March 28 — Movie ticket company Fandango LLC and consumer credit information company Credit Karma Inc. have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile applications and failed to protect the transmission of the sensitive personal information of millions of consumers, the FTC announced March 28.
The FTC alleged that the two companies disabled an important default process called Secure Sockets Layer (SSL) certificate validation, which would have ensured that all app communications were secure, the FTC said in a statement.
“As a result, the companies' applications were vulnerable to ‘man-in-the-middle’ attacks, which would allow an attacker to intercept any of the information the apps sent or received,” the FTC said.
“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” FTC Chairwoman Edith Ramirez said in the FTC's statement. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
Fandango failed to test its movie app for Apple Inc.'s iOS operating system to ensure that the app was validating SSL certificates and securing consumers' information, leaving their information vulnerable for almost four years, the FTC alleged in a draft administrative complaint. The company also didn't have “a clearly publicized and effective channel for receiving security vulnerability reports,” according to the complaint.
Similarly, Credit Karma failed to perform an adequate security review or test its iOS and Android apps prior to their launch, the FTC said in a draft administrative complaint. In addition, as a result of the company's failure to properly oversee the security practices of its service providers, the iOS app was storing authentication tokens and passcodes insecurely, the FTC claimed.
Overriding the default SSL certificate validation process exposed consumers' personal information, such as their credit card details, e-mail addresses and passwords, Social Security numbers, names, dates of birth, home addresses, phone numbers, credit scores and other credit report details, the FTC said in the complaints.
Both companies have corrected the security vulnerabilities, the FTC said.
Both Fandango and Credit Karma had made representations that they would secure consumers' information, the commission alleged.
The FTC alleged that the two companies' practices were unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45. The commission's use of the unfairness prong in data security enforcement actions is being challenged in federal court.
Under the proposed consent orders, Fandango and Credit Karma have agreed to:
The FTC is accepting comments on the proposed agreements through April 28. The FTC released analyses of the Fandango and Credit Karma consent orders to aid public comment.
DLA Piper LLP represented Fandango. Morrison & Foerster LLP represented Credit Karma. FTC counsel represented the commission.
The proposed Fandango consent order is available at http://www.ftc.gov/system/files/documents/cases/140328fandangoorder.pdf.
The proposed Credit Karma consent order is available at http://www.ftc.gov/system/files/documents/cases/140328creditkarmaorder.pdf.
Additional information on the cases is available at http://www.ftc.gov/enforcement/cases-proceedings/132-3089/fandango-llc and http://www.ftc.gov/enforcement/cases-proceedings/132-3091/credit-karma-inc.