Graduate student Dan Salmon has released online seven million Venmo transfers, scraped from the social payment biz in recent months, to call attention to the privacy risks of public transaction data.
Venmo, for the uninitiated, is an app that allows friends to pay each other money for stuff. El Reg's Bay Area vultures primarily use it for settling restaurant and bar bills that we have no hope of expensing; one person pays on their personal credit card, and their pals transfer their share via Venmo. It makes picking up the check a lot easier.
Because it's the 2010s, by default, Venmo makes those transactions public along with attached messages and emojis, sorta like Twitter but for payments, allowing people to pry into strangers' spending and interactions. Who went out with whom for drinks, who owed someone a sizable debt, who went on vacation, and so on.
"I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key," said Salmon in a post to GitHub. "There is some very valuable data here for any attacker conducting [open-source intelligence] research."
In an email to The Register, Salmon said a snooper might be interested in data points like a Venmo user's mobile platform (useful for exploit targeting), personal associates, illicit sales (for blackmailing), and spending patterns that could be used for spear phishing.
If a Venmo user regularly reimburses a friend for Domino's pizza, he suggested, a fraudster could tailor a fake Domino's promotion as a way to increase the odds of duping the target.
The dataset, 10.87 GB uncompressed in BSON (Binary JSON) format, exported from a MongoDB instance, does not include the dollar amounts of transactions but does include names, dates, messages, and images that could facilitate social engineering trickery.
Salmon, a computer science grad student at Minnesota State University, Mankato, in the US, encouraged all Venmo users to switch their accounts to private through the Settings > Privacy menu by selecting "Private" and through Past Transactions > Change All to Private.
As mentioned above, Venmo makes person-to-person purchases through its mobile app public by default. Person-to-merchant payments made using the Venmo card or via mobile websites for retail transactions when Venmo is selected at checkout are deemed "sensitive transactions" and are private – merchants apparently want to keep sales data private from competitors.
Despite past criticism from privacy advocates and a settlement with the US Federal Trade Commission, Venmo has kept person-to-person purchases public by default.
In February 2018, Venmo parent PayPal settled a claim brought by the FTC that Venmo, up until 2014, hadn't made clear how its privacy settings worked and failed to warn users that purchases would show up on their social media profiles. The settlement prohibits misrepresentations and requires disclosures but does not require the company to make transactions private by default.
Last July, Berlin-based researcher Hang Do Thi Duc explored some 200m Venmo transactions from 2017 and set up a website, PublicByDefault.fyi, to peruse the e-commerce data. His stated goal was to change people's attitudes about sharing data unnecessarily.
When The Register asked about transaction privacy last year, after a developer created a bot that tweeted Venmo purchases mentioning drugs, a company spokesperson said, "Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed. There are a number of different settings that users can customize when it comes to sharing payments on Venmo."
The current message from the company is not much different: "Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this," a Venmo spokesperson told The Register in an email. "Our users trust us with their money and personal information, and we take this responsibility very seriously."
"I think Venmo is resisting calls to make their data private because it would go against the entire pitch of the app," said Salmon. "Venmo is designed to be a 'social' app and the more open and social you make things, the more you open yourself to problems."