Here is why your healthcare provider cannot accept Venmo payments

April 2, 2020 | Bob Covello

This blog was written by an independent guest blogger.

Are you using Venmo to send and receive payments?  People use Venmo for everything, and in these times when no one wants to handle actual money for fear of spreading infection, Venmo is a brilliant idea.  Of course, the difference between Venmo and other mobile payment applications is that Venmo adds a social networking component to its process.  While this makes things very easy for transacting payments, it creates some serious privacy concerns. 

Privacy and confidentiality are cornerstones of many business interactions. Whether you are in treatment for a medical condition or seeing a psychotherapist to work through an anxiety problem, you not only want your information protected, you also do not want anyone knowing the identity of your healthcare provider. Unfortunately, Venmo has a flaw that does not allow for such confidentiality.

Please note that I am not bashing Venmo.  As stated earlier, it is a fine application that is perfect during these tense, Covid-19 times. 

Most of my friends who use Venmo had no idea of the problem, so here is a short demonstration to show what I am describing:

First, the way to keep your transactions private is by changing a setting in the application:

[Image: Venmo privacy settings]

If you are just now discovering this setting, you can also hide all your past transactions so that all of your activity is hidden.

Of course, if you want to have some fun, you can just name your transactions to whatever you want, as one of my wise-guy friends did when sending some money to me:

[Image: sex trafficking example of privacy invasion]

Apparently, some folks are not joking, and are broadcasting all kinds of illicit activity through the platform. Please be aware that illegal transactions could result in you getting kicked off the application, so it is not recommended.

The real problem is this: even if you set your Venmo to “private” mode, it is still leaking too much inferential information about all of your associations.  If you go to a person’s profile page, there is a heading named “Friends” that allows you to see everyone in a person’s Venmo world:

[Image: friends setting in Venmo can be abused]

This is a social engineer’s dream! The entire family of a total stranger can be accurately mapped just by scrolling through their “friends” list. This is exactly why the “grandparent scam” is so effective.

To take this to the next level, if a person happens to pay a medical provider with Venmo, a social engineer could use all the publicly available information to easily impersonate that person, leading to a full medical records breach. This is why your healthcare provider will not accept payments through the application.

When will Venmo lock down the Friends page?  Why was that not built into the application from the start?   Venmo is part of PayPal, and it is a safe way to move money between you and your friends and family.  However, it just needs a bit of a privacy nudge.


About the Author: Bob Covello, Guest Blogger

Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
