Fandango, Credit Karma Settle with FTC
Complaints Involved Failure to Secure Mobile Apps
Fandango and Credit Karma have reached settlements with the Federal Trade Commission on charges that they failed to secure the transmission of millions of consumers' sensitive personal information from their mobile apps.
Fandango is an online service for purchasing movie tickets and finding movie times. Credit Karma is a web-based credit and financial management service for U.S. consumers.
The FTC alleged the companies failed to take reasonable steps to secure their mobile applications, leaving consumers' sensitive personal information at risk. The agency's complaints charge that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, in which the app checks that the certificate presented by a server chains to a trusted certificate authority and matches the host the app intended to reach. That check is what ties the encrypted connection to the genuine server; without it, encryption alone proves nothing about who is on the other end.
Disabling SSL certificate validation made the companies' applications vulnerable to man-in-the-middle attacks, in which an attacker on the same network (a public Wi-Fi hotspot, for example) presents a forged certificate, the app accepts it, and the attacker can then read or alter any of the information the apps send or receive, the FTC says.
"Consumers are increasingly using mobile apps for sensitive transactions," says Edith Ramirez, FTC chairwoman. "Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps."
The FTC soon will publish a description of the consent agreements in the Federal Register, which will be open to public comment for 30 days. After that time, the FTC will decide whether to make the proposed consent agreements final.
The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.
Additionally, the settlements prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.
Fandango Case Details
The FTC alleges that Fandango, because of its security gaps, undermined the security of ticket purchases made through its iOS app, exposing consumers' credit card details, including card number, security code, ZIP code and expiration date, as well as consumers' e-mail addresses and passwords.
Fandango made assurances to its customers that its application stores and transmits their credit card information securely, the FTC says. But from March 2009 until February 2013, the company disabled SSL certificate validation and left consumers that used its app to make movie ticket purchases vulnerable to man-in-the-middle attacks, according to the FTC.
The FTC alleges Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue, such as attempting a connection through a proxy that presents an untrusted certificate, a test that can be run with freely available interception-proxy tools. Additionally, the complaint charges that Fandango lacked an adequate process for receiving vulnerability reports from security researchers and other third parties, and, as a result, missed opportunities to fix the vulnerability.
Credit Karma Allegations
Credit Karma's apps for iOS and Android disabled the default validation process, exposing consumers' Social Security numbers, names, dates of birth, home addresses, phone numbers, e-mail addresses and passwords, credit scores, and other credit report details such as account names and balances, the FTC alleges.
The FTC complaint alleges that Credit Karma assured consumers that the company followed "industry-leading security precautions" including the use of SSL to secure consumer information. Yet, the company disabled SSL certificate validation and left consumers vulnerable to attacks.
The agency alleges Credit Karma could have easily prevented the vulnerability with basic tests, but did not perform an adequate security review of its iOS app before release. Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch and, as a result, the company released its Android app with the very same vulnerability, according to the FTC.
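The misconfiguration described in both complaints (certificate validation switched off) and the pre-release check the FTC said Fandango and Credit Karma skipped are shown below in a short Go program. This is an added illustration, not code from either company's apps (which were iOS and Android) or from the FTC filings. It uses Go's standard library only: `httptest.NewTLSServer` stands in for an attacker's proxy presenting a certificate no trust store knows, `InsecureSkipVerify: true` mirrors the disabled validation, and `RejectsUntrustedCert` is the kind of test that would have caught the bug before release. The `X-Card-Number` header and the card number in it are constructed test values.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewUntrustedServer starts an HTTPS server whose certificate is self-signed
// and absent from every trust store. It plays the role of a man-in-the-middle
// proxy presenting a forged certificate (constructed fixture for this example).
func NewUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real attacker would log the card number or SSN here and forward the
		// request to the genuine server so the user notices nothing.
		io.WriteString(w, "intercepted: "+r.Header.Get("X-Card-Number"))
	}))
}

// InsecureClient reproduces the misconfiguration in the complaints: with
// InsecureSkipVerify set, any certificate is accepted, so the encrypted
// channel may terminate at an attacker rather than at the intended server.
func InsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the bug
	}}
}

// DefaultClient keeps validation on. With roots == nil Go uses the system
// trust store; a non-nil pool restricts trust to exactly those certificates
// (pinning), which is the stricter option for a first-party mobile API.
func DefaultClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
}

// PostSensitive sends a constructed card number over the given client and
// returns whatever the server echoed back, or the handshake error.
func PostSensitive(c *http.Client, url string) (string, error) {
	req, err := http.NewRequest("POST", url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Card-Number", "4111111111111111") // constructed test value
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RejectsUntrustedCert is the pre-release check both companies skipped: a
// client that is supposed to validate certificates must refuse to complete a
// handshake with a server whose certificate it cannot chain to a trusted root.
// It returns true only when the failure is specifically an unknown-authority
// verification error, not some unrelated transport problem.
func RejectsUntrustedCert(c *http.Client) bool {
	srv := NewUntrustedServer()
	defer srv.Close()
	_, err := PostSensitive(c, srv.URL)
	var unknownCA x509.UnknownAuthorityError
	return err != nil && errors.As(err, &unknownCA)
}

func main() {
	srv := NewUntrustedServer()
	defer srv.Close()

	body, err := PostSensitive(InsecureClient(), srv.URL)
	fmt.Printf("validation disabled: body=%q err=%v\n", body, err)

	_, err = PostSensitive(DefaultClient(nil), srv.URL)
	fmt.Printf("validation enabled:  err=%v\n", err)

	fmt.Println("pre-release check passes for validating client:",
		RejectsUntrustedCert(DefaultClient(nil)))
	fmt.Println("pre-release check passes for insecure client:  ",
		RejectsUntrustedCert(InsecureClient()))
}
```

The insecure client completes the handshake and the server sees the card number in the clear; the validating client fails with an "unknown authority" error before any application data is sent. A check like `RejectsUntrustedCert` belongs in the app's automated test suite for every release, which is exactly the gap the FTC pointed to when Credit Karma shipped its Android app with the same flaw after being warned about the iOS one.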