March 28 — Movie ticket company Fandango LLC and consumer credit information company Credit Karma Inc. have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile applications and failed to protect the transmission of the sensitive personal information of millions of consumers, the FTC announced March 28.
The FTC alleged that the two companies disabled an important default process called Secure Sockets Layer (SSL) certificate validation, which would have ensured that all app communications were secure, the FTC said in a statement.
“As a result, the companies' applications were vulnerable to ‘man-in-the-middle’ attacks, which would allow an attacker to intercept any of the information the apps sent or received,” the FTC said.
“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” FTC Chairwoman Edith Ramirez said in the FTC's statement. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
Fandango failed to test its movie app for Apple Inc.'s iOS operating system to ensure that the app was validating SSL certificates and securing consumers' information, leaving their information vulnerable for almost four years, the FTC alleged in a draft administrative complaint. The company also didn't have “a clearly publicized and effective channel for receiving security vulnerability reports,” according to the complaint.
Similarly, Credit Karma failed to perform an adequate security review or test its iOS and Android apps prior to their launch, the FTC said in a draft administrative complaint. In addition, as a result of the company's failure to properly oversee the security practices of its service providers, the iOS app was storing authentication tokens and passcodes insecurely, the FTC claimed.
Overriding the default SSL certificate validation process exposed consumers' personal information, such as their credit card details, e-mail addresses and passwords, Social Security numbers, names, dates of birth, home addresses, phone numbers, credit scores and other credit report details, the FTC said in the complaints.
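The misconfiguration the complaints describe, shown as an added example that is not from the FTC filings or either company's code: a client TLS context with certificate validation switched off beside the secure default, plus the kind of pre-release check the complaints say was missing. Function names and the finding strings are this example's own; it uses only Python's standard `ssl` module.

```python
import ssl
from typing import List


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern in the complaints: validation overridden so the
    client accepts any certificate, including one presented by a
    man-in-the-middle. check_hostname must be cleared before verify_mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The default behaviour the apps should have kept: the chain is checked
    against the platform trust store and the hostname must match."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Pre-release check: return every way this context fails to validate
    the server. An empty list means certificate validation is intact."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not verified (check_hostname is False)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_client_context(ctx) or ["ok"])
```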
Both companies have corrected the security vulnerabilities, the FTC said.
Both Fandango and Credit Karma had made representations that they would secure consumers' information, the commission alleged.
The FTC alleged that the two companies' practices were unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45. The commission's use of the unfairness prong in data security enforcement actions is being challenged in federal court.
Under the proposed consent orders, Fandango and Credit Karma have agreed to:
DLA Piper LLP represented Fandango. Morrison & Foerster LLP represented Credit Karma. FTC counsel represented the commission.
The proposed Fandango consent order is available at http://www.ftc.gov/system/files/documents/cases/140328fandangoorder.pdf.
The proposed Credit Karma consent order is available at http://www.ftc.gov/system/files/documents/cases/140328creditkarmaorder.pdf.
Additional information on the cases is available at http://www.ftc.gov/enforcement/cases-proceedings/132-3089/fandango-llc and http://www.ftc.gov/enforcement/cases-proceedings/132-3091/credit-karma-inc.