FTC okays final orders with Fandango, Credit Karma over mobile app security issues


While hotel chain Wyndham is challenging the FTC's right to take action against firms over IT security lapses, the agency is moving ahead with its regulatory enforcement efforts in this controversial area.

In the latest action, the FTC this week approved final orders settling charges against Fandango and Credit Karma over allegations that they failed to protect their customers' sensitive personal information and misrepresented the security of their mobile apps.

The FTC charged that the two firms' "mobile apps left consumers' sensitive personal information, including credit card information and Social Security numbers, vulnerable to interception by third parties." Among other security lapses, the agency alleged that the two firms disabled Secure Sockets Layer (SSL) certificate verification, the check by which an app confirms that the server it is talking to holds a certificate issued for that server's name by an authority the platform trusts. With that check switched off, the app accepts any certificate at all, so anyone who can sit on the network path can present their own and read or alter everything the app sends and receives.

"As a result, the companies' applications were vulnerable to 'man-in-the-middle' attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers," the commission explained in announcing the initial settlements in March.
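To make that failure concrete, here is an added example (not code from either app, nor from the FTC's complaint) that stands up a local TLS server with a freshly generated self-signed certificate, playing the part of an impostor sitting between the app and its real back end, and then connects to it with two clients: one that verifies certificates as the platform does by default, and one with verification switched off in the way the FTC alleged. The server name `api.example.com`, the local port, the card-number payload and the `openssl` invocation are all constructed for the demonstration.

```python
"""Added example: what disabling TLS certificate verification buys an attacker.

A local TLS server presents a throwaway self-signed certificate, standing in
for an impostor between the app and its real API. Two clients then connect:
one with the platform default (verify the chain and hostname), one with
verification disabled. Everything here is constructed for the demo; it is
not code from Fandango, Credit Karma or the FTC complaint.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"                       # constructed: impostor listens locally
SERVER_NAME = "api.example.com"          # constructed: name the app expects
PAYLOAD = b"card=4111111111111111&ssn=000-00-0000"  # constructed sample secret


def make_self_signed_cert(directory):
    """Generate a self-signed cert/key with the openssl CLI (as an attacker would)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + SERVER_NAME],     # attacker can claim any name
        check=True, capture_output=True,
    )
    return cert, key


def start_impostor_server(cert, key):
    """Start a background TLS server that echoes whatever it receives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.bind((HOST, 0))                # port 0: let the OS pick a free port
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return                      # listener closed: shut down
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(tls.recv(1024))  # attacker now holds the plaintext
            except OSError:
                pass                        # client aborted the handshake

    threading.Thread(target=serve, daemon=True).start()
    return listener, listener.getsockname()[1]


def insecure_context():
    """The alleged misconfiguration: accept any certificate, check no hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """Platform default: verify the chain against trusted CAs and the hostname."""
    return ssl.create_default_context()


def send_through(ctx, port):
    """Try to send PAYLOAD; return ('ok', echo) or ('rejected', error name)."""
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                tls.sendall(PAYLOAD)
                return "ok", tls.recv(1024)
    except ssl.SSLError as exc:
        return "rejected", type(exc).__name__


def run_demo():
    """Run both clients against the impostor and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        listener, port = start_impostor_server(*make_self_signed_cert(tmp))
        try:
            return {
                "verification_disabled": send_through(insecure_context(), port),
                "verification_enabled": send_through(secure_context(), port),
            }
        finally:
            listener.close()


if __name__ == "__main__":
    for client, outcome in run_demo().items():
        print(client, "->", outcome)
```

The verifying client abandons the handshake with a certificate verification error before any application data leaves the socket; the client with verification disabled completes the handshake and hands the payload to the impostor, which is exactly the position an attacker on shared Wi-Fi is in. The demo needs the `openssl` command-line tool only to mint the throwaway certificate.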

As part of the settlements, Fandango and Credit Karma have agreed to set up comprehensive security programs designed to address security risks during the app development process and to undergo biennial independent security assessments for the next 20 years.

For more:
- check out the FTC release on the final order
- see the FTC release on the initial settlements

Related Articles:
Can the FTC sue companies over lax IT security?
Identity theft ring steals $10M in federal tax returns
Bad karma for Credit Karma's mobile app