Fandango, Credit Karma Settlements OK'd
FTC Charged Companies with Failing to Secure Customer Info
The Federal Trade Commission has granted final approval of settlements with Fandango and Credit Karma on charges that they failed to secure the transmission of millions of consumers' sensitive personal information from their mobile apps.
The settlements, which were proposed in March, require the two companies to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years (see: Fandango, Credit Karma Settle with FTC).
Fandango is an online service for purchasing movie tickets and finding movie times. Credit Karma is a Web-based credit and financial management service for U.S. consumers.
The FTC alleged the companies failed to take reasonable steps to secure their mobile applications, leaving consumers' sensitive personal information at risk. According to the agency's complaints, Fandango and Credit Karma disabled a critical default process, SSL certificate validation, by which an app checks that the certificate a server presents is valid and actually belongs to the service the app intends to reach. Without that check, the app will set up an encrypted connection with whoever answers.
Disabling SSL certificate validation left the applications vulnerable to man-in-the-middle attacks, the FTC says: an attacker positioned between the app and the service, for example on a shared Wi-Fi network, could present a forged certificate, be accepted by the app, and then read or alter any of the information the apps sent or received.
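As an added illustration (not from the FTC's complaints or either company's code), the following Go program models the failure mode described above. An HTTPS listener whose certificate chains to no trusted root stands in for the interceptor. The same request is then sent three times: by a client that has switched certificate validation off (the mistake at issue), by a client with the default validation left in place, and by a client that trusts only one specific root, which is the correct way to work with a private or self-signed certificate in a test build rather than disabling validation. Go's standard library is used because it can stand up such a server with no external tooling; on Android the equivalent mistake is a custom X509TrustManager whose checkServerTrusted accepts everything. The payload and function names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed payload standing in for the kind of data a ticketing or
// credit app would post to its backend.
const samplePayload = "card=4111111111111111&cvv=123"

// newInterceptingServer plays the man in the middle: an HTTPS listener
// whose certificate is self-signed (httptest's built-in test cert), which is
// exactly how an attacker's forged certificate looks to a validating client.
func newInterceptingServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		// At this point the interceptor holds the plaintext request.
		fmt.Fprintf(w, "intercepted %d bytes", len(body))
	}))
}

// send posts samplePayload through client and reports whether the TLS
// handshake succeeded, i.e. whether the data reached the other end.
func send(client *http.Client, url string) (delivered bool, err error) {
	resp, err := client.Post(url, "application/x-www-form-urlencoded", strings.NewReader(samplePayload))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	_, err = io.ReadAll(resp.Body)
	return err == nil, err
}

// insecureClient reproduces the mistake described in the complaints:
// certificate validation is disabled, so any certificate is accepted.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // never ship this
	}}
}

// defaultClient leaves the stock chain and hostname validation in place.
func defaultClient() *http.Client { return &http.Client{} }

// privateRootClient shows the right way to talk to a server with a
// self-signed or private-CA certificate: trust that one root explicitly
// while keeping validation switched on.
func privateRootClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// isUnknownAuthority reports whether err is the chain-validation failure
// that a forged certificate should produce.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	mitm := newInterceptingServer()
	defer mitm.Close()

	if ok, err := send(insecureClient(), mitm.URL); ok {
		fmt.Println("validation disabled: payload delivered to the interceptor")
	} else {
		fmt.Println("unexpected:", err)
	}
	if _, err := send(defaultClient(), mitm.URL); err != nil {
		fmt.Println("validation on: handshake refused; unknown authority =", isUnknownAuthority(err))
	}
	if ok, _ := send(privateRootClient(mitm.Certificate()), mitm.URL); ok {
		fmt.Println("explicit root: accepted only because this exact certificate was trusted")
	}
}
```

The insecure client completes the handshake and hands the payload to the interceptor; the default client aborts before any application data is sent. The third variant is the fix developers usually want when they are tempted to disable validation for a staging or self-signed endpoint.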
"Consumers are increasingly using mobile apps for sensitive transactions," says Edith Ramirez, FTC chairwoman. "Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps."