Venmo has yet to respond to WIRED’s inquiries regarding recent privacy concerns expressed in connection with user accounts belonging to individuals including members of the intelligence community. Erin Mackey, a spokesperson for Venmo, stated, “We take our customers’ privacy seriously, which is why we allow users to customize their privacy settings for individual payments and friends lists. Our platform makes it straightforward for customers to opt for privacy when they choose.”
Tara Lemieux, a veteran of the US intelligence community with over three decades of service, emphasizes the importance of user discretion when interacting with digital applications. She argues that while many may find public transactions on Venmo innocuous, foreign intelligence entities often monitor payment patterns for potential vulnerabilities. “If a user is sending money to children, that information could be leveraged against them. It introduces a point of leverage that could be exploited,” she notes, underscoring the importance of understanding the implications of shared information.
Lemieux also highlights the rapid evolution of digital platforms outpacing regulatory frameworks designed to protect users. “When sensitive information is exposed, it’s challenging to reinstate privacy; once the toothpaste is out of the tube, it can’t easily be put back in,” she explains, indicating a critical gap in user awareness of data security.
Data security expert Mike Yeagley, who has provided guidance to the US Department of Defense regarding digital data risks for over 15 years, shares similar concerns. He warns that even seemingly harmless actions, such as a Cabinet member using Venmo to pay for a personal trainer, can expose critical information. “Identifying who that trainer is opens up further targeting opportunities by revealing associations with influential individuals,” Yeagley says.
Yeagley elaborates on the sophisticated nature of adversaries in the realm of digital espionage, indicating that even minute data points can be valuable. “Our adversaries excel in data collection and are keen on any level of information that might provide insights into an individual’s network or lifestyle,” he asserts.
Venmo’s contact syncing feature, which previously allowed users to upload their phone contacts to the app, has come under scrutiny. While this feature aimed to facilitate connections, it automatically populated users’ friends lists with anyone from their address book who was also utilizing the app, potentially compromising privacy. Although Venmo has since removed this functionality, concerns remain. Users must now actively search for and request to add friends instead of relying on automatic syncing.
However, Venmo’s privacy policy reveals that unless users actively modify their settings, their network remains visible to all. As such, even if an account is set to private, the friends list can still be publicly accessible unless users take the necessary steps to conceal it. In practice, this means navigating to Settings, then Privacy, and adjusting the Friends List to Private—a process that can be easily overlooked.
The implications of these privacy oversights could lay the groundwork for various adversary tactics outlined in the MITRE ATT&CK framework. Techniques associated with initial access, such as exploiting weak privacy settings or social engineering, could be leveraged by attackers. Furthermore, persistence and privilege escalation tactics could be employed to further infiltrate user networks based on the information gleaned from seemingly harmless transactions.
As digital transactions continue to proliferate, the need for vigilance in privacy settings and an understanding of the potential risks becomes increasingly clear. Business owners and tech-savvy professionals must remain aware of how their digital footprints may expose them or their networks to significant security threats.
