Credit Karma must establish security programs to address risks during the development of applications and must undergo independent security assessments every other year for the next 20 years under a settlement of Federal Trade Commission charges approved Tuesday.
The settlement bans Credit Karma from misrepresenting the level of privacy or security of its products and services. The company was accused of failing to secure the transmission of millions of consumers' sensitive personal information. Credit Karma is a personal finance Web site with more than 20 million members.
The FTC alleged that, despite security promises, Credit Karma failed to take reasonable steps to secure its mobile apps. The complaint alleged that the company, among other things, disabled a process called SSL certificate verification that would have protected consumers' information.
As a result, Credit Karma's applications were vulnerable to third-party attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is particularly dangerous on public WiFi networks such as those at coffee shops, airports and shopping centers.
The Credit Karma Mobile app for iOS and Android allows consumers to monitor and evaluate their credit and financial status. The FTC's complaint alleged Credit Karma assured consumers that the company followed "industry-leading security precautions" such as the use of SSL to secure consumers' information.
According to the FTC, Credit Karma could have prevented the vulnerability with basic tests but did not perform an adequate security review of its iOS app before release. Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the same vulnerability.
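As an added illustration, not code from the article or from Credit Karma: the Go program below reproduces the defect the complaint describes (certificate verification switched off) next to the correct default, and shows the kind of basic pre-release test that would have caught it. It starts a local HTTPS server with a self-signed certificate, a constructed stand-in for an attacker presenting a forged certificate on a public network, then makes the same request with a client that skips verification and with a client that keeps the default verifier. The apps in the case were iOS and Android; Go is used here only so the example runs self-contained on any machine, and the server, the function names and the response body are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
)

import "net/http/httptest"

// newUntrustedServer starts a loopback HTTPS server whose certificate is
// self-signed and present in no trust store. It plays the role of an attacker
// on a shared network presenting a forged certificate (constructed fixture,
// not the real service).
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "sample account data (constructed)")
	}))
}

// insecureClient mirrors the defect in the complaint: certificate
// verification is disabled, so the client accepts any certificate and an
// interceptor can read and alter everything the app sends or receives.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// secureClient keeps the platform default: the chain is checked against the
// trust store and the hostname must match the certificate.
func secureClient() *http.Client {
	return &http.Client{}
}

// fetch performs one GET and reports whether the TLS connection was accepted.
func fetch(client *http.Client, url string) (accepted bool, err error) {
	resp, err := client.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// isCertificateError reports whether a request failed because the server
// certificate could not be chained to a trusted root.
func isCertificateError(err error) bool {
	var unknownAuthority x509.UnknownAuthorityError
	return errors.As(err, &unknownAuthority)
}

// Outcome is what a basic release test would record for the two clients.
type Outcome struct {
	InsecureAccepted bool // verification off: forged certificate accepted
	SecureAccepted   bool // verification on: should be false
	SecureCertError  bool // verification on: rejection was a certificate error
}

// RunCheck runs both clients against the untrusted server. A release gate
// should fail if the app's own HTTP client behaves like the insecure one.
func RunCheck() Outcome {
	srv := newUntrustedServer()
	defer srv.Close()

	insAccepted, _ := fetch(insecureClient(), srv.URL)
	secAccepted, secErr := fetch(secureClient(), srv.URL)

	return Outcome{
		InsecureAccepted: insAccepted,
		SecureAccepted:   secAccepted,
		SecureCertError:  isCertificateError(secErr),
	}
}

func main() {
	o := RunCheck()
	fmt.Printf("verification disabled: forged certificate accepted = %v\n", o.InsecureAccepted)
	fmt.Printf("verification enabled:  forged certificate accepted = %v (certificate error: %v)\n",
		o.SecureAccepted, o.SecureCertError)
}
```

The same check applies to a real app: point its networking layer at a test endpoint with an untrusted certificate and require the request to fail. A pass against such an endpoint is the signal the complaint says was missed before both the iOS and Android releases.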
The complaint charges that Credit Karma failed to appropriately test or audit its apps' security and failed to oversee the security practices of its application development firm.