Friday, December 26, 2014

FTC faults app security for Credit Karma, Comcast's Fandango Movies

Secure Sockets Layer disabled, data vulnerable


(Photos from iTunes)

Comcast's Fandango Movies iPhone app and the free Credit Karma iPhone app each "agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps," writes the FTC here.

"Despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk," FTC adds. The agency's complaints "charge that Fandango and Credit Karma disabled a critical default process, known as [Secure Sockets Layer] certificate validation, which would have verified that the apps’ communications were secure. As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received," which is "especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers...

By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords... Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances."

According to the FTC, the "Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely. Despite this promise, for almost four years – from March 2009 until February 2013 – the company disabled SSL certificate validation and left consumers that used its app to make mobile ticket purchases vulnerable to man-in-the-middle attacks... Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue," and, lacking a system for checking security problems, "missed opportunities to fix the vulnerability."

Separately, "Credit Karma assured consumers that the company followed 'industry-leading security precautions'... Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks," and failed to "perform an adequate security review of its iOS app before release." Even after "a user warned Credit Karma about the vulnerability in its iOS app... the company released its Android app with the very same vulnerability."
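The defect the FTC describes in both complaints is the same one: the apps turned off the default check that a server's certificate chains to a trusted authority, so a certificate minted by whoever sits between the phone and the server is accepted. The following is an added illustration, not code from the FTC, Fandango or Credit Karma; it uses Go's standard library rather than the apps' iOS and Android code, and its names (`RunChecks`, `Outcome`, `validationDisabled` and friends) are chosen here. `InsecureSkipVerify: true` stands in for "disabled SSL certificate validation", and the self-signed certificate that `httptest` generates is a constructed stand-in for an attacker's interception proxy. `RunChecks` is the kind of pre-release test the complaints say was missing: it points three client configurations at the untrusted server and records which ones connect.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records what each client configuration did when it met a server
// whose certificate is not signed by any trusted authority.
type Outcome struct {
	DisabledAccepted        bool   // buggy client (validation off) completed the request
	DefaultRejected         bool   // correctly configured client refused to connect
	DefaultUnknownAuthority bool   // ...and the refusal was a chain-verification failure
	DefaultReason           string // the error text the correct client produced
	PinnedAccepted          bool   // client trusting the genuine root completed the request
}

// newUntrustedServer starts a loopback HTTPS server with the self-signed
// certificate that httptest generates (a constructed fixture). It plays the role
// of an interception proxy presenting a certificate the app must not accept.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "intercepted")
	}))
}

// fetch performs one GET with the supplied TLS settings and returns the
// handshake or transport error, or nil if the request completed.
func fetch(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.ReadAll(resp.Body)
	return err
}

// validationDisabled is the defect the complaints describe, translated to Go:
// certificate validation switched off, so any certificate is accepted.
func validationDisabled() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// validationDefault keeps the library defaults: the chain must lead to a
// trusted root and the certificate must match the host being contacted.
func validationDefault() *tls.Config {
	return &tls.Config{}
}

// validationTrustedRoot is the right way to talk to a server whose root is not
// in the system store (a staging server, say): trust that specific root
// instead of disabling the check for every server.
func validationTrustedRoot(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool}
}

// isUnknownAuthority reports whether err is the chain-verification failure a
// correctly configured client raises for an untrusted certificate.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunChecks points each client configuration at the untrusted server and
// records what happens; a release gate would fail if DisabledAccepted is true.
func RunChecks() Outcome {
	srv := newUntrustedServer()
	defer srv.Close()

	var out Outcome
	out.DisabledAccepted = fetch(srv.URL, validationDisabled()) == nil

	err := fetch(srv.URL, validationDefault())
	out.DefaultRejected = err != nil
	if err != nil {
		out.DefaultUnknownAuthority = isUnknownAuthority(err)
		out.DefaultReason = err.Error()
	}

	out.PinnedAccepted = fetch(srv.URL, validationTrustedRoot(srv.Certificate())) == nil
	return out
}

func main() {
	out := RunChecks()
	fmt.Printf("validation disabled, untrusted cert accepted: %v\n", out.DisabledAccepted)
	fmt.Printf("default validation rejected it: %v (%s)\n", out.DefaultRejected, out.DefaultReason)
	fmt.Printf("trusting the genuine root works: %v\n", out.PinnedAccepted)
}
```

Run with `go run .`: the first line prints `true` (the buggy configuration happily talks to the impostor), the second prints `true` with an "unknown authority" error, and the third prints `true`, showing that a test or staging server with a private certificate is handled by trusting that one root, not by switching validation off for every connection the app makes.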

More coverage

Mobile apps often wide open security traps

Joseph N. DiStefano
About this blog

PhillyDeals posts raw drafts and updates of Joseph N. DiStefano's columns and stories about Philly-area finance, investment, commercial real estate, tech, hiring and public spending, which he's been writing since 1989, mostly for the Philadelphia Inquirer.

DiStefano studied economics, history and a little engineering at Penn, taught writing at St. Joe's, and has written the book Comcasted, more than a thousand columns, and thousands of articles, and raised six children with his wife, who is a saint.

Reach Joseph N. at JoeD@phillynews.com or 215 854 5194.
