The trendy payment app Venmo is facing perhaps the worst public relations crisis in its short history: a damning Slate article detailing Venmo's lack of basic security and notification features, which leaves its users highly vulnerable to hackers.
And its response to the crisis, at least so far, suggests the company doesn't care to discuss how it plans to fix the app's serious problems. Venmo provided no comment for the Slate story, despite reporter Alison Griswold showing up at the company's New York offices (Slate and Venmo share a building).
The story led to a torrent of social media lamentation, with users promising to delete Venmo or at least delink their bank accounts from the app. And even this afternoon, responding to an enquiry from BuzzFeed News, Venmo showed little interest in addressing the story.
The article detailed Venmo's slow response to users who ask for help in the wake of hacking attacks, even when the sums involved are in the thousands of dollars, as well as two key flaws in the service that leave users vulnerable to hacks.
First, Venmo does not use two-factor authentication, a security feature that is becoming standard and is highly encouraged by companies like Google and Facebook. Second, it does not send a notification email to users if their passwords and email addresses are changed, leaving them unaware if hackers have broken into their accounts.
Because many Venmo users often directly link their bank accounts to the service—which Venmo encourages—fraudulent charges can result in accounts being shut down, with their funds inaccessible for days.
The report comes at a sensitive time: Venmo's current parent company, eBay, is spinning off its PayPal unit, which owns Venmo thanks to its acquisition of payments company Braintree in 2013.
The app has an almost cult-like following among some users, who depend on it to quickly and easily split restaurant checks and taxi rides, or settle small debts between friends. It had largely avoided the reputation for poor security and customer service that had long bedeviled PayPal-branded products.
The Slate story, in this context, is particularly troubling for the company. BuzzFeed News reached out to Venmo for comment this morning, emailing Venmo, Braintree, and PayPal. After a few hours, the company provided these four sentences from Michael Vaughan, Venmo's general manager:
At Venmo, our most important job is to protect our customers and provide a safe experience. We are continuously improving product and security measures but there is always more to do. We have teams dedicated to fraud prevention, customer support, and operations working tirelessly behind the scenes, and we always guarantee our users' funds. Our customers put their trust in us and we take that responsibility seriously.
If that reads like a non-response, that's because it is exactly that. We followed up with specific questions about whether Venmo would be rolling out two-factor authentication or notifications after login information is changed, and asked the company to explain why Venmo doesn't already have those features. We have yet to hear back.
In the meantime, we're trying a novel method to reach out directly to Venmo's boss:
Venmo's general manager, Michael Vaughan, released a lengthy statement Friday addressing "some commentary" about the company's responsiveness to customers and the security of its service.
"First things first, I want you to know a lot of what we do to protect you is happening behind the scenes," he said. "We focus on your safety and overall experience as a whole. We don’t build for features just for features’ sake."
He also sought to assure customers that Venmo was "continuously improving product and security measures," although he did not elaborate on what those efforts were.
"We have a bunch of things we’ve been working on and we’ll share more of those with you soon," Vaughan said. "While we know that we measure up favorably against the industry standards for fraud prevention, we aren’t sitting back."
He then went on to outline basic customer tips for optimizing account security, but did not directly address the concerns brought up in the Slate article.