SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 232: Practice Safe Venmo and Update Your Stuff

Posted on May 28, 2021

On this week’s Checklist, we’ll talk about Venmo’s privacy issues — and we’ll tell you why it’s update time again!

Venmo doxes the President

Venmo is a popular mobile payment platform. It’s also, in the words of one security expert, “a privacy nightmare”.

U.S. president Joe Biden found that out the hard way when BuzzFeed journalists discovered his personal Venmo account — along with an extensive network of his personal social connections.

It seems that a New York Times piece mentioned in passing that Biden sometimes used Venmo to send money to his grandkids. That little tidbit piqued the BuzzFeed reporters’ curiosity, and they started searching for the President’s Venmo profile. They found it in under 10 minutes — using nothing more than the platform’s search function and its public friends feature.

The incident underscores some serious privacy issues with Venmo — issues that critics have been talking about for years now. For one thing, Venmo publishes user transactions to social media-like feeds (minus the actual dollar amounts). Venmo users also have a “friends list” of other users that they’re connected to. These lists are visible to other people on the platform.

Venmo’s oddly social dimension is the result of the platform’s history. Although it’s now a large payment service (owned by PayPal, no less), Venmo was originally conceived as a fast and easy way for friends and roommates to send one another small amounts of money. Since the founders envisioned Venmo being used by people who knew each other well (or even lived together), the social aspect was seen as a way to make the service engaging, and to help grow the user base.

But unfortunately, this has created privacy problems for users. As some observers have pointed out, Venmo has already revealed the patient lists of counselors, resulted in women being stalked by their boyfriends, and exposed the confidential sources of journalists.

Lessons for John Q. Public

The Biden Venmo account has now been removed, but the fact that such a high-profile individual was found with such apparent ease should be a wake-up call for the rest of us.

For one thing, all Venmo users should take steps to protect their privacy on the platform (more on this in the next section).

In addition, consider the fact that a casual comment to a reporter led to President Biden’s personal information being exposed. This is a good reminder of why it’s so important to keep the details of your personal life private online. Most of us aren’t going to be talking to Times reporters, of course. But many of us use social media, and publish things about our personal lives there. If that information is public-facing — for example, if we haven’t restricted our Facebook posts to friends only — it could make its way into the wrong hands. This sort of “open source intelligence” is often how bad guys find material for targeted phishing attacks, social engineering schemes, and scams. If you need some help with how to safeguard your privacy, the Electronic Frontier Foundation maintains a useful guide to protecting yourself on social networks.

Making Venmo safer

If you use Venmo, you should take a few moments to consider the privacy implications. For one thing, strangers might be able to see details of your activity on the platform. In addition, other people can see who your Venmo friends are. This could reveal information about your personal network — information that you might prefer to keep private.

If you’re concerned about these Venmo privacy issues, here are some recommendations for how to use the service more safely.

  1. Set transactions to private by default

    Venmo transactions are public by default. You can set individual transactions to private, which is nice, but it also means you’ll have to remember to switch the transaction over to private as you make it. For most users, setting all transactions to private by default is the way to go. To do this, open the Venmo app and go to Settings > Privacy. Look for the Default Privacy setting and change it to (you guessed it) Private.

  2. Switch past transactions to private

    If you’ve used Venmo for a while, you may have a lot of past transactions that are visible on the platform. You can change these to private retroactively if you like. You can’t undo this, so make sure you really want to hide all of those old transactions before you pull the trigger. To make past transactions private, go to Settings > Privacy and look for Past Transactions. Set it to Private and you’re done!

  3. Change your Venmo username

    Many people use their real names on Venmo, or something pretty close. Venmo even recommends this, saying it will help your “friends” to find you. True, but the problem is, it will also help other people to find you! If you’d like to be a little harder to find in Venmo’s search engine, change your name to something a bit more anonymous. You can do this by going to Settings > Edit Profile and typing in a new username.

  4. Unfriend some people

    On Venmo, everyone can see your friends list. That can be a real privacy issue, especially if you’ve imported your phone’s contacts list or all of your Facebook friends. It’s a good idea to limit your Venmo friends list to only those people who you regularly use the service with … and to remove everyone else. To remove someone from your friends list, go to their profile, tap the checkmark next to Friends, and tap Unfriend.

  5. Block problem users

    If a specific person is a privacy threat, you can block them on Venmo. This could be a nosy friend or relative, an ex or a harasser, or maybe just people from your workplace. Basically, if you think someone might use Venmo to snoop around and uncover details about your personal life … block them! This prevents them from finding your profile in the Venmo search tool. To do this, go to the person’s Venmo profile, tap the three little circles in the upper right, and then use the red Block User option.

Yet another updates update

Updates again? You bet!

Apple released the latest round of OS updates earlier this week, and they included a patch for a serious Mac security issue.

It seems there was a 0-day bug in macOS’s Transparency, Consent, and Control (TCC) framework. TCC requires apps to get a user’s permission before performing sensitive actions (for example, taking a screenshot).

At least, that’s how TCC is supposed to work. But the bug allows malware to circumvent TCC by “borrowing” the permissions of other apps installed on the system. A malicious app could thus take screenshots or log keystrokes without having to ask the user for permission. Unfortunately, this one is more than just theoretical (again). Researchers have already seen evidence that the XCSSET family of malware is exploiting this vulnerability in the wild.

The bug is patched in macOS 11.4, so if you haven’t updated already, you should do so right away. The same update fixes nearly 60 other security issues as well.

In addition, Apple has issued security updates for all of its other OSes. The updates are as follows: iOS 14.6, iPadOS 14.6, watchOS 7.5, and tvOS 14.6. Each of the updates contains dozens of security fixes so … yeah … time to update it all!

That brings us to the end of this week’s Checklist. To find more digital privacy tips, have a look at our show archives. If you have a security or privacy question that you’ve been wondering about, write to us and let us know! We may answer it on a future edition of the podcast.
