Your Venmo Data is Public Information

Jerry DiMaso
Published in Data Flows
Sep 23, 2019
Ever wonder?

Venmo™ disrupted the peer-to-peer payment scene — it was like one day I had never heard of Venmo and the next everyone had been using it for their whole lives. It has become the household name for money transfer among friends; everyone knows what “Venmo me” means, even if you don’t use Venmo as your payment exchange platform. I remember in the early days, you could see all your friends in the activity feed, who was paying who and for what, even the transaction amount.

As it turns out, your Venmo data wasn’t just public to people in your contact list. It is publicly available data that anyone can pull from the Venmo API without even so much as an API key. So, if you don’t explicitly switch to private mode for each transaction you do, that data is public for anyone to pull. This potential data ethics violation was recently brought to light by Dan Salmon (@sa7mon), who extracted over 7 million records of public record data from Venmo and posted the dataset on GitHub.

If you’re not into getting tracked, you can set your default payment visibility to Private under Settings > Privacy, or you can set it on a per-payment basis when you’re making the payment by clicking the text in the bottom-right corner of the “Pay or Request” screen, as seen below.

Venmo™ screens that demonstrate how to set your personal privacy policy to “Not in my house!”

As data nerds, we wanted to take this data for a spin. So we fired up Knarr, pulled in this 7-million-row dataset, and hopped into a datastorming session. The first thing we did was search for ourselves, which thankfully yielded no direct results. However, I did find some family members. The danger here is that if I know your name, I can do some serious social engineering. I can see what you pay for. Who you are friends with. Who they are friends with. I can create a profile of your speech patterns. I can even see your picture and your bio. It would be easy to use this information to impersonate you effectively. An OSINT hacker’s dream.

In the image below, we search the pizza Emoji™ and find that there is a huge spike in people paying for pizza in October of 2018. At this point, we must find out the cause of this sudden onset of pizza fever…

Search by pizza Emoji™ 🍕reveals pizza madness in October 2018

Upon further inspection, we found that the taco Emoji also revealed a huge uptick in transactions for the same time period, as did a text search for Chinese Food. A quick Google search showed that there was a series of promotions with GrubHub and Venmo in the fall of 2018, specifically targeting students. Students liking pizza, tacos, and Chinese food isn’t a groundbreaking insight, but you can see clearly in the gif above that people’s written mannerisms are visible and could be replicated.

Below, we have an interesting example where we search the top users by transaction count using their IDs and discover a person who has, over the limited course of this dataset, paid the same individual 360 times with apparent phone numbers in the note, presumably to identify the actual payor. This could be perfectly innocent, but might not be a bad way to route payments in an untraceable way. You know, if the person didn’t have their transactions marked as “Public”. 🙄

Apparent Venmo compulsive pays same person hundreds of times with only small amount of emotion

These are some fun examples, but it’s important that we recognize how our data is being stored and displayed by the apps and platforms we use, especially when they are supposedly free.

The tool we used to do this Collaborative Analytics session is called Knarr. We’ll be posting this and more datastorming sessions to our YouTube channel over the next few weeks and months, so be sure to check them out!

-Jerry

This is the first in a series of posts where we explore interesting data sets using Knarr, a data collaboration tool. You can sign up for our beta at https://knarr.io
