Venmo And Amazon Hit By Breaches And Fraudsters (#GotBitcoin?)

A spike in fraudulent activity earlier this year led to higher losses than the payments company had expected.

Venmo was hit by a wave of payments fraud earlier this year that helped push losses higher than the company previously expected and prompted it to shut down some user features to control the damage.

In the first three months of 2018, the digital money-transfer service owned by PayPal Holdings Inc. recorded an operating loss of about $40 million—nearly 40% larger than the loss for which the company had budgeted, according to internal documents reviewed by The Wall Street Journal.

Expenses related to fraudulent transactions were a big factor. The so-called transaction loss rate, which includes losses related to fraudulent charges, rose from about 0.25% of overall Venmo volume in January to 0.40% in March. The company had been shooting for a rate of roughly 0.24% in those periods, according to the documents.

“Fraud levels are on the rise across the board,” Venmo executives wrote in an internal presentation from March that was reviewed by the Journal.

Venmo’s fraud difficulties, which haven’t been previously reported, illustrate how innovations designed to make it easier for consumers to send money have also emboldened scammers to exploit their weaknesses. Banks and financial-technology companies alike have been grappling with how to fend off fraudsters as customers move toward digital payments.

The spike in fraud caught Venmo by surprise, and its responses gummed up the service for many genuine users, according to the documents and people familiar with the matter. Additionally, losses were big enough that executives worried they would push PayPal to miss first-quarter earnings estimates, according to emails reviewed by the Journal.

“This would have a major impact on our stock, brand, and position in the market,” wrote Benjamin Mills, Venmo’s top product executive, in an email to employees on March 22. “We cannot let that happen.”

Venmo introduced new features in the first quarter, a PayPal spokeswoman said, adding that short periods of higher losses typically accompany such rollouts. She said that Venmo’s loss levels for the entire first quarter were less than 0.35% and have declined since then. “Venmo loss levels are lower than the overall average for PayPal and compare favorably to the industry,” she said. Ultimately, PayPal’s per-share earnings beat analysts’ estimates for the first quarter.

To deal with the losses, Venmo stopped allowing customers to transfer funds instantly to their bank accounts and blacklisted tens of thousands of users deemed suspicious by algorithms. It also stopped letting customers send and receive money through its website (though most customers use Venmo on their mobile phones).

Those measures helped cut fraud but angered users whose legitimate transactions were declined. Many flooded Venmo’s customer-service hotline with calls and left angry reviews on mobile app stores.

“I’m pissed that it’s come to this and that we have to hurt our customers to try and get our loss numbers under control,” Mr. Mills wrote in the March 22 email.

Fraud can take different forms on Venmo. Criminals can load stolen credit cards onto new Venmo profiles and send money to accomplices. Hackers can take over accounts of existing Venmo users and pilfer their money. The company generally reimburses users who lose money in such transactions. It isn’t clear what caused the first quarter’s increase in fraudulent activity, or whether any culprits have been identified.

Since it became part of PayPal in a 2013 acquisition, Venmo has been a financial drain. In addition to fraud losses and personnel expenses, Venmo bears the cost of most money transfers through its network since it doesn’t charge fees to most users. Those costs have risen alongside Venmo’s payments volume, which expanded from $1.3 billion in the first three months of 2015 to $12.3 billion in the same period this year.

Venmo recently introduced new services aimed at generating more revenue. Users can now pay a fee to take their money out of Venmo instantly and use Venmo to pay at Uber Technologies Inc., Grubhub Inc. and roughly two million other online retailers. In June, PayPal announced it would start issuing plastic Venmo debit cards allowing users to draw on their funds at bricks-and-mortar retailers.

Some of those initiatives, including instant transfers, were paused during Venmo’s fraud-fighting response. Others have had slow starts. For instance, payment volume related to commercial transactions was just $16 million in the first quarter, about half of what Venmo had expected in its budget, according to an internal presentation.

Venmo has since restored users’ ability to transfer funds instantly. The company said last month that Venmo processed more than $1 billion in instant-transfer volume in September, the first time it disclosed that number. It also said that nearly one in four Venmo users completed a transaction that generates revenue.

But executives ultimately decided keeping money-transfer features on Venmo’s website wasn’t worth the fraud risks. One Venmo executive said in a May email to staffers that the website accounted for about 2% of overall volume but about 15% of total net losses.

Venmo began informing users about that change in May and June. At the time, the company said it wanted to focus on the mobile app since that was where most user activity took place.

What’s Wrong With Your Venmo Account, and How to Fix It

You’re sharing more than you think via the payment app. Here’s how to tighten up your privacy settings.

Few social-media experiences have made me cringe more than viewing my “friend” list on the peer-to-peer payment app Venmo for the first time. Seeing the names of people I’d been on dates with years ago was jarring. Seeing someone I’d blocked on Facebook was unsettling. Seeing names I didn’t recognize and couldn’t find in my contacts was baffling. But one name horrified me above all others: my former therapist.

I went to her profile, clicked on her friend list and saw another name I recognized, the friend who initially referred me. It hit me that I was scrolling through a list that included a psychologist’s patients.

Venmo does well what it’s supposed to do: let friends exchange money quickly and easily. By default, it posts those transactions in a social-media-style feed—seeing who shared meals and drinks with whom, and which emojis they favor, can make an otherwise boring process mildly entertaining.

Theoretically, Venmo lets users control who sees those posted items. But Venmo has a spotty record on privacy and transparency: In February, the FTC announced a settlement with Venmo’s parent company, PayPal Holdings Inc., after finding Venmo “misled consumers about the extent to which they could control the privacy of their transactions.” PayPal didn’t pay a fine but agreed to make privacy-policy updates and to make sharing controls clearer.

Still, Venmo has so far been unwilling to make privacy adjustments to some of the features many users have issues with. Between the uproar this past summer over the app’s public-by-default settings, the enduring inability to make your “friend” list private, and my feeling like a potential victim of a HIPAA violation, I started wondering if I—or anyone else—should really be using the app. Figuring that out took far more digging than users should reasonably have to deal with.

Here’s what I learned, and what you can do to protect yourself on Venmo:

1. Venmo Transactions Are Public by Default

Because Venmo’s Default Privacy Setting Is Public—Allowing All Transactions To Be Seen By Venmo Users—You Should Go In And Change It To Friends Or, Better Yet, Private.

Venmo’s social feed is populated by transactions between users. All these posts are publicly visible by default. That means unless you change your settings, anyone (researchers included) can see whom you paid.

To change that, tap the three lines in the app’s top left corner, select settings and then hit Privacy. You can choose Friends or Private, which means a transaction will be visible only to you and the person you exchanged money with. To change who can see your old posts, go to Privacy > Past Transactions.

2. Contact Syncing Isn’t Mandatory (But Appears to Be)

When Signing Up For A Venmo Account, You Have The Option To Skip Facebook Friend Syncing By Tapping Not Now, But There Is No Similar Button For Phone-Contact Syncing.

When users create a Venmo account, they’re asked to sync their contacts. You can go back or forward, but there’s no Skip or Not Now button.

If iPhone users select Next, they see an iOS popup asking for contact access. You might assume you have to click Allow, but you can hit Decline and still create an account.

I don’t normally sync contacts, but when I signed up for Venmo in 2015, I enabled syncing. To check your syncing status—and switch it off—go to Settings > Friends & Social.

3. Your Friend List Is Always Visible

Venmo friend lists are visible to other users and can’t be made private. Don’t feel bad if you didn’t know this: The company didn’t mention it in its privacy policy until September.

Venmo’s definition of “friends” is very loose, as evidenced if you sync your contacts. Unlike Facebook or LinkedIn, which search your phone book and give you the option to add connections, Venmo automatically adds to your friend list any saved contacts who also sync their phone books with the app.

If you have contact syncing turned on, the app checks your phone book regularly—every 28 days for iOS, every week for Android. Venmo adds any new contacts, but won’t remove phone contacts you’ve deleted. That’s why some “friends” might look like strangers.

You can’t hide your friend list, regardless of your privacy settings. This means that you’re publishing your phone book. It won’t show everyone, but it will include anyone in your phone who also synced contacts on Venmo. That might include your boss or, well, your therapist.

Why can’t we make this private? “Because Venmo was designed for sharing experiences with your friends in today’s social world, we try to make it as easy as possible to connect with other Venmo users,” a spokeswoman said.

4. You Can Cull Your Friend List

Additional Ways To Make Your Venmo Account More Private: Turn Off Facebook Connect And Contact Syncing,
Change The Privacy Settings Of Past Transactions, And Unfriend Anyone You Don’t Want To Share Information With. 

What you can do is unfriend people—but you’ll have to find your friend list first! Clicking on your profile won’t display it to you. Instead, tap the three lines and go to Search People. Scroll past Top People to see them all. Remove people by tapping their profiles and unchecking the friend icons.

It’s important to review your friend list if you’re sharing transactions with friends, since that list may be longer than you realize. If you never synced contacts, the list could be virtually empty.

5. There’s a Difference Between Facebook Connect and Facebook Contacts

Go to Settings > Friends & Social and you’ll see Facebook Connect and Facebook Contacts.

The first creates a link between your two accounts. I suggest disabling this. Facebook recently had a security breach, and like many apps, when you agree to connect, you’re sharing information in both directions that may not be apparent. No, thanks.

The second simply adds Venmo-using Facebook friends to your account who’ve also synced. Like contacts, they’ll stay in your Venmo friend list even after you unfriend them on Facebook.

6. Bank Account Syncing Isn’t Mandatory, Either

In a fairly recent addition to its privacy policy, Venmo says, “If you connect your Venmo account to other financial accounts…we may have access to your account balance and account and transactional information, such as purchases and funds transfers.”

Given that Venmo is a payment app, it makes sense that the company would need to access some financial information to facilitate payments and confirm you have the funds to cover your transactions. Venmo’s spokeswoman told me the company doesn’t actually access users’ transaction information.

It’s a small relief. The company has privacy issues and has framed the social aspect of the app as core to its existence. Meanwhile, that FTC complaint alleged that Venmo “misrepresented the extent to which consumers’ financial accounts were protected by ‘bank-grade security systems.’” (The company said it made “appropriate changes” in response.) And lately, Venmo has been grappling with a spike in fraud.

If you’re really concerned, you could unsync your bank account. The app won’t be as functional, and you’ll have to use incoming funds to pay for things. But if Venmo is just a pizza-and-beer slush fund for you, that might be all you need.

Venmo’s hold on its users is pretty strong. So strong that I don’t feel like I can stop using it yet, because no one has ever asked me to “Square” or “Zelle” them. But I’ll be happy to jump ship if and when a more privacy-minded app comes along.

Amazon Hit With Major Data Breach Days Before Black Friday

Customers’ names and email addresses posted on website, tech giant confirms.

Amazon has suffered a major data breach that caused customer names and email addresses to be disclosed on its website, just two days ahead of Black Friday.

The e-commerce giant said it has emailed affected customers but refused to give any more details on how many people were affected or where they are based.

The firm said the issue was not a breach of its website or any of its systems, but a technical issue that inadvertently posted customer names and email addresses to its website.

In a short statement, Amazon said: “We have fixed the issue and informed customers who may have been impacted.”

Customers who received the email were told: “Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action. The impacted customers have been contacted.”

It added: “Amazon takes all security-related matters very seriously and your account security is our top priority. We have policies and security measures in place to ensure that your personal information remains secure.”

UK data regulator the Information Commissioner’s Office, which Amazon must inform of any data breach as part of the general data protection regulation (GDPR) introduced this year, said it was following the situation.

The timing of the breach could not have been worse for Amazon. While Black Friday predominantly takes place in the US around the Thanksgiving holiday, hundreds of UK retailers now also take part on what has become a multi-billion pound shopping day.

Richard Walters, chief technical officer of cybersecurity firm CensorNet, said those affected should ignore Amazons’s advice and consider changing their passwords.

“If the reports are correct, the information leaked – names and email addresses – is less significant than some of these other breaches, which saw card details leaked,” he said. “However, it would be wrong to assume that this makes the breach inconsequential. Cyber-criminals can do a lot of damage with a large database of names and emails.

“A large majority of people still use predictable passwords, and thanks to previous high-profile breaches many people’s passwords are also readily available on the dark web. For cyber-criminals, it then just becomes an exercise in joining the dots.

“If you’ve been affected, make sure you change your passwords quickly.”