
Fandango, Credit Karma Settle With FTC Over App Security Flaws

The FTC has cracked down on Credit Karma and Fandango for putting users' personal information at risk.

By Angela Moscaritolo
Updated March 31, 2014

The mobile apps of credit report provider Credit Karma and movie ticket seller Fandango may have exposed millions of consumers' sensitive personal information, including credit card details, according to the Federal Trade Commission.

The agency said the companies failed to take "reasonable steps" to secure their mobile apps, leaving them vulnerable to so-called "man-in-the-middle" intrusions, which could have allowed an attacker to intercept any information customers submitted through the app.

This includes credit card details, Social Security numbers, names, birthdates, home addresses, phone numbers, email addresses, and passwords. In Credit Karma's case, the lapse may also have exposed credit scores and other credit report details, such as account names and balances.

Both companies have settled charges with the FTC that they failed to safeguard users' information and misrepresented the security of their apps. The settlements require Fandango and Credit Karma to establish mobile app security programs and undergo independent security assessments every other year for the next 20 years.

The agency charged that the companies had disabled SSL certificate validation, the industry-standard check that confirms the server presenting a certificate is really the one the app means to talk to (the certificate chains to a trusted authority and matches the host name). With validation switched off, the connection is still encrypted, but to whoever is sitting in the middle of it, so an attacker with a forged certificate can read and alter everything the app sends. The companies could have caught or prevented the vulnerabilities with basic security tests.
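The following is an added, self-contained illustration of that failure mode and of the "basic security test" that exposes it; it is not code from the article, the FTC complaints, Fandango, or Credit Karma. It stands up two local TLS servers, the genuine service and a man-in-the-middle presenting its own certificate for the same host name, and dials both with a client that skips validation (Go's `InsecureSkipVerify`, the equivalent of an Android trust manager or iOS delegate that accepts every certificate) and a client that validates properly. All names (`newCert`, `serve`, `dial`, `Run`, `Outcome`) are this example's own, and as a simplification the genuine service's self-signed certificate stands in for the CA an app would actually trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on setup errors (key generation, certificate issuance, listen);
// none of these are the failure mode under test.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert returns a fresh P-256 key and a self-signed, one-hour certificate
// for "localhost"; both servers below present one of these (constructed test data).
func newCert(serial int64, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// serve starts a loopback TLS listener presenting cert and completes
// handshakes; the listener's address is what the clients dial.
func serve(cert *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln
}

// dial runs a client handshake with cfg; a non-nil error means the server's
// certificate was rejected (or the server could not be reached).
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records how each client configuration fared against each server.
type Outcome struct {
	SkipVerifyTrustsForgery bool // validation off: the attacker's certificate is accepted
	StrictRejectsForgery    bool // validation on: the forgery is refused
	StrictAcceptsGenuine    bool // validation on: the real service still works
}

// Run stands up the genuine service and a man-in-the-middle presenting its own
// certificate for the same host name, then dials both with each client config.
func Run() Outcome {
	genuineCert, genuineKey := newCert(1, "genuine service")
	forgedCert, forgedKey := newCert(2, "man in the middle")
	genuine := serve(genuineCert, genuineKey)
	defer genuine.Close()
	forged := serve(forgedCert, forgedKey)
	defer forged.Close()

	// The trust anchor the app ships with; the genuine certificate stands in
	// here (a simplification) for the CA that issued the real service's certificate.
	roots := x509.NewCertPool()
	roots.AddCert(genuineCert)
	// The bug the FTC described: certificate validation switched off entirely.
	vulnerable := &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}
	// The fix: validate the presented chain against that trust anchor, on TLS 1.2 or newer.
	strict := &tls.Config{ServerName: "localhost", RootCAs: roots, MinVersion: tls.VersionTLS12}
	return Outcome{
		SkipVerifyTrustsForgery: dial(forged.Addr().String(), vulnerable) == nil,
		StrictRejectsForgery:    dial(forged.Addr().String(), strict) != nil,
		StrictAcceptsGenuine:    dial(genuine.Addr().String(), strict) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Run it with `go run` and all three fields come back true: the validation-free client happily completes a handshake with the impostor, which is exactly what a man-in-the-middle on a shared network needs, while the validating client refuses the forgery and still reaches the genuine service. The middle case is the test the article says was missing: point the app at a server whose certificate it has no reason to trust, and if the connection succeeds, validation is off.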

Fandango's app failed to validate SSL certificates for nearly four years, from March 2009 to February 2013, yet the company assured users during checkout that their credit card information was secure. During the same period, the company had no process for receiving vulnerability reports from security researchers, and consequently missed opportunities to fix the flaw.

Credit Karma, meanwhile, also promised users that its app used SSL when it did not, the FTC said. A user even warned Credit Karma about the flaw in its iOS app, yet the company did not test its Android app for the same error before launch; a month after receiving that warning, it released the Android app with the exact same vulnerability.

"Consumers are increasingly using mobile apps for sensitive transactions," FTC Chairwoman Edith Ramirez said in a statement. "Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps."

Fandango and Credit Karma fixed the flaws last year, according to the AP.
