Venmo: A case study on why e-mail verification is absolutely required by any web site with account creation
I’ve had my firstname.lastname@example.org address since gmail was in beta, approximately 10 years now.
Now, personally, I don’t find it very difficult to remember my e-mail address. I can type it in just fine. But that’s far too challenging a task for many people, it seems. There’s an Edna, for example, who lives on the other side of the country from me. I know a lot about Edna — I know about her taste in cars and crafting supplies. The main thing I know about her is that she likes to sign up for lots of accounts and she believes her e-mail address is email@example.com. Poor Edna. And poor me, because I get a lot of her junk e-mail.
Sometimes I end up on e-mail threads having nothing to do with me. Two recent examples were a church group planning a camping trip, and a New York apartment complex trying to rally tenants to sue their landlord.
There is an Ed and an Elissa and quite a few others out there who have mistakenly used my e-mail address when signing up for accounts. Usually I can cancel their account or unsubscribe fairly simply. And sometimes I end up on a mailing list of a company that just refuses to take me off. (Car dealerships seem to be the worst at that one.)
Fortunately, many companies use e-mail verification: Before they let someone create an account, they send an e-mail off to whatever address was used to sign up, and require the recipient click on a link to confirm that the e-mail address is actually associated with the person who was trying to sign up. This is a smart process. It’s not entirely foolproof (since the e-mail recipient could confirm the address even if they’re a different person from the one who tried to sign up). But it’s far better than just relying on people to type in their own e-mail address correctly. You simply cannot trust people to be able to do that accurately.
Now a financial company, one that facilitates payments, you’d certainly expect them to use e-mail verification, right? Paypal and Square do. Both have elaborate processes to verify all aspects of your identity, up to and including your bank account (by sending a $1 charge to confirm that your debit card is real).
Today I had an experience with Venmo, a payments company similar to Square and Paypal (but with more of an apparent emphasis on Facebook integration). Venmo requires verification of your phone number, when signing up, but not your e-mail address. (They require e-mail confirmation to receive money, but not to create the account or send money.) Here is the e-mail exchange I’ve had with them earlier today that explains more.
Dear Venmo Support,
At some point in the past, someone named Exxxxxx Stepxxx created a Venmo account. She is apparently not a very attentive person, however, because she used the wrong e-mail address when creating the account — she used firstname.lastname@example.org.
Sad for her, but email@example.com is my e-mail address, and I have had it since when gmail was in beta.
Your company is idiotic to not require e-mail address verification. All of your competitors follow a typical process where an e-mail address cannot be used to create an account (or even changed on an account) unless a customer verifies that they actually have that e-mail address. The typical process is to send an e-mail stating that someone has created an account with this e-mail address, and then there’s a link to confirm the customer received the e-mail — thus proving the customer is in possession of that account.
For a banking company to not require address verification is absolutely moronic.
I had never heard of Venmo before today. I have never received any e-mail from your company before today.
But a friend wanted me to pay for a t-shirt using Venmo, so I tried to sign up today and found my e-mail address was already in use.
I thought perhaps I might have used your service in the past and forgotten about it, so I chose to reset my password.
Soon I received a password reset e-mail, and with one click I was logged in to Exxxxxx Stepxxx’s account.
From there, it appears I could see all kinds of financial and personal information about her account. She had a balance of $0, I didn’t check but it appeared to me that her bank accounts were also linked.
Instead of exploring her account, I chose to deactivate it immediately. She’s lucky.
But I’m flabbergasted that you are such a naive and terrible company that you let any customer type in any e-mail address they want and you just assume that they are able to type in their e-mail address correctly.
If you expect that your customers are actually able to remember their e-mail address and type it in, you are sadly mistaken. As a financial company you absolutely cannot trust people to be able to type their own e-mail address. YOU MUST IMPLEMENT E-MAIL VERIFICATION IMMEDIATELY.
I will create a new account using a different e-mail address to pay for my friend’s t-shirt, and then I will immediately cancel my account, because I suspect your company has one of the worst sets of security employees and practices in the entire financial world. You are demonstrably a completely untrustworthy company.
How can you be still in business?
FYI, I will be posting this to my blog, FriendFeed, Twitter, and Facebook. I will also be submitting this to popular security blogs. I will be recommending to all of my friends to not do business with you.
Please forward this message to your senior management, and in particular your security team.
My cell phone is 4xx-xxx-xxxx should you have any questions.
The true owner of firstname.lastname@example.org for approximately the last 10 years
They replied about an hour later:
Hi Stephen, thanks for your very thorough review of our free service. We definitely appreciate constructive feedback from our users.
We also appreciate you looking out for the security of another user by canceling their account on their behalf.
When you created your account with your alternate email address, we sent a verification email to that address. If it’s not in your inbox, check your spam folder. The process is exactly as you’ve described. The email confirms that an account was set up with that email address, and provides a link for users to click in order to verify the account.
User bank and debit/credit card information is stored securely and entirely encrypted using bank-grade encryption technology. We only display the last four digits of a user’s bank account or card number, just as any other online retailer or financial institution does. This is so our users are clear about what funding sources they have on file at any given time.
We are continually working to improve the user experience and of course, the security of our free service and we value your comments.
I’ve noticed that you did successfully pay your friend but have not cancelled your account yet. If you are still dissatisfied with our free service, you can visit: https://venmo.com/account/settings/cancel to cancel your account.
If you have any questions, please do not hesitate to reach out to us again.
But this isn’t good enough, as my response details:
Thanks for your detailed reply.
As you saw, I did in fact create my new account (and that’s good detective work on your part, since I used a completely different e-mail address). And I did receive an e-mail that offers me the OPTION of verifying my e-mail address in order to receive payments.
But that e-mail does NOT require me to verify the e-mail address to send payment. And most importantly it does not require me to verify that e-mail address BEFORE the account is created! That is completely horrifying and evil.
So, because of your company’s poor security practices, if I had used the wrong e-mail address, then the true owner of that e-mail address would have been able to see:
* My name
* My phone number
* My photo (if I uploaded one)
* My FB friends (if I had linked FB) or any other linked social media
* My transaction history
* The last 4 digits of my debit card and its expiration date
* My zip code (shown on the confirm cancellation screen)
You don’t mention if you’ve escalated this complaint to your security team and management or not. I highly recommend you do so.
It’s not so much that I’m “dissatisfied” with your “free service” as I am completely mortified at how horrifically terrible your security practices are.
I have not yet canceled my account because I’m investigating other ways in which you may be violating my privacy and security. But rest assured I will be canceling very soon.
I am currently in the process of writing my blog post about my experience. Please be advised that all e-mail communication sent to me regarding this case will be considered public and is likely to be included in my post.
Thanks for your quick response. Unfortunately your response doesn’t help with this security and privacy flaw, not by a long shot.