
I Know What You Did On Venmo

A team led by USC Viterbi researchers has discovered millions of “privacy leaks” on the mobile social payments app.

November 28, 2022 Marc Ballon

The bizarre request came from her husband at 2 a.m.

In May 2021, Keighley Woodard’s out-of-town spouse asked her to send him $195 on the Venmo payment app. He included an electronic note simply saying that he would explain later.

The hour of the request, coupled with her husband’s strange message, raised her suspicions.

What Woodard didn’t know is that several of her husband’s friends received the same request at nearly the same time. According to WSMV News4 in Nashville, Tenn., his friends assumed he had some sort of emergency and transferred money from their Venmo accounts to his.

The problem? They had unwittingly sent money to a scammer who had set up a look-alike Venmo account bearing their friend’s real name and photo.

Ditch the Default

The popular payment app makes user profiles, payment notes and friend lists public by default so anyone can see your information. Journalists have used the app’s search function to uncover President Joe Biden’s Venmo account and his network of associates—including other high-ranking officials. Researchers have found explicit messages between lovers and drug dealers.

And bad actors have repeatedly harvested information from unwitting users and created fake profiles of Venmo customers, sometimes just by adding a hyphen or an underscore to their names, to request money. It’s widespread enough that the Better Business Bureau warned users of the scam in August 2021: “Using the information visible in Venmo’s public feed, they figure out from whom this person had previously sent or received money. Then, scammers contact these users with requests for money.”


Although Venmo allows users to make their transactions private, experts say many don’t have the technological wherewithal or presence of mind to change their settings. By making so much information publicly available, Venmo inadvertently puts users at risk. “People [on Venmo] share addresses that can be misused [through] identity theft. Someone could even come and rob you or stalk you,” says Jelena Mirkovic, research associate professor at the USC Viterbi School of Engineering and a project leader at the USC Information Sciences Institute.

“If you share something sensitive, like ‘Here’s money for drugs or drinks’ or ‘It was a great party in Vegas,’ that can have implications later on. For instance, it could affect your job prospects,” adds Mirkovic, co-author of “I Know What You Did on Venmo: Discovering Privacy Leaks in Mobile Social Payments,” an academic paper recently published in the Privacy Enhancing Technologies Symposium. Taken even further, victims of domestic abuse might have their whereabouts and activities unmasked whenever they exchange payments and messages with friends.

In the biggest quantitative study of its kind, Mirkovic and a team of researchers—including USC Viterbi PhD students Rajat Tandon and Pithayuth Charnsethikul; Dhiraj Murthy, director of the Computational Media Lab at the University of Texas at Austin; and Ishank Arora, a master’s degree student in computer science also at the University of Texas—detailed how millions of users reveal highly personal information about themselves on Venmo.

Because Venmo requires a note with every payment, many users unwittingly create what the researchers call “privacy leaks.” The notes reveal drug and alcohol use, political leanings, email addresses and phone numbers, and even Wi-Fi, bank account and Netflix passwords. By default, Venmo makes them all public.

In a contemporaneous study, Mirkovic, Tandon and their colleagues identified members of Alcoholics Anonymous, biker gangs and gamblers through their Venmo friend networks— even though many people in these groups went to extraordinary lengths to hide those affiliations by sending nonsensical messages with their Venmo payments.

“The notes of other users and sometimes the group’s display name on Venmo expose the sensitive nature of everyone’s membership,” Tandon says.

In other words, what happens on Venmo doesn’t necessarily stay on Venmo.

Strong Social Orientation

In 2009, Iqram Magdon-Ismail and Andrew Kortina, students at the University of Pennsylvania, came up with the idea for Venmo: a platform that would allow friends to send money to one another.

The pair initially set up Venmo as a private, text-based platform restricted to BlackBerry devices. Soon after, they decided to make payments publicly visible, although not the amounts. “I was thinking in the back of my head, ‘What if we made a feed for everybody?’” Magdon-Ismail told Wired in March 2017. “This kind of is like Facebook or Twitter for me.”

The company has grown considerably since PayPal acquired it in 2013—it now has 83 million users—but one aspect hasn’t changed: the money app’s strong social orientation.

Unlike competing payment apps, “Venmo provides a social way to pay your friends when you owe them money and don’t want to deal with cash,” the company says on its website.

Venmo accounts have a “friends list,” and transactions between friends, including their payment notes, appear in a social media-like feed. In 2021, Venmo made it possible for users to make their list of friends private.

Exploiting Venmo

The app’s social functions have won it legions of fans. Still, critics contend that malefactors have repeatedly abused Venmo to violate people’s privacy, accessing publicly available information to steal from and harass unsuspecting users.

In 2018, privacy advocate Hang Do Thi Duc reported that she had used Venmo’s public application programming interface (API) to sort through nearly 208 million transactions. Using that information, she homed in on five individual users, including a man in Santa Barbara, Calif., who sold marijuana.

Do Thi Duc uncovered “how countless Venmo users’ drug habits, personal finances and fights with significant others are available for all to see,” the Electronic Frontier Foundation said in an open letter to Venmo’s parent company PayPal.


More recently, BuzzFeed found President Joe Biden’s Venmo account in less than 10 minutes, using only the app’s search tool and public friends feature. Additionally, the online news and entertainment business discovered nearly a dozen Biden family members and a social web of contacts that included the president’s children, grandchildren and senior aides—along with all their Venmo friends.

Although Biden made his Venmo transactions private, at the time there was no way for him to do the same with his contacts, which enabled BuzzFeed to identify his account. Biden’s Venmo account was deleted soon after because of national security concerns.

“The peer-to-peer payments app leaves everyone, from ordinary people to the most powerful person in the world, exposed,” BuzzFeed concluded in its May 2021 report.

In response to such high-profile incidents, Venmo has tightened its privacy settings several times, including removing the global feed that showed random users’ transactions to anyone who opened the app.

“These are steps in the right direction, but more is needed,” Mirkovic says.

Quantifying Venmo’s Privacy Breaches

Against this backdrop, Mirkovic, Tandon and their research collaborators set out to ascertain the extent to which Venmo compromises users’ privacy.

In the most comprehensive analysis to date of Venmo transactions, they examined 389 million public notes over eight years, from 2012 to 2020. They found that 41 million transaction notes, or 10.5% of the total, leaked “some sensitive information such as [a] health condition, political orientation and drug and alcohol consumption,” according to the study. Nearly 40% of the users in the data set had publicly shared sensitive information on the financial app at least once.

Some of the Venmo messages exchanged between users included “Sexual pleasures”; “for aids treatment. Get well soon”; “Lesbian Activities”; “Bush did 9/11”; “weed and other very bad drugs”; “[Name] man, thank you 4 everything. The password to my Bank account is [Password.] take what you want”; “Call me [Phone number]”; and “Send it to my PayPal [Email@gmail.com].”

Using a machine learning model, the researchers classified the information in each transaction note as sensitive or nonsensitive. They then sorted the sensitive notes into 14 categories, including criminal and violent behavior, sexual orientation, health and physical location.


“I was a little shocked by what we found, details about user payments from everything from birthday cupcakes to AA membership,” Mirkovic says. “I was thinking, ‘I bet these people don’t know anyone can see these messages.’”

The team found that an increasing number of Venmo users have opted to make their settings private. In 2013, 25% of users had nonpublic profiles. Five years later, that number had jumped to 37%, according to the study.

Other users, unable or unwilling to change their settings to private, went to great lengths to obscure their activity instead. Around 25% of all notes reviewed contained only emojis. The researchers classified another 25% of notes as “cryptic,” meaning that they contained only random numbers, a greeting such as “hi” or “hey,” or a single word like “too” or “the.” These patterns suggest that users care about their privacy but are unsure how to reclaim it fully.

Using a machine learning classifier that recognizes group-specific keywords, such as the Alcoholics Anonymous phrase “7th tradition” (the collection that funds a meeting), combined with a second signal, a large number of payments received from many different users, Mirkovic and Tandon identified several AA groups. From the public notes sent to those groups, they then mapped out each group’s membership.

“You can be careful, but if you’re not making your notes private, then whatever you do with that group has the potential of revealing your membership,” Mirkovic says.
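As an added example that is not code from the USC study (whose trained classifier and full 14-category list are not reproduced here), the Python script below shows the shape of the three analyses described above on a handful of constructed transactions: flagging notes that leak identifiers or sensitive topics, flagging the emoji-only and “cryptic” notes users write to obscure activity, and finding a likely group account from group-specific phrases plus many distinct payers. A few regex patterns stand in for the study’s model; every name, note and keyword list is invented.

```python
"""Heuristic classifier for Venmo-style payment notes (added example, not the study's code)."""
import re
import unicodedata
from collections import defaultdict

# Constructed sample transactions: (payer, payee, note). Names and notes are invented.
SAMPLE_TRANSACTIONS = [
    ("alice",   "bob",    "🍕🍺"),
    ("carol",   "bob",    "hey"),
    ("dave",    "bob",    "7th tradition"),
    ("erin",    "bob",    "7th tradition contribution"),
    ("frank",   "bob",    "basket for 7th tradition"),
    ("grace",   "heidi",  "Call me (555) 010-0142 about tomorrow"),
    ("ivan",    "judy",   "send it to my paypal test@example.com"),
    ("mallory", "niaj",   "wifi password is hunter2 lol"),
    ("olivia",  "peggy",  "weed for the weekend"),
    ("quentin", "rupert", "42"),
    ("sybil",   "trent",  "Rent for May"),
]

# Concrete identifiers that should never sit in a public note.
PII_PATTERNS = {
    "contact_phone": re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}"),
    "contact_email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credential": re.compile(r"\b(?:password|passwd|pin)\b", re.IGNORECASE),
}

# Assumed topic keywords standing in for the study's trained sensitive-category model.
SENSITIVE_KEYWORDS = {
    "drugs_alcohol": [r"\bweed\b", r"\bdrugs?\b", r"\bbeer\b", r"\bvodka\b"],
    "health": [r"\baids\b", r"\btherapy\b", r"\btreatment\b", r"\bmeds\b"],
    "aa_membership": [r"\b7th tradition\b", r"\bseventh tradition\b", r"\baa meeting\b"],
}

GREETINGS = {"hi", "hey", "hello", "yo", "thanks", "thx", "ty"}
FILLER_WORDS = {"too", "the", "a", "an", "for", "stuff", "things", "money", "ok"}
OBSCURING_LABELS = {"emoji_only", "cryptic"}


def is_emoji_only(note: str) -> bool:
    """True if every non-space character is a symbol (So), an emoji modifier (Sk),
    a combining mark such as the variation selector (Mn) or a format char like ZWJ (Cf)."""
    text = note.strip()
    if not text:
        return False
    return all(ch.isspace() or unicodedata.category(ch) in ("So", "Sk", "Mn", "Cf")
               for ch in text)


def is_cryptic(note: str) -> bool:
    """Notes that carry no real content: digits only, a bare greeting, or a filler word."""
    text = note.strip().lower()
    if is_emoji_only(text):
        return False                      # emoji notes get their own label
    if text.isdigit():
        return True                       # "random numbers"
    words = re.findall(r"[a-z']+", text)
    if not words:
        return True                       # empty or punctuation only
    return len(words) == 1 and (words[0] in GREETINGS or words[0] in FILLER_WORDS)


def classify_note(note: str) -> list:
    """Return sorted labels: obscuring style (if any) plus every leak category hit."""
    labels = set()
    if is_emoji_only(note):
        labels.add("emoji_only")
    elif is_cryptic(note):
        labels.add("cryptic")
    for label, pattern in PII_PATTERNS.items():
        if pattern.search(note):
            labels.add(label)
    lowered = note.lower()
    for category, patterns in SENSITIVE_KEYWORDS.items():
        if any(re.search(p, lowered) for p in patterns):
            labels.add(category)
    return sorted(labels)


def is_leak(labels: list) -> bool:
    return any(label not in OBSCURING_LABELS for label in labels)


def find_group_accounts(transactions, category: str, min_payers: int = 3) -> dict:
    """Payees that receive category-matching notes from at least min_payers distinct payers.
    Both signals together identify a group account and, as a side effect, its members."""
    payers_by_payee = defaultdict(set)
    for payer, payee, note in transactions:
        if category in classify_note(note):
            payers_by_payee[payee].add(payer)
    return {payee: sorted(payers) for payee, payers in payers_by_payee.items()
            if len(payers) >= min_payers}


def leak_stats(transactions) -> tuple:
    """(number of notes leaking something, total notes)."""
    leaking = sum(1 for _, _, note in transactions if is_leak(classify_note(note)))
    return leaking, len(transactions)


if __name__ == "__main__":
    for payer, payee, note in SAMPLE_TRANSACTIONS:
        print(f"{payer:>8} -> {payee:<7} {str(classify_note(note)):<22} {note}")
    print("group accounts:", find_group_accounts(SAMPLE_TRANSACTIONS, "aa_membership"))
    print("leaking/total:", leak_stats(SAMPLE_TRANSACTIONS))
```

`find_group_accounts` is the part worth studying: none of the three notes to “bob” says anything beyond “7th tradition,” yet the phrase plus the fan-in from several payers is enough to label the payee as a group and to expose every payer as a member, which is exactly the exposure the article describes for users who tried to stay vague.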

The researchers attempted several times to speak to Venmo, but no high-ranking official ever responded. Neither did Venmo respond to interview requests from USC for this story.

Mirkovic and her team did, however, receive payouts from PayPal’s public bug bounty program, which rewards security researchers who report vulnerabilities in its website, for finding multiple security flaws in Venmo’s APIs. The company has since fixed them.

Private Time

Many, if not most, Venmo users appear to want greater privacy protections. A 2018 Mozilla-Ipsos poll found that 77% of Americans opposed public-by-default settings on financial apps. That same year, Mozilla delivered a petition with 25,000 signatures asking Venmo to change its settings.

“[The poll made it clear] American users did not think payment information should be public by default. This all tracks with common sense,” says Gennie Gebhart, activism director of the Electronic Frontier Foundation in San Francisco.

Still, Venmo has resisted changing its default settings.

A company spokesperson told CNET in 2018 that “we make it [public by] default because it’s fun to share [information] with friends in the social world. People open up Venmo to see what their family and friends are up to.”

The company might be making a mistake, Gebhart says. “Social features may differentiate Venmo from other popular alternatives, but that’s a distinction that’s getting more and more negative as more users—including the president of the United States!—learn about Venmo’s failures here.”

There’s no real benefit in going public on Venmo. Users should make everything private, including their list of friends.

Jelena Mirkovic

Venmo insists that it’s relatively easy for customers to make their payment notes and friends lists private.

However, that hasn’t always been the case.

Consider that when Venmo is installed on a phone, the app may, with the user’s consent, upload the phone’s complete contact list, and it then automatically adds those contacts as Venmo friends. The privacy implications are significant: because friends lists are public by default, anyone with a Venmo login can crawl the service and reconstruct the phone contacts of any registered user.

In 2018, PayPal reached a settlement with the Federal Trade Commission partly because of Venmo’s confusing settings. In its complaint, the FTC charged that the financial app had “misled consumers about the extent to which they could control the privacy of their transactions.”

Mirkovic has a strong recommendation for the millions of fans of the mobile social payment app. “There’s no real benefit in going public on Venmo,” she says. “