Fandango, Credit Karma settle FTC charges of poor app security
Fandango and Credit Karma have settled Federal Trade Commission (FTC) charges accusing the companies of failing to securely transmit sensitive customer data via mobile apps.
On Friday, the FTC announced that movie ticketing service Fandango and credit score management service Credit Karma were required to establish comprehensive security programs to rectify security concerns impacting consumers.
Under the settlement, both companies will also be subject to independent security audits every other year for the next two decades, a release from the FTC said. In addition, Fandango and Credit Karma are prohibited from “misrepresenting the level of privacy or security of their products or services.”
An FTC complaint (PDF) alleged that the Fandango Movies app for iOS users exposed customer credit card information and account login details to man-in-the-middle (MitM) attacks from March 2009 to February, as secure sockets layer (SSL) certificate validation was disabled in the app.
Similarly, the agency claimed (PDF) that the Credit Karma Mobile app for iOS and Android users left consumers' Social Security numbers, names, dates of birth, credit score information, and other sensitive data, vulnerable to theft.
“Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch,” the FTC release said. “As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability. The complaint charges that Credit Karma failed to appropriately test or audit its apps' security and failed to oversee the security practices of its application development firm.”
After a public comment period of 30 days, which ends April 28, the FTC will decide whether to make the proposed orders final.
Back in January, tech giant Apple reached an agreement with the FTC, after the agency took it to task for alleged unfair billing practices related to mobile apps. Under the FTC settlement, Apple agreed to refund $32.5 million to consumers, after games in its App Store allowed kids to make costly purchases without parental consent.