When linking a bank account, one of the options on Venmo is to provide the username and password of your online banking account. I can't seem to find people criticizing this practice, which surprises me, since I feel like it goes against every rule of credential security.

Wouldn't Venmo have to store the password in plaintext to use it, i.e, send it on to my bank for verification? Wouldn't that create inherent vulnerabilities? How is this an acceptable business practice? Am I missing something?

Daniel B
  • You are right, your password is a secret which should not be shared. I am not a user of Venmo, but [Wikipedia](https://en.wikipedia.org/wiki/Venmo#Security_and_criticisms) seems to indicate that there are some criticisms regarding their security level. – WhiteWinterWolf Aug 06 '17 at 17:53
  • The [paper](https://courses.csail.mit.edu/6.857/2014/files/13-benkraft-jmoldow-mannes-venmo.pdf) linked on Wikipedia is definitely additionally concerning, but it doesn't address what seems to me like a deep flaw in concept, not just the implementation. – Daniel B Aug 06 '17 at 18:14
  • Is this feature limited to a few selected banks? If so, I can imagine that Venmo *may* have passed a special agreement with them and *may* use your login and password only to obtain a ticket, and that only this ticket gets stored in the database, not your bank credentials (but this is just guessing; in any way they should never have to ask you for your bank password, this should have been designed a different way). – WhiteWinterWolf Aug 07 '17 at 08:49
  • To [quote Jeff Atwood](https://blog.codinghorror.com/please-give-us-your-email-password/): "Frankly, it's irresponsible to even ask this question. Naive internet users may not understand why it is such a profoundly bad idea to give out their email [or banking] credentials to random websites" – GnP Aug 08 '17 at 22:57
  • Bank of America has a personal financial manager (from Yodlee) that (if you wish to use it) requires your credentials for external services for automatically pulling transaction data. They haven't gotten in trouble for it so I assume it's okay. – user541686 Aug 10 '17 at 06:18
  • I didn't like that either. I wasn't about to give them information to sign into my bank, so I did some digging. Found a document (see link below) that explained you can get around that by listing the bank as 'Other' and then you only need to put in routing and account number. https://help.venmo.com/hc/en-us/articles/221073067-Verifying-Your-Bank-Account – Guesting Oct 12 '17 at 16:07

1 Answer

A similar situation seems to happen with Paypal. When asked to enter banking information it claims 'It's safe to share this information. Paypal doesn't save it'. But Paypal is clearly the intermediary between you and your bank and, it seems to me, would have to decrypt and re-encrypt the password at least once. And since Paypal owns Venmo this could be a very similar method now.

From following the references at the Venmo Wikipedia Link (although they may be slightly dated) mentioned in the comments, I would be very hesitant to link a bank account or credit card to Venmo. Although having Paypal's fingers in my stuff doesn't feel much better.

Best practices for using Venmo seem to be to transfer a small amount into your Venmo account rather than linking your life savings to it.

flerb
  • PayPal *may* use your bank credentials only to request a ticket from the bank, and then only store this ticket in their database, throwing your credentials away. So PayPal doesn't technically *"have to decrypt and re-encrypt the password."* Nevertheless, I don't feel this is as secure, as it accustoms users to communicating their passwords to third parties, which is not a safe practice. – WhiteWinterWolf Aug 07 '17 at 08:58
  • The secure way to do this would be to redirect to the bank's site for login, then back again. – Hector Oct 13 '17 at 07:06
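The "ticket" design WhiteWinterWolf guesses at and the redirect Hector recommends, as an added toy model in Python (not Venmo's, PayPal's or any bank's code; every name and value is constructed): the user logs in on the bank's own site, the bank hands the linking app a single-use code that it exchanges for a scoped, revocable token, and the app's `stored` record shows what a breach of the third party would expose under each design.

```python
import hashlib
import secrets
# Constructed toy model (not Venmo's, PayPal's or any bank's code): one bank, one
# account-linking app, and the two ways the app can get at the account.
def _hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()  # toy only; banks use a slow KDF

class Bank:
    def __init__(self):
        self.users = {"alice": _hash("correct horse")}  # constructed account
        self.codes, self.tokens = {}, {}
    def login(self, user, pw):
        # Full online-banking session: what an app gets when it holds the password.
        if _hash(pw) != self.users.get(user):
            raise PermissionError("bad credentials")
        return {"user": user, "can": ["transfer", "view", "change_password"]}
    def authorize(self, user, pw, client_id, scope):
        # Runs on the bank's own site after the redirect; the app never sees pw.
        self.login(user, pw)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, tuple(scope))
        return code
    def exchange(self, code, client_id):
        # Single-use code -> scoped token, bound to the client the user authorized.
        user, owner, scope = self.codes.pop(code, (None, None, ()))
        if owner != client_id:
            raise PermissionError("code unknown, already used, or issued to another client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, scope)
        return token
    def account_details(self, token):
        # The only thing the ticket unlocks; it is not a login and can be revoked.
        user, scope = self.tokens.get(token, (None, ()))
        if "account:verify" not in scope:
            raise PermissionError("token revoked or lacks scope")
        return {"user": user, "routing": "000000000", "last4": "1234"}  # constructed
    def revoke(self, token):
        self.tokens.pop(token, None)  # cuts the app off without a password change

class LinkingApp:
    client_id = "linking-app"
    def __init__(self):
        self.stored = {}  # exactly what a breach of the third party would expose
    def link_with_credentials(self, bank, user, pw):
        bank.login(user, pw)  # works, but the app now holds the bank password
        self.stored = {"user": user, "password": pw}
    def link_with_redirect(self, bank, code):
        self.stored = {"token": bank.exchange(code, self.client_id)}
    def verify_account(self, bank):
        return bank.account_details(self.stored["token"])
```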