Smartphones and ubiquitous internet access have paved the way for digitizing most of our daily lives. We can surf the web and steam movies from anywhere. But modern technology has also managed to supplant much more mundane analog and physical things, like all the crap we’re used to carrying in our purses and wallets: ID, grocery lists, notes, addresses and phone numbers, photos of our kids and pets, and of course, cash.
Now, credit cards arguably replaced physical currency decades ago. But there’s one place they still can’t be used: between you and friend. Or really between you and anyone else who isn’t a vendor and has way to swipe your card. And that’s where popular personal payment apps like Venmo and the Google Pay come in. While these apps have all done a pretty good job with security (at least in terms of the transfer itself), where they often fail is with privacy.
But let’s discuss security first. There are a few main aspects to security when it comes to payments. First and foremost, the app shouldn’t allow anyone to get at your money without your knowledge or consent. Second, you expect that when you do send money that the exact amount of money you specified (no more, no less) will be transferred and that it will transfer safely. Finally, you expect that the money will go to the proper recipient.
From what I’ve read, most of the popular payments apps – Venmo, PayPal Mobile Cash, Zelle, Cash App, Apple Pay, Google Pay – do all of these things just fine. Some apps are better than others when it comes to preventing simple human mistakes, like a typo in the recipient’s info or the amount. They provide a link you can share or a QR code you can scan, for example. However, it’s worth noting that in all cases, the transaction is final. If you make a mistake, you’re at the mercy of the recipient to give it back. (Apple Pay and Google Pay payments can be rescinded if the recipient has accepted the payment yet.)
As you might have surmised, privacy is where these apps differ most – but not as much as you might hope. This article has a really good breakdown of all the details, but essentially, you should assume in most cases that whoever runs/owns the service has full knowledge of your transaction details. That doesn’t necessarily mean that they’re doing something nefarious with it – for instance, they’re surely using this data to detect and prevent fraud. But in many cases that info is likely shared with one or more third parties for “marketing purposes”. As the old saying goes, three people can keep a secret so long as two of them are dead. Okay, that’s a little dark, but the point is that the more people (companies) that have the info, the more likely the info will be used in a way you’d rather it wasn’t.
I’m an admitted Apple fan, but Apple Pay seems to be the most private of the bunch by far. Apple’s business model doesn’t require monetizing your personal data – and they’ve come out strongly in favor of privacy. Apple Pay has several cool privacy features that can make using it even more private than a regular credit card (though nothing is as private a cold hard cash). Google and Facebook are ad companies – they want to know as much about you as possible, and few things provide more insight than how and where you spend your money. And according to the already referenced article and this one from Consumer Reports, most of the other apps are monetizing that data one way or another, too.
Venmo is Exceptional (Not in a Good Way)
Venmo has a special problem, though. Venmo is the only payment app that is primarily a “social” app. That’s shorthand for “share as much info as possible, with as many people as possible”. If you weren’t already aware, all Venmo transactions are public by default. According to Venmo, this is a feature, not a bug. That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.
Your Venmo friends list is also public by default. (See update below.) That list may be quiet a bit larger than just the list of people you’ve exchanged money with. If you gave Venmo access to your contact list or linked it up with Facebook, that list could be huge. And available to anyone on the planet. Buzzfeed recently used this “feature” to find Joe Biden’s Venmo account, along with members of his staff, members of Congress, and even their families… and of course, all of their contacts, too. Your social graph can tell an awful lot about you.
[UPDATE: Venmo, bowing to pressure on this issue, has removed the global public feed for transactions.]
Making Venmo Less Public
I would argue that you can’t make an app like Venmo be “private”. Not possible. But if you insist on using it, you can make it more private. EFF has a great guide here with pictures, but here’s the short version:
- Tap Settings (three lines at the top right, the “hamburger button“)
- Select Privacy, then set your “Default Privacy Settings” option to Private
- Then below that, select Past Transactions
- Select Change All to Private and confirm the change
- Back up to the Privacy settings, select Friends List
- Set your friends list to “private”
- Turn off “Appear in other users’ friends lists
- Back to the top level of the Settings, find “Friends & Social”
- From there, unlink Facebook and turn off Facebook Friends and Phone Contacts, if possible.
You can adapt these to your specific needs, of course, but those setting will give you the most privacy. If that’s not enough, I would use Apple Pay Cash if you can, but that only works with other Apple people. I personally use Zelle and PayPal in those situations. They’re not great in terms of privacy, but better than Venmo.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!