Credit Karma Settles Mobile App Security Charges

Credit Karma settled Federal Trade Commission charges that it misrepresented the security of its mobile app and thus failed to secure the transmission of millions of consumers’ sensitive personal information.

Fandango settled similar FTC charges at the same time, the FTC reported.

The FTC alleged that, despite security promises, both companies failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk. Among other things, the complaints charge that the companies disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.

As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers.

The settlements require Credit Karma and Fandango to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies Karma from misrepresenting the level of privacy or security of their products and services. Credit Karma is a personal finance Web site with more than 20 million members.

The Credit Karma Mobile app for iOS and Android allows consumers to monitor and evaluate their credit and financial status. In its complaint, the FTC alleges Credit Karma assured  consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information. Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks.

According to the FTC, Credit Karma could have prevented the vulnerability with basic tests but did not perform an adequate security review of its iOS app before release. Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability. The complaint charges that Credit Karma failed to appropriately test or audit its apps’ security and failed to oversee the security practices of its application development firm.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

The Fandango Movies app for iOS allows consumers to purchase movie tickets and view show times, trailers, and reviews. According to the FTC’s complaint, the Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely. Despite this promise, for almost four years – from March 2009 until February 2013 – the company disabled SSL certificate validation and left consumers that used its app to make mobile ticket purchases vulnerable to man-in-the-middle attacks.

For reprint and licensing requests for this article, click here.
Consumer banking Debt collection
MORE FROM AMERICAN BANKER