The FTC has announced it has settled charges with Fandango and Credit Karma for claims that the companies misrepresented the security of their mobile apps and failed to secure transmission of personal data.
On March 28, 2014, the FTC issued a press release announcing it had reached an agreement with Fandango, LLC, and Credit Karma, Inc., to settle charges that the companies:
Failed to secure the transmission of consumers' personal data from their mobile applications (apps).
Misrepresented the security of their mobile apps.
The FTC alleged that both companies disabled the SSL certificate validation process, the step that would have confirmed the apps were communicating with the genuine servers rather than an impostor. The FTC claimed that as a result both companies' apps were vulnerable to "man-in-the-middle" attacks, in which an attacker positioned on the network path could intercept information sent or received by the apps. Despite this, Fandango assured its customers that their purchases were secure, and Credit Karma told its customers that it followed "industry-leading security precautions." By overriding the SSL certificate validation process, the complaints allege:
Fandango undermined the security of purchases made through its app, exposing consumers' credit card details, including card number, security code, zip code and expiration date, as well as consumers' email addresses and passwords.
Credit Karma's apps exposed consumers' Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores and other credit report details like account names and balances.
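As an added illustration, not part of the FTC's materials or of either company's code, the following Python check is the kind of triage a code reviewer can run over app source to catch the defect described above: a custom TrustManager or HostnameVerifier that accepts any certificate. The Java snippets inside it are constructed samples, not the companies' actual code, and the regexes are a review aid, not a proof that an app validates certificates correctly.

```python
"""Source triage for overridden TLS certificate validation in Android/Java
app code: the class of defect the FTC complaints describe. Regex-based, so
it flags the common "trust everything" idioms for human review."""
import re

# (finding name, pattern). Each pattern matches an idiom that switches off
# server-certificate or hostname validation.
DISABLED_TLS_PATTERNS = [
    ("empty checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.S)),
    ("HostnameVerifier that always returns true",
     re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"[^{]*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
]


def find_disabled_tls_validation(source: str) -> list:
    """Return the names of every weak pattern present in `source`."""
    return [name for name, rx in DISABLED_TLS_PATTERNS if rx.search(source)]


# Constructed sample: a "trust any certificate" override. With this in place
# a forged certificate presented by a man-in-the-middle is accepted.
VULNERABLE_JAVA = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
} };
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAll, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample: no custom TrustManager or HostnameVerifier, so the
# platform trust store and hostname check stay in force.
HARDENED_JAVA = """
HttpsURLConnection conn = (HttpsURLConnection) new URL(apiUrl).openConnection();
conn.setRequestMethod("GET");
"""

if __name__ == "__main__":
    print("vulnerable sample:", find_disabled_tls_validation(VULNERABLE_JAVA))
    print("hardened sample:", find_disabled_tls_validation(HARDENED_JAVA))
```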
The settlements require Fandango and Credit Karma to:
Establish comprehensive security programs designed to address security risks during the development of their apps.
Undergo biannual independent security assessments for the next 20 years.
The companies are also prohibited from misrepresenting the level of privacy or security of their products and services.
A description of the consent agreement will be published in the Federal Register. Interested parties may submit public comments through April 28, 2014, at which time the FTC will decide whether to finalize the consent orders.