On Friday, the payment app Venmo wrote a blog post enumerating the variety of security measures it takes to protect its customers.
The post came after Slate ran a story about a user who had almost $3,000 taken from his bank account, which the app directly links to. The user was eventually reimbursed by Chase bank, but closed his Venmo account after the incident.
“We’re processing billions of dollars of your payments every year and we maintain fraud rates favorable to industry standards and that is why we are comfortable guaranteeing your money if you are the victim of fraud or unauthorized transactions,” Michael Vaughan, a general manager at Venmo, wrote on the company blog.
“We have fraud protection algorithms and systems that are always on. As much as I'd love to share more here, I don’t want to tip our hand to would-be fraudsters, but we back it up by guaranteeing your money from unauthorized transactions.”
In an effort to reassure customers, Vaughan listed features such as the encryption of financial information, PCI-compliancy, and spending limits. Still, the company was criticized for not using two-factor authentication, lagging on customer service, and not automatically sending users an email notice when an account password changes.
The lack of an automatic email notice aside, however, Venmo doesn’t show any serious security deficits.
While two-factor authentication is ideal, many banks don’t use it, among them Wells Fargo, American Express, and Citibank.
Venmo can hardly be faulted for not having a large customer-service team that can field replies instantaneously, being a startup that only had 70 employees in November.
Moreover, the nature of the app’s transaction limit imposes a low-ceiling on the damages from a hacking incident. Most Venmo users send small amounts of money for things like splitting restaurant-bills with friends, and the default sending limit is $299.99, which can be increased to $2,999.99 if you choose to confirm your ID.
As an innovator, Venmo still has the task of balancing ease-of-use with a reliable security protocol, a process that its parent company, PayPal, also went through. In its founding stage, PayPal lost millions to Russian hackers and often had to delete customer-service complaints wholesale.
Larger Fish
The most pressing security breaches do not involve direct monetary theft, but the theft of Personally Identifiable Information (PII) such as Social Security numbers that can be used for identity theft, and those tend to happen outside of Silicon Valley, where older, more established companies have a much larger customer-base that make more lucrative targets for hackers.
In January, hackers broke into the databases of Anthem Inc., the second largest health insurer in the country, and were able to access the PII of its 80 million customers, of which tens of millions were stolen.
In 2014 the biggest security breaches featured retail companies like Target and Home Depot.
By comparison, systemic compromises of app-based tech companies tend to be limited in scope. Uber said Friday that in May the information of 50,000 of its drivers had been compromised by hackers, in a company that counts more than 150,000 drivers in the United States and 8 million customers.
Private companies aren’t the only target of hackers. The U.S. government suffered at least 23 major security breaches since 2012, and saw the 2013 leak of the PII of more than 100,000 people who worked for or interacted with the Department of Energy.
As more of the economy operates more on a digital platform, the opportunity for hacking invariably grows. When Neil deGrass Tyson tweeted after the North Korean attack on Sony that the solution was to “create unhackable systems,” he was roundly mocked, and rightly so.
Security breaches are part and parcel of a digital world, and isolated compromises are no indication that a company has a security problem.
