Two companies have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps.
The FTC alleged that, despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk. Among other things, the complaints charge that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.
As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers.
“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
To help secure sensitive transactions, mobile operating systems, including iOS and Android, provide app developers with tools to implement an industry standard known as Secure Sockets Layer, or SSL. If properly implemented, SSL secures an app’s communications and ensures that an attacker cannot intercept the sensitive personal information a consumer submits through an app.
By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.
The settlements with Fandango and Credit Karma are part of the FTC’s ongoing effort to ensure that companies secure the applications they develop and keep their privacy promises to consumers. The FTC has also created a guide to help consumers understand how to stay secure when using public WiFi connections.
The Fandango Movies app for iOS allows consumers to purchase movie tickets and view show times, trailers, and reviews. According to the FTC’s complaint, the Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely. Despite this promise, for almost four years – from March 2009 until February 2013 – the company disabled SSL certificate validation and left consumers that used its app to make mobile ticket purchases vulnerable to man-in-the-middle attacks.
The complaint alleges that Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue. In addition, the complaint charges that Fandango failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties, and as a result, missed opportunities to fix the vulnerability.
The Credit Karma Mobile app for iOS and Android allows consumers to monitor and evaluate their credit and financial status. In its complaint, the FTC alleges that Credit Karma assured consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information. Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks.
According to the FTC, Credit Karma could have easily prevented the vulnerability with basic tests, but did not perform an adequate security review of its iOS app before release. Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability. The complaint charges that Credit Karma failed to appropriately test or audit its apps’ security and failed to oversee the security practices of its application development firm.
The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.
The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 4-0. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through April 28, 2014, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments can be submitted electronically by following the instructions on the web-based form. [Submit comment on Fandango settlement | Submit comment on Credit Karma settlement] Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Related Case Files: