Fandango, Credit Karma settle FTC charges of poor app security

The companies were accused of failing to securely transmit sensitive data collected by their apps.

Fandango and Credit Karma have settled Federal Trade Commission (FTC) charges accusing the companies of failing to securely transmit sensitive customer data via mobile apps.

On Friday, the FTC announced that movie ticketing service Fandango and credit score management service Credit Karma were required to establish comprehensive security programs to rectify security concerns impacting consumers.

Under the settlement, both companies will also be subject to independent security audits every other year for the next two decades, a release from the FTC said. In addition, Fandango and Credit Karma are prohibited from “misrepresenting the level of privacy or security of their products or services.”

An FTC complaint (PDF) alleged that the Fandango Movies app for iOS users exposed customer credit card information and account login details to man-in-the-middle (MitM) attacks from March 2009 to February, because secure sockets layer (SSL) certificate validation was disabled in the app.
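To show what "SSL certificate validation disabled" means in an iOS client, here is an illustration added to this article (it is not code from Fandango, Credit Karma or the FTC filings): a URLSession delegate that accepts any server certificate, the pattern that exposes traffic to a MitM, beside a hardened delegate that runs the system chain check and then pins the server's leaf certificate. The class names, the placeholder fingerprint and the use of leaf-certificate pinning are assumptions made for the example.

```swift
import Foundation
import Security
import CryptoKit

// --- Weak pattern (do not ship): accepts whatever certificate the server presents.
// This is the effect described as "SSL certificate validation disabled": any party
// that terminates the TLS connection with its own certificate is accepted, so card
// numbers and logins sent by the app can be read and altered in transit.
final class AcceptAnyCertificateDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Turning the unevaluated server trust straight into a credential skips the
        // CA-signature, validity-period and hostname checks entirely.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// --- Hardened pattern: let the system evaluate the chain first, then additionally
// require the leaf certificate to match a SHA-256 fingerprint shipped with the app.
// The fingerprint set is supplied by the caller; the value used below is a placeholder.
final class PinnedCertificateDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafSHA256: Set<String>   // lowercase hex SHA-256 of the leaf DER

    init(pinnedLeafSHA256: Set<String>) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP auth): keep default behaviour.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation: chain to a trusted CA, not expired, hostname matches
        //    the policy URLSession attached to this trust object.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pinning: compare the presented leaf certificate's DER fingerprint.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if pinnedLeafSHA256.contains(fingerprint) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Valid chain but not our certificate: treat as a MitM and drop the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (placeholder fingerprint; an app embeds the hash of its own server's leaf certificate).
let pinnedSession = URLSession(
    configuration: .default,
    delegate: PinnedCertificateDelegate(pinnedLeafSHA256: ["<sha256-hex-of-server-leaf-der>"]),
    delegateQueue: nil)
```

The simplest correct choice is to implement no server-trust handling at all and let URLSession perform default validation; the hardened delegate above only adds pinning on top of that check rather than replacing it. Pinning a leaf certificate ties the app to one certificate lifetime, so a release plan needs a backup pin and a rotation procedure, and the weak pattern is worth grepping for in code review since it is small, easy to leave in after debugging against a test server, and invisible in normal use.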

Similarly, the agency claimed (PDF) that the Credit Karma Mobile app for iOS and Android users left consumers' Social Security numbers, names, dates of birth, credit score information, and other sensitive data vulnerable to theft.

“Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch,” the FTC release said. “As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability. The complaint charges that Credit Karma failed to appropriately test or audit its apps' security and failed to oversee the security practices of its application development firm.”

After a public comment period of 30 days, which ends April 28, the FTC will decide whether to make the proposed orders final. 

Back in January, tech giant Apple reached an agreement with the FTC, after the agency took it to task for alleged unfair billing practices related to mobile apps. Under the FTC settlement, Apple agreed to refund $32.5 million to consumers, after games in its App Store allowed kids to make costly purchases without parental consent.
