NASHVILLE, TN (WSMV) - A trained hacker told News4 Investigates that the popular payment app Venmo’s default setting, which makes payments automatically public, is causing people to fall for criminals’ schemes to steal their money.
News4 Investigates has documented cases where Venmo users fell for hackers’ schemes and all have one thing in common: all of their transactions were public.
For Keighley Woodard, it happened at a strange time with a strange message.
“I got a Venmo request from him at 2 in the morning,” Woodard said.
The Venmo request came from her out-of-town husband and stated simply that he would explain later.
“The amount was for $195,” Woodard said.
What she didn’t know at the time is that several of his friends and family also got the same request at the same time.
Because her husband made all his transactions public, a hacker was able to see who he knew well enough to pay or receive money from.
That hacker then set up a fake account with his picture, sent requests to the people in his network, and in several instances got the money.
“Some of his friends fell for it because they got an alarming Venmo request at 2 in the morning and thought, something is wrong with him, I’ll Venmo him right away,” Woodard said.
For News4 producer Kirby Wiley, a hacker tricked her in a different way: by spoofing Venmo’s own customer service number and calling her, saying there was a questionable payment on her account.
The hacker then said that they would send her a code to verify.
“As soon as we got off the phone, they had already charged to my account over $3,000,” Wiley said.
Wiley’s transactions were also public.
Venmo’s payments are set to public by default and, as on other social media, you can even comment on them.
Dan Salmon, a trained hacker who worked in security engineering, said that the public default makes Venmo a fertile hunting ground for hackers.
“Any information that I can glean from a target is valuable to me,” Salmon said.
Salmon wrote an article for the news site Wired, entitled, “I Scraped Millions of Venmo Payments. Your Data Is at Risk.”
“Would you say Venmo is attractive to hackers?” asked News4 Investigates.
“It would be very attractive to attackers,” Salmon said. “Hackers are incredibly creative. And they will find a way to use any information about you.”
Salmon said once hackers know who you pay or receive money from, they can easily clone your profile – as they did for Woodard’s husband.
News4 Investigates asked Venmo for an interview about why it makes payments public by default.
A spokeswoman declined the request, but wrote in an email, “We have always made preventing bad actors from using our platform a top company priority, and Venmo combines technology with enhanced manual investigatory work to detect and stop opportunistic cybercriminals.”
Protecting yourself is relatively easy. When you go to make a Venmo payment, you can change the setting each time from public to private.
“My profile is definitely now on private,” Woodard said.
Salmon said he believes Venmo does an excellent job protecting people’s bank account information.
Salmon also recommends that you turn on two-factor authentication and go back and change all your past transactions to private.