Dear Lifehacker,
Services like Venmo, Square Cash and other instant money-transfer services make sending money to friends, splitting a check, or paying the rent easy. However, Venmo was just called out for its lax security, and now I'm spooked. Which of these apps are secure? Can I trust them?
Sincerely,
Mobile Moneymaker
Dear Mobile Moneymaker,
Money transfer services that let you send money from your bank account to anyone with a few clicks at your computer, or a few taps on your smartphone, are fairly popular. Once you're used to sending money to a friend by email address or phone number instead of asking them for banking and routing information, it can be really convenient. It's even better if you live far apart, don't carry cash, or want to send money instantly instead of waiting for your bank to process the funds.
However, whenever you grant a service access to your bank account, you also open the door to identity theft, stolen money, fraudulent transactions, or worse. Like you mentioned, last week Venmo, one of the most popular apps of this type (owned by PayPal), got caught up in a nasty hack that ended up with one user out several thousand dollars. Subsequently, the company halfheartedly agreed to tackle its security problems.
How Secure Are These Services Overall?
On the surface, all of these services do the right things. They all use SSL to protect your identity and activity when you use their apps and web sites. They all keep your personal data encrypted, keep your passwords salted and hashed, and do their best to make sure that communication with your bank, and with other users, is always encrypted and direct so there's no chance others are snooping on them.
They all have security policies and help pages that say the right things. They warn users to avoid phishing emails, watch their transactions, and avoid authenticating too many devices. For example, Venmo's security page explains how they use "bank grade" encryption to protect your account, as well as how you can set up a PIN to prevent unwanted access on your device. They also explain how to disconnect a device from your account if it's lost or stolen. Square Cash goes a step further and explains they're PCI compliant (to be fair, so is Venmo). Beyond that though, they only have instructions on how to avoid phishing and other fraud attempts. On the bright side, they all keep your data encrypted at rest, so a hack could obtain email addresses, names, and encrypted passwords, but likely not transaction histories, bank account info, balances, or anything sensitive. Of course, Venmo users are bad enough about making transaction histories public, which is a problem of its own.
However, neither Venmo nor Square Cash (nor many others in this space) has basic security features like two-factor authentication, or notifications when your password has been changed or reset, or when a new device has been added to your account. Some don't even have mandatory notifications when you process a transaction. In Venmo's case, this—combined with one user who had what per-transaction notifications there are turned off—led to a user being spoofed out of over $2000, which he then had to try and recover through his bank, thanks to some fine print in Venmo's terms of service agreement.
PayPal's security homepage, however, is a deeper dive than either of the other two (and most other mobile payment services), largely because PayPal doesn't just route money—they're effectively a bank. They have more rules they have to follow, and while PayPal certainly has its issues, they offer more information about how they secure your account, how you can further protect your account, and how to file disputes, chargebacks, and other issues with them. To their credit, PayPal does offer two-factor authentication, and notifications on account changes like password resets. However, PayPal is Venmo's parent company, and the fact that those security features haven't trickled down yet is a problem.
Google Wallet, for its part, has tons of information on how to stay safe using their service, and since they're also a payment processor you can use to buy online, or buy in-person at supported retailers, it's easy to both send money to friends and make purchases with your Google Wallet account. Putting money into your Google Wallet account is easy, and so is using Google Wallet for purchases. However, getting money back out, as in someone sends you money or you want to transfer a balance back to your bank account, can be pretty difficult. That's good from a safety perspective, but definitely less convenient than some other services.
Which Ones Are The Most Secure?
On their face, PayPal and Google Wallet would be the most secure. The others are new, and their aim is to make sending and receiving money convenient. That convenience comes with sacrifices. PayPal and Google Wallet throw up more blocks that make it tougher to access money sent through the service—which also means it's tougher for you to get your own money when you want it.
That doesn't, however, make either service "hackproof." PayPal has had its share of security worries in the past. It's never suffered a broad intrusion, but that doesn't mean it's not possible. Google Wallet has suffered a series of hacks. All of this just means both services have larger corporate backing, more attention to security, and more resources to devote to security. That's a thin screen, but it's more than the competition.
With Venmo, Square Cash, and others, if you tie the app directly to your bank account using its account number and routing number (Update: Square Cash, to their credit, only allows you to tie to a debit card—not direct bank information), you can send and receive money instantly from anyone, anytime, without waiting for money to clear or for banks to pretend "business hours" are required to process money electronically. However, the flip side is that if your account with Venmo or Square is compromised, so is your bank account or debit card—they can help you, but you'll likely (as the victim in the Venmo affair discovered) have to close your bank account and open a new one before you can get access to your money again, which is a huge hassle.
In short, the same features that make these apps convenient and fast are the ones that open up doors to social engineering and phishing attacks.
What Are Some Alternatives?
There are a few alternatives to these money payment services, although they may not be as convenient. The luxury of sending cash to anyone, using just their phone number or email address, is a pretty big draw. Even so, it's worth looking into what your bank offers. Most banks allow you to send money to others just as easily, either through their mobile apps or on their web site. For example, Chase offers Chase Quick Pay, Wells Fargo offers Wells Fargo Sure Pay, and Bank of America offers a similar service, just without a snappy name.
In most cases, if the person you're sending to is with the same bank, all you'll need is their email address. The money is transferred immediately, shows up in your (or their) account instantly, and there are no fees. If they're not, you may need their account number and routing number, which can be difficult if you're just trying to split a check, or go halfsies on a Netflix subscription. You may incur fees depending on how much money you send, and you'll probably have to wait a business day or two before the money gets where it's going. It's much less convenient, but since everything is handled by each corresponding bank, there's no middleman to worry about.
Of course, part of the billing of services like Venmo and Square Cash is that it's "easy to split the bill on fun activities." While it's not always practical, there is always the option of just splitting the check at the restaurant with multiple cards, paying your friends back later, or, arcane as it might be, carrying cash.
Should I Trust These Services at All?
With all of these security issues, it's tempting to give up on mobile money transfer. If the outrage over Venmo's security issues is any indication, more than a few people have. Many others look at apps like these and immediately say "There's no way I'd trust some random Silicon Valley company with access to my bank account," and that's fine too.
However, it's not fair to say these services are insecure, or that you should avoid them. These startups are new, and while there are certainly security concerns, there's no specific reason that any of these services are untrustworthy, or inherently dangerous. Any app, company, or service that handles money is going to be a target for people who want to get access to that money.
If you do choose to use them, make sure you enable any and all security features they have, and watch your transactions like a hawk. Keep your notifications turned on, and keep the number of devices connected to your account low. Being smart and vigilant about how you use these apps is the most important thing you can do—and if you can't, or you're worried that's not enough, opt for more secure alternatives, even if they're less convenient. At the end of the day, you have to find your personal sweet spot between security and convenience, then make that decision with both eyes open.