FTC okays final orders with Fandango, Credit Karma over mobile app security issues
While hotel chain Wyndham is challenging the FTC's right to take action against firms over IT security lapses, the agency is moving ahead with its regulatory enforcement efforts in this controversial area.
In the latest action, the FTC approved this week final orders settling charges against Fandango and Credit Karma over allegations that they failed to protect their customers' sensitive personal information and misrepresented the security of their mobile apps.
The FTC charged that the two firms' "mobile apps left consumers' sensitive personal information, including credit card information and Social Security numbers, vulnerable to interception by third parties." Among other security lapses, the agency alleged that the two firms disabled Secure Sockets Layer (SSL) certificate verification, the check that protects data in transit by confirming that an app is talking to the genuine server rather than to an impostor that presents its own certificate.
"As a result, the companies' applications were vulnerable to 'man-in-the-middle' attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers," the commission explained in announcing the initial settlements in March.
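To make the lapse concrete, here is an added example, not code from either company's app, that runs the weak client setting and the verifying one against a local self-signed server standing in for an interception proxy. It uses only Go's standard library; the helper names, the "mitm.example" hostname and the four-way Demo are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newServer: local TLS server with a self-signed cert no system root trusts. It stands in
// for an interception proxy on hostile Wi-Fi: a verifying client must refuse it.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
}

// fetch does one GET with the given client TLS settings; false means the handshake was refused.
func fetch(url string, cfg *tls.Config) bool {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := client.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// insecureConfig is the lapse the FTC described: chain and hostname checks off, any cert accepted.
func insecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// pinnedConfig trusts exactly one anchor; serverName overrides the expected host ("" = from URL).
func pinnedConfig(anchor *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	return &tls.Config{RootCAs: pool, ServerName: serverName}
}

// Demo runs four client configurations against the untrusted server (constructed scenario).
func Demo() (insecureAccepts, defaultRejects, pinnedAccepts, pinnedRejectsWrongName bool) {
	srv := newServer()
	defer srv.Close()
	insecureAccepts = fetch(srv.URL, insecureConfig())                                       // MITM goes unnoticed
	defaultRejects = !fetch(srv.URL, &tls.Config{})                                          // system roots: unknown authority
	pinnedAccepts = fetch(srv.URL, pinnedConfig(srv.Certificate(), ""))                      // genuine backend cert
	pinnedRejectsWrongName = !fetch(srv.URL, pinnedConfig(srv.Certificate(), "mitm.example")) // hostname mismatch
	return
}
func main() { fmt.Println(Demo()) }
```

Only the first configuration accepts the impostor; the other three show what the disabled check would have caught.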
As part of the settlements, Fandango and Credit Karma have agreed to set up comprehensive security programs designed to address security risks during the app development process and to undergo biennial independent security assessments for the next 20 years.