On Wednesday, I published a story on Slate about a Venmo user who had $2,850 stolen through the app from his bank account. In the piece, I documented several apparent issues with Venmo’s security and customer support: It doesn’t offer two-factor authentication, routes all support inquiries through an email address (and can be slow to respond to those emails), and, at least until Wednesday, didn’t alert you if your email and password settings were changed from within the account. Venmo also encourages new users to link their bank accounts directly to the app, without any warnings as to why this might be unwise.
I first contacted Venmo on Monday and, after initially pointing me to its online security and privacy policies, the company did not respond further. My attempts to follow up with Venmo since the story ran have also gone unanswered. But Venmo is apparently speaking to other media outlets. It sent a run-of-the-mill statement on its policies to BuzzFeed and Gigaom, and Friday afternoon the Verge published comments from an interview with Bill Ready, the CEO of Venmo and its parent company Braintree. They’re not exactly reassuring.
Ready explains that Venmo has until now preferred to deal with fraud without looping in the user because “in many of these cases, we want to handle it seamlessly so we’re working behind the scenes.” This is despite the fact that Venmo’s user agreement instructs consumers to notify the company within two days if they suspect their account has been compromised to keep their maximum liability from rising to $500 from $50—something that becomes much tougher to do if the service isn’t alerting you to suspicious activity in the first place.
Venmo isn’t the first tech company to defend its practices in the name of a frictionless user experience. Uber, the multibillion-dollar ride-hailing company, automatically tacks on a 20 percent gratuity to each fare to keep the experience cashless and hassle-free. Snapchat, which has suffered a few security snafus of varying severity, used to automatically link users’ accounts to their phone numbers to simplify onboarding and friend-finding. Even BuzzFeed, which sees itself as first and foremost a tech enterprise, defended its decision to quietly delete thousands of posts from its website—a huge journalistic sin—as a move that benefited the user.
While wanting a smooth user experience is all well and good, it often feels like—and Ready’s comments seem to confirm—a desire to be frictionless can lead companies to sacrifice some pretty important stuff. “It’s a big issue, balancing the customer experience with the fraud measures that you want to have in place,” says Matt Tatham, a spokesman for Experian, a global credit report and fraud monitoring firm. “Nowadays, just log-in password isn’t enough. You need extra layers to make it difficult for people to take advantage of any site, whether it’s mobile payments or something else.”
In this respect, Venmo is quite different from traditional financial institutions. As anyone who has forgotten to notify a bank or credit card company of major travel plans probably knows, fraud departments will often freeze accounts as soon as they notice irregular spending patterns. Credit card issuers also charge merchants transaction fees in part to have money for anti-fraud efforts. Those measures might at times feel inconvenient, but they also deliver some important peace of mind. As a colleague noted this afternoon, “I really like the experience when my credit card company calls to tell me that they’ve already caught the fraud. It sucks to have to wait a day or two for a new card, but it beats not knowing.”
For now, Venmo is trying to send a message that it takes security concerns seriously. “I think there are some valid points around how we can communicate more effectively on a couple of these issues,” Ready told the Verge (though at least in the story, he didn’t elaborate on which ones). Venmo is working to enable two-factor authentication. It also notes that users who want more protection can add a four-digit PIN to their accounts—this is true, but that PIN isn’t required to log into your account in a desktop browser or complete a transaction there. And while Gigaom’s Kif Leswing reported Friday that changing his account password produced an email alert, when I and three other colleagues tried this from within our accounts we still weren’t getting notified.
At any rate, are people concerned enough about having their accounts compromised on Venmo to actually leave its service? If so, you’d think Venmo would be more inclined to add extra layers of protection at the cost of convenience. At least to me, not being immediately alerted to fraud exemplifies a bad user experience. But for others, maybe the “seamless” factor really is more important.