FTC faults app security for Credit Karma, Comcast's Fandango Movies

Comcast's Fandango Movies iPhone app and the free Credit Karma iPhone app each "agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps," writes the FTC here.

"Despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk," FTC adds. The agency's complaints "charge that Fandango and Credit Karma disabled a critical default process, known as [Secure Sockets Layer] certificate validation, which would have verified that the apps’ communications were secure.  As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received," which is "especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers...

By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords... Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances."

According to the FTC, the "Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely. Despite this promise, for almost four years – from March 2009 until February 2013 – the company disabled SSL certificate validation and left consumers that used its app to make mobile ticket purchases vulnerable to man-in-the-middle attacks... Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue," and, lacking a system for checking security problems, "missed opportunities to fix the vulnerability."

Separately, "Credit Karma assured consumers that the company followed 'industry-leading security precautions'... Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks," and failed to "perform an adequate security review of its iOS app before release." Even after "a user warned Credit Karma about the vulnerability in its iOS app... the company released its Android app with the very same vulnerability."