Tuesday, June 18, 2019
Whittaker noted that Salmon, a computer science student, wanted to draw attention to Venmo’s default settings, which render all transactions public. It took Salmon six months to compile the data. “The peer-to-peer mobile payments service faced criticism last year after Hang Do Thi Duc, a former Mozilla fellow, downloaded 207 million transactions,” Whittaker wrote. Despite these actions, Venmo has made no changes to default settings, he stated.
Salmon said he used Venmo’s public API to mine transaction data. On June 12, he released the dataset on GitHub, demonstrating that anyone can grab the publicly available data without even using an API key. “There is some very valuable data here for any attacker conducting OSINT [open-source intelligence] research,” he wrote on GitHub.
Sam Bakken, senior product marketing manager at OneSpan, agreed that a revised Venmo privacy policy that keeps user profiles private, except for those who intentionally opt out, would better serve the platform and its users.
“Venmo purposely designed this functionality into their app in an effort to increase user engagement – it isn't exactly a security vulnerability,” Bakken said. “Last summer, a spokesperson said some users enjoy opening up the app to see what friends, families or strangers are purchasing via Venmo.”
Noting that requiring explicit permission may discourage data sharing, Bakken stated that a more stringent privacy policy would benefit consumers. “I don't see much value in making my Venmo transactions public, and I do see how attackers might potentially find such information valuable as fuel for social engineering schemes or maybe even blackmail,” he said.
Ameya Talwalkar, co-founder and chief privacy officer at Cequence Security, pointed out that scraping attacks can be difficult to detect and wreak havoc on business environments and public infrastructure. “Many of today’s hyper-connected organizations are faced with the challenge of how to address content scraping attacks in an efficient and scalable manner,” he said. “The impact of this attack can be wide-ranging, starting from overspending on infrastructure to devastating loss of intellectual property.”
Content scraping attacks are also difficult to prevent, Talwalkar stated, because they can happen anywhere within a domain, which forces businesses to inject bot mitigation tools into every web application and endpoint. These attack vectors are dynamic in nature, which helps them rapidly scale while eluding detection. When scraping attacks face resistance from Web applications, they can simply switch to API endpoints to achieve their goal, he added.
“Scraping attacks leverage application APIs and endpoints,” he said. “The use of API endpoints is rapidly becoming a critical element in the move towards a more rapid, iterative application development workflow. The same information that may be consumed by mobile customers, partners, aggregators from a rich web-based interface is also available via the API endpoints.”
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
