Venmo – following an unflattering Slate article about security holes that could leave its customers at risk of having their accounts hijacked – will begin a sweeping run of security upgrades to its popular money transfer and payments app today. The article described the shortcomings of Venmo’s security practices through the tale of one unlucky hacked user.
Venmo general manager Michael Vaughan wrote in a blog post, “We’re working to be more responsive to your support inquiries. We’ve made significant progress and will continue to improve in this area.”
Vaughan also wrote that going forward, when a user’s email address is changed — often the first step taken by hackers after gaining access to an account — the user will receive a notification to both the old email and the new one. Similar notifications will be in place for password and phone number changes.
Slate also noted Venmo’s lack of two-factor authentication. Such systems – widely used in financial services – require users to enter a passcode sent by text message to their phone before logging in from a new or untrusted device or making significant account changes.
“We’ll also be rolling out multifactor authentication (MFA) in the coming weeks, among other product features, to further enhance user security and experience,” Vaughan wrote in the post today.
Venmo is owned in part by eBay and may soon face more time in the sun as eBay’s payments company, PayPal, will be spinning off in an IPO later this year.
John Donahoe, the chief executive officer of eBay, recently said on an earnings call with analysts that Venmo was “on fire,” which would be a good thing except that the “fire” seems to have attracted cyber-looters.