NEW YORK (MainStreet) — The Internet has been abuzz for a couple of weeks with chatter about documented cases of theft of money from accounts of users of Venmo, the p2p (peer-to-peer) money transfer app that had been the fast-growing darling of Millennials.
One user, in a story reported in Slate, had $2,850 looted from a Chase checking account.
The question is: are p2p apps too hot to handle? In a rush to make money transfer easy and fast have they cast aside security? It goes well beyond Venmo, with Square Cash, Dwolla, Google Wallet, PayPal, Popmoney, Chase’s Quickpay and many more plunging into p2p, where the mantra is that an estimated $1 trillion in analog paper money will soon be replaced by digital cash transfers.
In many cases, all that is required to initiate a cash transfer with a p2p mobile app is a login with a four-digit PIN. That means money can be in motion in less than a minute. The scary bit: p2p accounts generally are directly linked to checking accounts - and in an instant a checking account can be emptied by a crook. There are federally mandated fraud protections for checking customers, but they are neither as easy nor as immediate as protections against credit card fraud. Checking fraud victims often complain of hassles in getting ripped-off money returned.
Even so, p2p cash is suddenly on fire as user adoption soars, often due to peer pressure, said experts. You go to lunch with three friends. One puts it on his/her credit card and says, pay your share with Venmo. What do you do? That’s right: you sign up for an account.
What other use cases? Aaron Cohen, Venture Director at Fueled, a mobile development agency and incubator in New York, told Mainstreet he uses Venmo just about every day to cover a range of personal expenses.
Splitting lunch and bar tabs, shared roommate expenses, chipping in on a birthday gift, you name it -- the uses multiply.
The question now is: will users flee Venmo, and if they do, will they abandon p2p entirely - or just jump to an alternate provider?
Understand how big Venmo has gotten, so fast. In 2014 its total payment volume was $2.4 billion. In just Q3, its payment volume was $700 million, a 50% increase from the prior quarter, according to numbers provided to Mainstreet by the public relations agency for Venmo owner, PayPal.
Security experts told Mainstreet that, based upon the information available about the Venmo theft cases (Venmo itself - citing user privacy - offers no details), the probable cause was “consumer error,” said Robert Siciliano, a Boston-based security expert. One possibility: the victims were phished with fraudulent emails that persuaded them to part with their login credentials. Every day literally millions of phishing emails flood email and SMS boxes. Most are deleted with no harm done. But some hit criminal paydirt.
What happened at Venmo is “not a fraud, not a hack -- it’s a user process issue,” said David Bozin, a vice president at point of sale company Bindo.
Nobody has claimed that Venmo or PayPal or any of the other leading p2p providers had been hacked. “It’s not a factor of security,” said Bozin, speaking specifically of what occurred at Venmo. “It’s a factor of loopholes.” In that case, the company had not sent users either an email or an SMS informing them of, for instance, password changes. That’s the norm for most financial services - and it now is in place at Venmo too - but it had not been, a lapse that proved painful when one victim tried to log into his Venmo account and was locked out because a crook had changed the password.
“We put in a list of security improvements,” a PayPal spokesman told Mainstreet, speaking of Venmo upgrades. He added that more - such as multi-factor authentication - are on the way. Other p2p services, said sources, are adding new security features in light of the Venmo publicity.
Will it be enough to save this generation of p2p apps? Paul Martini, CEO at iboss Cybersecurity, said, “I don’t see this slowing adoption of p2p.” He added: “These systems are so convenient, it will outweigh people’s fears.”
And know there is a step a user can take to up his/her own security when using p2p apps on a mobile phone. “Put a PIN on the phone,” said Martini. That adds a layer of security on top of the PIN needed to use the mobile p2p app.
Siciliano also suggested using a unique password at every site, because, often, account takeovers trace back to a user using a password at Site A, which gets hacked, and then the user finds his account at Site B is compromised because the hackers tried their stolen credentials there and they worked.
That’s it, two easy steps and security when using p2p on a mobile device jumps. It’s that easy.
—Written by Robert McGarvey for MainStreet