> Finally on Jan. 22, from Eran Kimchi, Venmo’s head of fraud, whom Movassaghi emailed directly in a final attempt to recover his money and alert the company to what he saw as a dangerous and pervasive scam: “Venmo has a complete understanding of the scam plot you fell victim to … there is nothing Venmo can do to comfort you. … You made an innocent mistake, and you paid for it.”
That's certainly one way of dealing with your customers. Remind me not to touch Venmo again in the future.
If I understood correctly, the whole damn scam is only possible because this Venmo's terms of service prohibit something called "merchant transactions" and allow for reversing or cancelling transfers if they deem or someone reports a payment to fall in "merchant" category?
If so, then the problem is only a completely artificial one and made of mere policy decisions. Venmo could just act as a blind intermediary, no questions asked, completing any transactions once both parties have verified their intention to transfer money.
That's generally how banks work for at least any reasonable sums of money: I can send or receive thousands of euros to whoever and from whoever without worrying that the transfers might be cancelled by some vague policy. With tens of thousands, I'd have to ask my bank to lift the daily transfer cap beforehand, but still no questions asked. I assume that it goes in a relatively similar way in the USA.
Thus, any mobile money transfer service ought to be at least as trustworthy as that. There needs to be a point where the transaction is either complete or discarded, after which both parties can trust it. The service also shouldn't discriminate, it shouldn't matter if it's a private transfer or a merchant transfer. If they want the money they could sell transaction history imports for bookkeeping at a higher price to merchants or something.
Venmo could still do their instant transfer magic and add value there, but them considering whether a transfer is ok or not is akin to an internet service provider who would want to consider which web pages I can view before letting me download them.
Banks don't work the way you think, at least in the US. ACH transfers are slow (take a few days to complete), and often expensive. Up until 5 days later, they can be reversed even after both banks agree that they've happend if the sender decides that the payment was "erroneous."
The government can and does impose "some vague policy" on what you can and can't do with your money. If they decide that you have been "structuring" your payments to avoid triggering various reports being generated, that is considered a crime. So making several payments of 9,000 might be illegal even if you've done nothing wrong (you should have done 11,000 so that all the reports could be generated, didn't you know?)
Oh and by the way people can just take money from your account via ACH transfer if they have the correct numbers. You won't get any kind of confirmation, the bank just assumes that nobody would be unwise enough to make an ACH transfer without the consent of the other party. The US generally believes in insecure infrastructure and the 500-pound surveillance and police gorilla to keep everyone in line. It works surprisingly well, to be honest.
Oh and by the way people can just take money from your account via ACH transfer if they have the correct numbers.
Is the ACH an internal network between banks or something that regular people could use, either directly online or by dropping wiring orders to some box in the bank? If the latter, it sounds so crazy I almost don't believe it. Where is ACH used and who actually uses it if it implies that your money could be just taken away by someone who knows your account number (and hopefully some other information that you wouldn't normally share anywhere) ?
The latency could be what it is but to clarify the core of my assumption is that:
1) sending money to anyone or receiving money from anyone happens mechanically (nobody will step in and say sending $200 to your friend will be cancelled because it looks like a merchant transfer); and
2) when banks do clear the transfer it is cleared for real, and if you see the money on your account it's yours for real by that time.
This would be in opposition to what Venmo does, i.e. lies to you that you've received the money and you haven't. Or can it happen in US accounts that you see a fresh deposit on your account but the next day it won't be there anymore?
What I find interesting is that I don't know anyone here in Australia that uses these payment platforms. I wonder if that's because bank-to-bank transfers are so quick and easy these days? Most of the big banks even have ways of sending _cash_ to other people, to withdraw from any of that bank's ATMs with a code and no card.
Anyway, the issue Venmo has here is similar to what banks also have to deal with: in theory you can reverse a transaction before it's cleared when sending money between accounts. That said, it's quite a bit more difficult I'd assume, and perhaps a lot of people who would otherwise be happy with scamming those out of money on third-party systems would think twice about doing so when a bank is involved. Interesting stuff, and it seems most startups who try and break into these sorts of markets have to learn all the hard lessons the big companies did years ago, which sucks for consumers. On the other hand, the incumbents are usually so slow moving and painful, I applaud those who attempt it.
Same here in Austria. Bank transfers are free and instantaneous between customers of the same bank, and take one business day to other banks. And they are irreversible.
You use the IBAN (International Bank Account Number), which is a 20 digit number that you find on your bank card (it's similar to a credit card number).
Sure, you can't just transfer money to someone's facebook account, but I guess that the inconvenience of having to ask people for their bank account number before you can send them money isn't really that big of a deal.
Especially considering that we are used to paying everything by bank transfer. Things like rent, utilities, parking tickets... any time you get a bill, there's a bank account number on it that you need to transfer the money to. And you just pay it online using the bank's website.
(For paying recurring bills, you can also grant a company permission for "direct debit" for your account, so you don't need to do anything. It sounds risky, but I've never had any fraudulent charges on my account)
>In summer 2012, Venmo was acquired by online payments platform Braintree, which was in turn bought out by PayPal in the fall of 2013.
Ah, that explains it. PayPal is a company that has no problems with stealing money from its own customers, so it's no surprise that they're perfectly happy being complicit in fraud.
Silicon Valley egos at their finest: "Use our product so we can make billions of dollars, but fuck you otherwise." I use venmo with friends because of their network effect and it's convenient, but it sounds like internally they're a pretty shitty company to deal with.
I'm curious if the folk who got scammed w/the e-ticket sales could have waited until the funds are literally in their bank account before they emailed them the tickets. Surely, it is a helluva lot easier to reverse some Venmo balance than it is for Venmo to pull money out of your bank account, so that they can refund a scammer.
I've never touched Venmo and now after this, never will touch Venmo and will make sure everyone who suggests it, read this prior to using it.
No, not really. The scammer can use a stolen Amex card to send payments. When the card is reported stolen and charges reversed, that goes all the way back to the user's bank account.
Would be silly of Venmo to do otherwise, as that would be an easy way for them to go out of business.
But why would the bank reverse the transaction? From venmo viewpoint it is quite clear why they would want to reverse it, because they have changed the credit to actual funds. However the bank probably would want to protect their customer, and instead let venmo to take the hit.
I would assume that Venmo would try to pull the funds back from the bank account in that case. I know that happens with paypal. I have my paypal account linked to a subaccount with my bank that is only used for paypal to address that.
Doesn't surprise me that they are owned by Paypal; I know many who have been scammed on Paypal and they have the same kind of nice and friendly policy; 'we don't care, kthnxbye'. I understand they cannot be in business if they wouldn't work like that, however why do they need to be bastards about it? Even if they cannot do anything to help you, they could be sorry for you or at least show some kind of humanity.
Also they don't really seem to work on fraud cases, at least not as far as I can discover; a friend who ran a website selling digital goods (but unique goods so he actually had to buy each himself so fraud was costing him money, not only making him less revenue like it could be if it was software or an ebook) was scammed by the same user a number of times and sure, Paypal cannot give my friend his money but it was very clear this user was a scammer, especially after doing it to one company a number of times and probably to more companies as well...
This seems the same case; if they see this scam happening, why do they still refund? They know it's a scam; that weird remark from Eran Kimchi even says so. So why not screw the scammer instead? The seller always ends up screwed with Paypal. No difference here.
Transactions in the US banking system aren't instant, so they fake the transactions and pretend like you actually received them. Then when the actual transaction fails, oops you're out of luck.
That's a problem with PayPal in general. I got scammed once because someone paid for something of mine with a stolen account, and the money was removed from my account almost two months after the transaction. I was rather alarmed, because it was long past the date after which I could deposit the money into my bank account, so I assumed by then that it was "safe".
Wow, I use Venmo all the time, never even thought the TOS would have something like this in it. Now I only use it among friends I know well. And any craigslist type transaction I've always done strictly with cash only. But this is definitely good to know though. Venmo needs to make this clear and make the reversal process much more involved, it seems it'd be really easy to pull this scam off.
Well if you claim that something is a) instant and b) has already happened when it hasn't - you are knowingly deceiving your customers to make it look like you provide a service you really do not.
Huh. So what happens (is supposed to happen) to merchants in the event of a chargeback?
* Paypal purportedly credits sellers if the seller proves they shipped / sold something [1]
* Square does not necessarily credit sellers and may pull funds from a bank account [1]. (May have changed since the article?)
* Visa protects merchants from fraud-related chargebacks if the online sale is "verified by Visa"[2]; if not, the merchant may have to suffer the loss. In particular, if the card was physically present, the merchant seems to lose if they screw up any of the little details in the charging process.
* Amazon protects merchants if the transaction occurred according to their policy and the merchant can prove they shipped goods or delivered a service [3]. I imagine if you embed Amazon Payments into your site as it's intended and sell legal stuff, you're fully covered against fraudulent buyers.
So it looks like Venmo (and likely Snapcash) are unique in offering such little fraud protection. Probably due to how their User Agreement works (i.e. they're not meant for merchant selling at all). Also why they can offer no-charge transfer services.
What's probably happened here is that these new services lack regulation and thus have no requirement or incentive to inform users about the consequences of chargebacks. I hate to say we need more regulation, but for Eran Kimchi (Venmo head of fraud) to say "You made an innocent mistake, and you paid for it" is not an acceptable outcome; Venmo is definitely guilty of negligence here.
While I do sympathize with the victims, Venmo protects sending money and so I'm totally okay with their policies. The people involved in transactions should be mutually trusted parties. Craigslist is a place where scams happen all the time. This activity is possible on many platforms, not just Venmo.
They do however need to work on customer support and transparency, but that's if what's being reported is even completely accurate. My entire network of family, friends, and colleagues all use Venmo and none of us have had any issues.
Once you understand that, you can see why Venmo doesn’t want users to make merchant transactions, by which it really means payments outside their networks of close acquaintances. (“Merchant transactions,” Vaughan tells me, “is sort of the catchall for the things that we can’t predefine.”) The analogous real world example is that you wouldn't leave a pair of tickets in a mailbox just because someone sent you a note promising to drop off an envelope of cash at a later date.
Isn't that why you're using a PAYMENTS platform, and not a PROMISE NOTE platform? When you receive or send a payment on a PAYMENTS platform, that's not, and shouldn't be, equivalent to a note promising cash. It should be the cash.
Since it's not, is it not fraudulent to say that it is and pass it off as that?
I'm seeing a lot of Venmo bashing here, but I think it's a great service and these people just used it wrong. Even with a 'merchant transaction', all you had to do was click 'Withdraw' so that the money was on the way to your bank account before sending the buyer whatever they got. I thought it was already pretty clear that a Venmo balance isn't real money yet, it's just Venmo showing you your potential balance if you want to withdraw.
I can see how they should make it more clear, but the people who got scammed were also not very well informed.
I'd wager that much of their workforce is engineering and integration support, in addition to the redundancy they purchased by buying companies like BrainTree.
Additionally, PayPal owns a massive amount of legacy code and APIs. There are plenty of con talks where PayPal describes how they were mired down in bureaucracy when updating a single line of code in Java (JSP) but managed to flip that overhead on its head by running a NodeJS stack on top of the JSP stack (and in some places replacing it).
I imagine for some its the impression that the transaction is instant, despite being a veneer over the same system that a regular bank transaction would use. I imagine that veneer is almost entirely their value prop to customers.
Making a bank transfer isn't 'simple', at least relative to Venmo. This is a way of paying someone just like Paypal. Except, the UI is better and you can hook up to Facebook. Because 'everyone' has it (at least w/ my group of friends) it is very easy to pay each other for group events. I still intend on using it despite the scam situations that people find themselves in.
Well I need to set up a new account on that thing and give it my bank details. Then my counterparties have to provide me with their ID on that app which is pretty much the same as providing a bank account number. So I don't get the convenience aspect.
I see the value of paypal, which is to create a screen between me and a dodgy website which I am buying from. That website can't get my credit card number and therefore take further payments. But when I am making a payment to someone why should I need an app to protect me against fraud? So I don't get the security aspect either.
Here's my user flow.
I sign up and connect w/ Facebook. I connect my bank account.
Separately, my friend who I rarely see does the same thing w/ his Facebook account and bank account.
A few months later we meet, I pay the full check and he Venmo's me 20$ for the meal w/ a few taps on his phone. He doesn't need to ask me anything. Because we're already Facebook friends, he has access to send me money.
I have Bank of America. For the same transaction to happen I would need my friend to sign into his bank account on a mobile phone, initiate a wire transfer from his checking account to my checking account, which requires me to provide him my checking account number and zipcode and full name.
And that's just a 1 on 1 transaction.
The most common use case is if I'm eating in a group of say... 6 people. Instead of splitting the bill 6 ways which many restaurants won't allow one person will front the bill. The rest of the group just "Venmo's" the person who fronted the bill whatever they owe. No exchange of account numbers, no asking for Paypal email address, none of that. The assumption is that everyone has Venmo and everyone's connected on Facebook. As long as those 2 facts are true (which is common for American millennials) the convenience is bar none.
I swear sometimes we need to step back and think about things from a general consumer perspective and not one of the analytical early adopter.
Most people wouldn't remember a number like a checking account number nor do they carry checks around with them. Venmo is simple and easy for them to send money to friends without having to log into a bank's shoddily designed website and figuring out how to transfer funds which is probably non-obvious in the first place.
Typing in your friends name (or asking them for their username if it's non-obvious) is significantly easier than exchanging bank account details. Especially when you're dealing with groups of people.
PayPal discovered early on that they're not really in the payments business, they're in the security business. Handling problems costs PayPal more than doing the money transfers. Although PayPal owns Venmo, that expertise doesn't seem to have been transferred.
If I owe someone 20 bucks for dinner or something I don't mind using Venmo, but who in their right mind would exchange thousands of dollars with strangers over an app without considering the risks or consulting with their bank?
We shortened it because of the linkbait "you", or rather the even-more-linkbait "you don't". Take that out and you get "Venmo Scammers Know Something", which is redundant. Take out the redundancy and you get "Venmo Scammers".
Suggestions for a better title are welcome, as always, but don't forget that HN's rule is to use the original title unless it is misleading or linkbait.(https://news.ycombinator.com/newsguidelines.html)
Their original title was "It's Shockingly Easy to Get Scammed on Venmo" (it still pops up on google like that) but it seems they've decided 'shockingly' alone is not baity enough. But it's a decent title without it. The article is not so much about Venmo scammers but about how easy it is to get scammed on Venmo and how Venmo isn't going to help you.
I didnt have the patience to read to the end but it seemed poorly written. How does the scam work exactly? Is it a technical loophole or something to do with the quoted policy?
1 - anything other than 'money to friends', and Venom says "that's a business/commercial transaction" and reserves the right to cancel/freeze/reverse or otherwise not support it.
2 - as it happens, sure enough, beyond that, the transaction was reversed when the other sides bank NSF'ed the transfers.
Neither, really. You're technically not allowed to do business on Venmo. The intended use case is to send money to people you trust. If someone sends money they can always get that money back by claiming the recipient violated terms or something.
The main use cases are for people who are Facebook friends. I really can't fault Venmo too much here because they only deal w/ money. To me, they technically did their job. They protected the people that send the money, not the people who receive.
If you use this platform for potentially sketchy transactions, I'd say it's on the user to protect themselves. When I sell anything on Craigslist, it's always cash only. Even then, there are no guarantees.
That's certainly one way of dealing with your customers. Remind me not to touch Venmo again in the future.