purge, and close out the account. My advice to any criminals actively abusing this (or thinking of doing so) is to be cognizant of how easily traceable it is.

I presume this easy reset is a design feature for Venmo, a willing trade-off between convenience and security. This is a company where many of the top Google results indicate a litany of criticism.

Venmo’s CEO offered the tepid response of “I think there’s some valid feedback and we’re going to take a look at it.” It’s still a young company and they’ve prioritized ease of use.

Venmo advises that “if you have a Venmo account, we’ll send you a password reset link that you can use to sign into Venmo!” The first six words are redundant.