FTC: Credit Karma & Fandango Apps Pose Security Threats

Fandango and Credit Karma apps have both settled with the FTC following allegations that they “deceived consumers by failing to securely transmit sensitive personal information.” Both companies knowingly disabled SSL (secure sockets layer) certificate validation. By removing this default security measure, the app makers left personal information vulnerable to anyone able to intercept the data travelling to and from the apps. These “man-in-the-middle” attacks are particularly dangerous on public wi-fi networks such as those in coffee shops. Users who have used these apps should check their credit reports for fraud.

FTC Chairwoman Edith Ramirez said, “Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.
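One way a code reviewer can catch the kind of override described above before an app ships is a scan for the usual validation-bypass idioms. This is an added example, not code from the FTC orders or from either company; the Android (Java) and iOS (Objective-C) API names it matches are common bypass patterns assumed for the example, and the sample sources are constructed.

```python
import re

# Source patterns that switch off the platform's certificate or hostname
# validation. The list is an assumption of this example, chosen to cover the
# "override the default validation process" behaviour the FTC complaints describe.
PATTERNS = {
    # Android: a TrustManager whose checkServerTrusted body is empty (or only a
    # comment) accepts any certificate chain.
    "android-empty-trustmanager": re.compile(
        r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*(//[^\n]*\s*|/\*.*?\*/\s*)*\}", re.S),
    # Android: hostname verification disabled outright or via a verify() that
    # always returns true.
    "android-allow-all-hostnames": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER"
        r"|verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
    # iOS: private NSURLRequest API that trusts any certificate for a host.
    "ios-allows-any-https-cert": re.compile(r"setAllowsAnyHTTPSCertificate\s*:"),
    # iOS: networking-library switches that accept invalid certificates.
    "ios-invalid-certs-allowed": re.compile(
        r"allowInvalidCertificates\s*=\s*YES"
        r"|kCFStreamSSLValidatesCertificateChain[^;]*kCFBooleanFalse"),
}


def scan_source(text, path="<input>"):
    """Return sorted (path, line_number, finding_id) tuples for every bypass match."""
    findings = []
    for finding_id, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            findings.append((path, line, finding_id))
    return sorted(findings)


# Constructed sample: an Android client that replaces the default validation.
INSECURE_ANDROID = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample: an iOS client that opts out of certificate checks.
INSECURE_IOS = """\
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[url host]];
manager.securityPolicy.allowInvalidCertificates = YES;
"""

# Constructed sample: a client that leaves platform validation in place.
SECURE_ANDROID = """\
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
// No custom TrustManager or HostnameVerifier: default validation stays on.
"""

if __name__ == "__main__":
    for name, src in [("A.java", INSECURE_ANDROID), ("B.m", INSECURE_IOS), ("C.java", SECURE_ANDROID)]:
        for finding in scan_source(src, name):
            print("%s:%d %s" % finding)
```

A scan like this is a review aid, not a proof of safety: a clean result means none of the listed idioms appeared, while validation can still be weakened by other means, such as shipping a custom trust store.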

The March 28 agreement requires both companies to undergo independent security assessments every two years for the next twenty years.