But users aren’t always aware where the banking information they give a financial app like Venmo is going.
The spread of data online -- largely without user knowledge -- is a hot-button topic as more people use their phones to bank, shop and store valuable information such as insurance or passport details.
In the case of Venmo, banking log-in credentials are sent to an aggregator called Plaid. Plaid is the connector between banks and the app, taking a user’s information and using it to unlock the bank account.
Plaid connects more than a quarter of U.S. bank accounts to financial services apps, according to CNBC.
“I would absolutely share not any kind of username, password or credential with any kind of third-party service,” Baldwin Wallace assistant professor Brian Krupp said. “I think you have to take a step back and ask it if the service is worth me sharing information with the potential of it being compromised.”
The company collects banking user names and passwords, but also can scrape information like account balances, user device information, loan balances and more. What they collect depends on what app you’re using, according to its website.
“The biggest issue (with third-party apps in general) is that users don’t have fine-grained control over their privacy,” Krupp, who leads a mobile, privacy and security research group, said. “So you have no way of telling whether or not that app is sending that information to advertisers, servers (or) whether it’s selling it off.”
Venmo or parent company, Paypal, did not respond to request for comment for this story.
Who Do You Trust With Your Data?
The Pew Charitable Trusts in 2019 conducted a survey on mobile payments, which found 56 percent of adults had made a mobile purchase in the last year. Mobile transactions are defined as transactions conducted via smartphone apps.But, the same survey showed that showed that consumers trusted debit and credit card security more than they did mobile payments.
Pittsburgh-based PNC started to alert its consumers recently about potential problems with financial apps and third-party data aggregators.
“The fact that the sensitive information outlined above is maintained by an outside party is concerning,” a post on PNC’s website reads. “Of particular concern to us is the storage of account numbers by a third party, because fraudsters, if armed with this information, would have the access they need to move money from our customer accounts.”
PNC partners with Zelle, one of Venmo's biggest competitors. Zelle, which also maintains a stand-alone app, partners with hundreds of banks to allow customers to send money digitally.
Zelle is often built into the bank’s online or mobile services. For example, what was once Chase QuickPay is now Chase QuickPay with Zelle.
PNC customers complained in December that recent security upgrades stopped them from connecting their accounts to financial apps, including Venmo, according to the Pittsburgh Post-Gazette.
The issue was that the Plaid data aggregator didn’t meet PNC’s new security requirements. Though there seemed to be manual workarounds, some claimed that PNC worked to divert customers away from Venmo to Zelle, which the bank denied.
Other banks have issued warnings about providing bank information to outside apps. Chase’s CEO addressed concerns in a 2015 shareholders letter, but took a different approach to boosting security.
The bank signed an agreement with Plaid and other financial tech services like Intuit, which powers budgeting app Mint and tax software TurboTax. Instead of copying user information this agreement would allow Chase to share information with the services through a secure portal.
“There’s not an answer that would say because your bank is part of your partnership that you’re good to go,” Krupp said. “From my experience in industry in those type of integrations, you can put more trust in that because now your bank is taking accountability.”
Krupp said direct partnerships like the one between Zelle and its member banks work differently; the app doesn’t take a user’s credentials and log in. Instead, the app asks the bank to confirm the user’s identity. Krupp compares it to a “handshake.”
How Do You Protect Your Data?
PNC on its website states it supports secure financial app use, and that it’s working on better ways to connect with financial apps. The bank issued a list of recommendations when choosing financial apps.PNC advises making sure whatever app you’re using encrypts its data. Encrypted data is coded and can only be decoded by the correct encryption key.
Both Venmo and Plaid use encryption to protect consumer data, according to the companies’ respective websites.
Krupp, who favors Apple Pay, advises checking on how services make their money before trusting them with information. Facebook and Google aren’t paid services for most users, but information is being used for targeted advertising.
“If I’m not paying for it, typically it’s going to be in some form of data that I shared.”
©2020 The Plain Dealer, Cleveland. Distributed by Tribune Content Agency, LLC.
