Cash apps need tools like Apple’s Stolen Device Protection, DA says.
Popular apps like Venmo, Zelle, and Cash App aren’t doing enough to protect consumers from fraud that occurs when unauthorized users gain access to unlocked devices, Manhattan District Attorney Alvin Bragg warned.
“Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps,” Bragg said in letters to app makers. “Without additional protections, customers’ financial and physical safety is being put at risk.”
According to Bragg, his office and the New York Police Department have been increasingly prosecuting crimes where phones are commandeered by bad actors to quickly steal large amounts of money through financial apps.
This can happen to unwitting victims when fraudsters ask “to use an individual’s smartphone for personal use” or to transfer funds to initiate a donation for a specific cause. Or “in the most disturbing cases,” Bragg said, “offenders have violently assaulted or drugged victims, and either compelled them to provide a password for a device or used biometric ID to open the victim’s phone before transferring money once the individual is incapacitated.”
But prosecuting crimes alone won’t solve this problem, Bragg suggested. Prevention is necessary. That’s why the DA is requesting meetings with executives managing widely used financial apps to discuss “commonsense” security measures that Bragg said can be taken to “combat this growing concern.”
Bragg appears particularly interested in Apple’s recently developed “Stolen Device Protection,” which he said is “making it harder for perpetrators to use a phone’s passcode to steal funds when the user’s phone is not at home or at work.”
Apple just rolled out “Stolen Device Protection” for iOS 17.3. On its website, Apple explained that when “Stolen Device Protection” is enabled, “some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work.”
For users taking advantage of this enhanced security layer, biometric or FaceID would be required to access devices, with no option to bypass with a passcode. This alone could help deter crimes that Bragg described, potentially stopping thieves from rifling through someone’s passwords to get instant access to a cash app. “Stolen Device Protection” also sets up a security delay that could stop thieves from immediately changing the account password and locking an owner out of their device. To change a password in this more secure mode, thieves would need to wait one hour—perhaps giving time for the owner to report that the phone is stolen or missing—and then must provide a biometric or FaceID.Advertisement
Bragg wants financial apps like Zelle or Venmo to follow Apple’s lead and build similar safeguards. He suggested that Apple’s release makes it clear that the technology exists where apps could detect when a user is attempting to send a large transaction from an unknown location and perhaps block or delay sending that transaction for up to a day without secondary verification. This could afford victims more time to discover and cancel fraudulent transfers before they go through, instead of after the theft, when it’s usually harder to claw back funds.
This problem goes well beyond Manhattan, Bragg wrote, pointing to “similar thefts and robberies” that have been “publicly reported” in major cities like Los Angeles and Orlando, as well as in West Virginia, Louisiana, Illinois, Kansas, Tennessee, Virginia, and “elsewhere across the United States.”
Overall, the DA traced a pattern showing that the more people were using financial apps, the more fraud claims spiked, “tripling between 2020 and 2022” and “costing consumers hundreds of millions of dollars each year.”
“While cash apps, like Cash App, offer consumers an easy and fast method to transfer funds, they also have made these platforms a favorite of fraudsters because consumers have no option to cancel transactions, even moments after authorizing them,” Bragg wrote to Cash App CEO Brian Grassadonia. “I am concerned about the troubling rise in illegal behavior that has developed because of insufficient security measures connected with your software and business policy decisions.”
While building tech like Apple’s “Stolen Device Protection” seems to be the most extreme step that Bragg recommended, he also pushed “commonsense solutions” that he claimed that financial apps currently overlook. These include steps like requiring multifactor authentication to help keep thieves locked out and lowering limits on daily transfers to make the scam less appealing to thieves looking for a big payday.
No apps said they’d meet with Bragg
None of the apps confirmed whether they had any plans to meet with Bragg to discuss any additional security measures. Each provided statements touting current safety measures as effective.
Cash App’s spokesperson linked Ars to a security page, which confirmed that Cash App flags suspicious activity like users sending money internationally or logging in to new devices. To proceed with suspicious transactions, users are asked to confirm details that Cash App says only they would know. The app also takes steps like asking users to confirm payments before sending money to someone not listed in their contacts and notifying users when the PIN or security settings are changed.
“Cash App continues to be committed to building trust with our customers and investing in areas that help build a safe and secure platform,” Cash App’s spokesperson said. “We work proactively and diligently to safeguard our customers’ money and mitigate against the risk of fraud on our platform through a combination of preventative controls like multi-factor authentication, account transaction limits, fraud detection, and consumer education. We also partner with law enforcement agencies to detect and combat criminal activity.”
PayPal’s spokesperson told Ars that “PayPal and Venmo take the safety and security of our customers and their information very seriously. In addition to proactively leveraging sophisticated fraud detection tools, manual investigations, and partnering closely with law enforcement agencies to protect our customers against common scams, we have several options in place to enable enhanced layers of security and protection directly within our apps.”Advertisement
The company offers multifactor authentication and biometric options for logging in. PayPal also recommends that PayPal and Venmo users report lost or stolen devices immediately and enable enhanced security measures on any device used to access sensitive financial information.
A spokesperson for Early Warning Services, the fintech company that owns Zelle, told Ars that all financial institutions in Zelle’s network “are required to reimburse consumers for confirmed fraud claims.” But as recently as 2022, lawmakers accused Zelle of allowing fraud to rise while often denying refunds to victims who frequently were tricked into sending transactions. In response, Zelle recently agreed to start refunding scam victims induced into initiating fraudulent transactions. And after safety measures were added in August, Zelle institutions can now limit the size of transactions if higher-risk situations are identified through a mandatory free service called Risk Insights for Zelle.
“As a result of our continued efforts to build on Zelle’s strong foundation of security, less than one-tenth of one percent of transactions are reported as fraud or scams, and that percentage keeps getting smaller,” Zelle’s spokesperson said.
Zelle is “aware of isolated criminal incidents” that Bragg described in his letter and encouraged victims to “contact the local authorities and their bank and credit union” to “begin the claims process,” Zelle’s spokesperson said.
