Venmo App: Users Raise Questions About Security of Peer-to-Peer Money Transfer Service

— -- On a Tuesday afternoon in Berkeley, California, I asked about 20 students how they split a bill in a restaurant or pay back a roommate for shared bills.

“Venmo,” they answered.

Venmo is a smartphone app that lets you transfer money to another person’s account without fees and without credit cards. Roughly two-thirds of the students I asked said they used this smartphone app for the task; only a handful said they write checks to pay each other back. For these digital natives, Venmo is clearly convenient, but is it safe?

Venmo isn’t for buying things from a merchant. It’s not a direct competitor to Google Wallet or Apple Pay. It’s for peer-to-peer transfers to people you know. You can tie a credit card to your Venmo account for transfers, but there’s a 3 percent surcharge. Tying Venmo directly to a bank account eliminates those fees.

That’s how Mohsin Charania says he had his account set up. In making transfers and receiving them from friends, Charania had built up a surplus of cash that Venmo held in his account -- kind of like an escrow account that Charania hadn’t cashed out. But last fall the professional poker player from Chicago says his account was hacked.

“It was frustrating. I had over $2,000 on there from various transfers that I received from friends and I had no way of finding out what happened to my account,” he said.

He says he tried to make a transfer using the app and it displayed a message saying his account had been closed and the money was gone. But he says this was the first he’d heard of any activity; he hadn’t used the app for about a week.

“There was no notification on my phone saying ‘$2,000 on your Venmo account has been cashed out’ or that your account has been shut down,” he said. “I was kind of dumbfounded that something like that could happen. It took four days and I still didn’t get a response on my cellphone regarding my account until I discovered that it had been hacked and then I reached out to [Venmo].”

Venmo is incredibly social for a financial app. It can broadcast your transfers within the app to other people in your social graph. One of the ways it has spread so fast amongst millennials is that it combs a user’s Facebook friends and asks if it can send them invitations to join Venmo.

But Venmo has had a run of complaints across social media, and the one rising to the top was the same one Charania complained about: users said Venmo did not email them when changes were made to their accounts. The security issue here is that a hacker could change your password or email address and you would never know until the money was gone.

An article detailing another hack of a Venmo user was published by Slate and got a lot of attention. And as the media honed in on the app-maker about this and other security issues (and a day after "GMA" Investigates contacted the company), it improved that notification feature.

“If customers don't feel like they're secure they won't use the application,” James Wester, mobile payments analyst at IDC, a market research firm, told ABC News.

On the Venmo blog, their general manager, Michael Vaughan, explained the changes. "To enhance the security of your Venmo account, any time there is a change to your primary email address, password or phone number, we will send you an email notification."

To test the change out, we teamed up with Wester to simulate an account takeover. Because Venmo publishes my use of the app to others in my social graph, it’s not impossible that an acquaintance could take my email and guess my password. Imagining that scenario. Wester uses my email address to log on to Venmo with a password I provide. As soon as he makes the change to my primary email address, the app notifies me at my old address.

It worked, but here’s the existing problem: If my account had truly been hacked, Venmo offers no phone or live support; you can only submit complaints through an online form.

That’s what Charania says he did, and I ask him, “Did you ever get a phone call or reach a Venmo rep on the phone?”

“No. No one ever contacted me on the phone,” he replied.

He says he eventually got his money back, but he says only after he took to Twitter to complain and enlisted friends with a lot of followers to retweet his issue. According to Wester, users are protected when using an app like this because it’s tied to your bank or credit card so their umbrella protections apply: with a credit card, as soon as the fraud is reported the money is credited back.

With a debit card or bank account, users have two days after learning of the fraud to alert the bank and only after they verify it is fraud is the money credited back into the user’s account. But in Charania’s case, the money stolen was ostensibly being held in escrow by Venmo. It had never come from his bank, but was transferred in by other users paying him back.

The California Department of Business Oversight cited more than 20 unsafe practices by Venmo last year. Today, the department told "GMA" Investigates in a written statement: “We continue to work with Venmo to obtain full compliance with the order.”

Venmo, which is owned by PayPal, responded to GMA Investigates with a blog it wrote to customers. “We're working to be more responsive to your support inquiries,” the blog read. "We’ve made significant progress and will continue to improve in this area.”

Despite the issues, Mohsin and others say they experienced, Wester points to the overall security improvements in digital payments.

“Even with the issues that are happening with these peer-to-peer payment networks and mobile networks, they really are more secure than a lot of other payment methods,” he said.

He suggested that people who use Venmo and other digital payments apps put a passcode on their phones, use a hard-to-guess password, and dive into the settings of all financial apps to enact any extra security features they may offer, such as a PIN number for each transaction (two-factor authentication).

The bottom line is, in this race to win the lucrative digital payments market, it may be the services that make users feel safest that ultimately win.

“When you’re selling an application it’s supposed to be more convenient. Just the inconvenience of having to get your own many back is not good,” Wester said. “If customers don’t feel like they’re secure, they won’t use the application.”