Millions of Venmo transactions scraped in warning over privacy settings

A computer science student has scraped seven million Venmo transactions to prove that users’ public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of Venmo transactions in a similar feat.

Dan Salmon said he scraped the transactions during a cumulative six months to raise awareness and warn users to set their Venmo payments to private.

The peer-to-peer mobile payments service faced criticism last year after Hang Do Thi Duc, a former Mozilla fellow, downloaded 207 million transactions. The scraping effort was possible because Venmo payments between users are public by default. The scrapable data inspired several new projects — including a bot that tweeted out every time someone bought drugs.

A year on, Salmon showed little has changed and that it’s still easy to download millions of transactions through the company’s developer API without obtaining user permission or needing the app.

Using that data, anyone can look at an entire user’s public transaction history, who they shared money with, when, and in some cases for what reason — including illicit goods and substances.

“There’s truly no reason to have this API open to unauthenticated requests,” he told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
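To make the point in that quote concrete, here is an added example (not Venmo's API or Salmon's scraper) of a public-activity feed endpoint that only answers requests carrying a valid session token and caps how many pages one session can pull. The `FeedServer` class, the bearer-token scheme, the request budget and the sample transactions are all constructed for illustration.

```python
"""Added example: a public-activity feed that refuses unauthenticated
requests and limits per-session page pulls. Not Venmo's code; the class,
token scheme, budget and sample data are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class FeedServer:
    # Constructed sample data standing in for a public transaction feed.
    transactions: list = field(default_factory=lambda: [
        {"id": 1, "from": "alice", "to": "bob", "note": "pizza"},
        {"id": 2, "from": "carol", "to": "dave", "note": "rent"},
        {"id": 3, "from": "erin", "to": "frank", "note": "coffee"},
    ])
    sessions: dict = field(default_factory=dict)       # token -> username
    requests_seen: dict = field(default_factory=dict)  # username -> count
    page_size: int = 2
    max_requests_per_session: int = 100  # hypothetical per-session budget

    def login(self, username):
        """Issue an opaque, unguessable session token to a logged-in user."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def _session_for(self, headers):
        """Return the username behind a 'Bearer <token>' header, or None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        # Constant-time comparison so token checks do not leak timing.
        for token, user in self.sessions.items():
            if hmac.compare_digest(token, presented):
                return user
        return None

    def public_feed(self, headers, page=0):
        """Serve one page of the feed; 401 without a session, 429 over budget."""
        user = self._session_for(headers)
        if user is None:
            return 401, {"error": "authentication required"}
        count = self.requests_seen.get(user, 0) + 1
        self.requests_seen[user] = count
        if count > self.max_requests_per_session:
            return 429, {"error": "request budget exhausted"}
        start = page * self.page_size
        items = self.transactions[start:start + self.page_size]
        return 200, {"viewer": user, "items": items}


if __name__ == "__main__":
    server = FeedServer()
    print(server.public_feed({}))  # anonymous request is refused
    token = server.login("alice")
    print(server.public_feed({"Authorization": "Bearer " + token}))
```

The two checks address the two halves of the complaint: the token check ties every feed request to a logged-in account, and the per-session budget means bulk collection of the whole feed can no longer be done anonymously and at scale from a single caller.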

He published the scraped data on his GitHub page.

Venmo has done little to curb the privacy issue for its 40 million users since the scraping effort blew up a year ago. Venmo reacted by changing its privacy guide, and later updated its app to remove a warning when users went to change their default privacy settings from … Read the rest

After Equifax breach, US watchdog says agencies aren’t properly verifying identities

A federal watchdog says the government should stop relying on the credit agencies to verify the identities of those using government services.

In a report out this week, the Government Accountability Office said several government departments still rely on the credit agencies — Equifax, Experian and TransUnion — to check if a person is who they say they are before they can access their services online.

Agencies like the U.S. Postal Service, the Social Security Administration, Veterans Affairs, and the Centers for Medicare and Medicaid Services ask several questions of a new user and match their answers to information held in an individual’s credit file. The logic is that these credit files have information only the person signing up for services can know.

But following the Equifax breach in 2017 those answers are no longer safe, the watchdog said.

The Equifax breach resulted in the theft of data on 148 million consumers. Much of the consumer financial data had been collected without the explicit permission of those whose data it held. An investigation later found the breach was “entirely preventable” had the credit agency employed basic security measures.

“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” wrote the watchdog.

In response, the named agencies said the cost of new verification systems is too high and may exclude certain demographics from the population.

Only Veterans Affairs implemented a new system but still relies on knowledge-based verification in some cases.

The other downside is that if you have no credit, you simply don’t show up in these systems. You need a credit card … Read the rest

Creative Destruction Lab’s second Super Session is an intense two-day startup testbed

Canadian startup program Creative Destruction Lab (CDL) escapes succinct description in some ways — it’s an accelerator, to be sure, and an incubator. Startups show up and present to a combined audience of investors, mentors, industry players (some of whom, like former astronaut Chris Hadfield, verge on celebrity status) — but it’s not a demo day, per se, and presentations happen in focused rooms with key, vertically aligned audience members who can provide much more than just funding to the startups that participate.

North founder Stephen Lake onstage at CDL’s Super Session 2019

Seven years into its existence, CDL really puts on a show for its cornerstone annual event (itself only two years old), and clearly shows the extent to which the program has scaled. From an inaugural cohort of just 25 startups with a focus on science, CDL has grown to the point where it’s graduating 150 startups spanning cohorts across six cities associated with multiple academic institutions. It has consistently added new areas of focus, including a space track this year, for which Hadfield is a key mentor, as is Anousheh Ansari, the first female private space tourist to pay her own way to the International Space Station and the co-founder and CEO of Prodea Systems.

The ‘Super’ in Super Session

This is the second so-called “Super Session” after the event’s debut in 2017. It includes roughly 850 attendees, made up of investors, mentors, industry sponsors and the graduating startups themselves. As CDL Fellow Chen Fong put it in his welcoming remarks, CDL’s Super Session is an opportune moment for networking, mentorship and demonstration of the companies the program has helped foster and grow.

A keynote track included talks by Ansari and Hadfield, as well as from Celmatix CEO and founder Piraye Beim, and a fireside chat with … Read the rest

Card readers at electric vehicle charging stations will weaken security, researchers say

Electric vehicle charging stations could become one of the next big targets for fraudsters — thanks to proposals in several states that researchers say would weaken their security.

Most electric vehicle (EV) charging stations rely solely on a credit card linked to an app or through contactless payments with RFID-enabled credit cards or through a driver’s smartphone. Contactless payments are one of the most secure ways to pay, cutting out the credit card entirely and reducing the chance that a card will be cloned or have its data skimmed. For charging stations — often in the middle of nowhere and unmonitored — relying on contactless payments can reduce device tampering and credit card fraud.

But several states are proposing that EV charging stations install magnetic stripe credit card readers, which the researchers say are prone to abuse by fraudsters.

Arizona, California, Nevada, Vermont, and several states across New England are said to be considering installing credit card readers at publicly funded EV charging stations.

“While these proposals may be well-intentioned, they could expose drivers to new security risks while providing cyber criminals with easy access to attractive targets,” wrote security researchers April Wright and Jayson Street, in a paper out Monday by the Digital Citizens Alliance, a nonprofit consumer group.

Instead, they say EV charging stations and other point-of-sale machines should continue to rely on contactless payment methods and lawmakers “should engage with the security community to better understand fraud risks associated with credit card readers.”

“These proposals would effectively reverse the industry’s careful considerations regarding EV charger payment options,” said the researchers.

Much of the problem stems from the continued reliance on magnetic stripe cards, which remain one of the most common payment methods in the U.S.

Where other nations, including the U.K. and most of Europe, have adopted chip-and-PIN as … Read the rest

Fintech platform Synapse raises $33M to build ‘the AWS of banking’

Synapse, a San Francisco-based startup that operates a platform enabling banks and fintech companies to easily develop financial services, has closed a $33 million Series B to develop new products and go after international expansion.

The investment was led by Andreessen Horowitz, with participation from existing backers Trinity Ventures and Core Innovation Capital. Synapse — which recently rebranded (slightly) from “SynapseFi” — announced a $17 million Series A back in September 2018, so this deal takes it to $50 million raised to date.

The startup was founded in 2014 by Bryan Keltner and India-born CEO Sankaet Pathak, who came to the U.S. to study but grew frustrated at the difficulty of opening a bank account without U.S. social security history. Inspired by his struggles, Synapse, which operated under the radar prior to that Series A deal, is focused on democratizing financial services.

Its approach to doing that is a platform-based one that makes it easy for banks and other financial companies to work with developers. The current system for working with financial institutions is frankly a mess; it involves myriad different standards, interfaces, code bases and other compatibility issues that cause confusion and consume time. Through developer- and bank-facing APIs, Synapse aims to make it easier for companies to connect with banks, and, in turn, for banks to automate and extend their back-end operations.

Pathak previously told us the philosophy is a “Lego brick” approach to building services. Its modules and services include payment, deposit, lending, ID verification/KYC, card issuance and investment services.

“We want to make it super easy for developers to build and scale financial products and we want to do that across the spectrum of financial products,” he told TechCrunch in an interview this week.

Synapse CEO Sankaet Pathak

“We don’t think Bank of America, … Read the rest