Monday, February 8, 2016

FTC faults app security for Credit Karma, Comcast's Fandango Movies

Secure Sockets Layer disabled, data vulnerable


Comcast's Fandango Movies iPhone app and the free Credit Karma iPhone app each "agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps," writes the FTC here.

"Despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk," FTC adds. The agency's complaints "charge that Fandango and Credit Karma disabled a critical default process, known as [Secure Sockets Layer] certificate validation, which would have verified that the apps’ communications were secure. As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received," which is "especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers...

By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords... Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances."

According to the FTC, the "Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely. Despite this promise, for almost four years – from March 2009 until February 2013 – the company disabled SSL certificate validation and left consumers that used its app to make mobile ticket purchases vulnerable to man-in-the-middle attacks... Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue," and, lacking a system for checking security problems, "missed opportunities to fix the vulnerability."

Separately, "Credit Karma assured consumers that the company followed 'industry-leading security precautions'... Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks," and failed to "perform an adequate security review of its iOS app before release." Even after "a user warned Credit Karma about the vulnerability in its iOS app... the company released its Android app with the very same vulnerability."
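The "basic security check" the FTC says would have caught this, written here as an added example rather than code from the FTC or either company: a Python test that stands up a local TLS server with a throwaway self-signed certificate and confirms that a client using default certificate validation refuses it, while a client with validation disabled (the configuration the complaints describe) connects anyway. It assumes the openssl command-line tool is installed to generate the fixture.

```python
import contextlib, os, socket, ssl, subprocess, tempfile, threading

def make_self_signed_cert(directory):
    """Generate a throwaway, untrusted cert/key pair (test fixture; assumes the openssl CLI)."""
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def start_server(cert, key, connections):  # serve N TLS clients on loopback in the background
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(connections)

    def loop():
        for _ in range(connections):
            conn, _ = listener.accept()
            with contextlib.suppress(OSError):  # a validating client aborts the handshake here
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
        listener.close()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def connect(port, validate):
    """Return True if the client finished the handshake and read the server's greeting."""
    if validate:
        ctx = ssl.create_default_context()  # chain and hostname checks on: the default the apps overrode
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # the mistake in the complaints: no hostname check ...
        ctx.verify_mode = ssl.CERT_NONE  # ... and any certificate, including a forged one, accepted
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.recv(5) == b"hello"
    except ssl.SSLCertVerificationError:
        return False

def run_check():  # exercise both client configurations against the untrusted local server
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed_cert(workdir)
        port = start_server(cert, key, connections=2)
        return {"default_validation_connected": connect(port, validate=True),
                "validation_disabled_connected": connect(port, validate=False)}
```

Pointed at an app's real networking layer instead of `connect`, a test of this shape fails the build the moment someone overrides certificate validation.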

About this blog

PhillyDeals posts interviews, drafts and updates that Joseph N. DiStefano writes alongside his Sunday and Monday columns and ongoing articles about Philadelphia-area business.

DiStefano studied economics, history and a little engineering at Penn. He taught writing and research at St. Joe’s. He has written for the Inquirer since 1989, except when he left a few times to work at Bloomberg and elsewhere. He wrote the book Comcasted, and raised six kids with his wife, who is a saint.
