Mobile payment service Venmo is improving security measures after a user’s account was compromised and nearly $3,000 siphoned out of his bank account.
The theft was possible because Venmo did not notify users when account details were changed.
The first thing victim Chris Grey new of the compromise was when his bank notified him of a $2,850 payment via Venmo to a recipient that was not known to him, according to news site Slate.
According to Grey, he was not notified that his password had changed, that another email was added to his account, that another device was added to his account, or that a lot of his settings had changed.
The theft is another case of an online service that is not as secure as it could be by default or design, but is forced to take action when users are compromised.
Within weeks of the compromise of the New York developer’s account, Venmo has introduced email notifications of any changes to a user's email address, password or phone number.
The mobile payment service is also implementing multi-factor authentication for user logins in the coming weeks, reported The Verge.
Venmo’s initial response to the compromise was to list the security features that were already in place, but the company gave no explanation of why it had not used multi-factor authentication from the start.
Some commentators have suggested Venmo may have avoided introducing multi-factor authentication sooner because of fears it would slow down transactions.
Read more about mobile payments
- Companies jumping on the mobile payment bandwagon need to tread carefully as consumers are still skeptical about the security of their data
- More payments will be made using smartphones in the UK than those made by cards by 2020, according to 33% of Brits
- Samsung kicks off Mobile World Congress 2015 with launch of latest Galaxy S6 smartphones and mobile payment service
- More than 1.8 million people have registered to make payments to people using only their mobile phone number
Venmo is very keen to preserve the easy user experience, with chief executive Bill Ready saying the company usually preferred to address fraud without alerting the user for experience reasons.
"In many of these cases, we want to handle it seamlessly so we're working behind the scenes," he told The Verge, but he said his team would take a look at changing their policy.
The fact that at least one user account has been compromised illustrates the danger of service providers neglecting security in favour of making services easier to use.
In a blog post shortly after reports of the account compromise, Venmo general manager Michael Vaughn said the company maintained fraud rates “favourable to industry standards”.
For this reason, he said Venmo was “comfortable” guaranteeing users’ money if they were hit by fraud or unauthorised transactions.
Vaughn said security measures included fraud protection algorithms, encryption of all financial information, encryption of payment card information, payment limits, and automatic logout after a period of inactivity.
Vaughn added that prior to the user account compromise, the company had been compliant with the payment card industry data security standard.
He also attempted to deflect blame from Venmo by saying users were responsible for their own security.
Vaughn said users should use a strong and unique password, set a passcode lock on the Venmo app in addition to a phone lock, and set options to receive notifications of transactions and a “wide range” of other app activities.