Apps from Credit Karma, Fandango failed to protect user information, FTC says


Two companies settled charges by the Federal Trade Commission that they failed to protect the personal information of millions of consumers who used the companies’ mobile applications.

FTC says the Credit Karma Mobile app for Apple iOS and Google Android, which allows a consumer to monitor and evaluate his/her credit, and the Fandango Movie app for iOS, which allows consumers to buy movie tickets and view showtimes, didn’t feature a particular layer of encryption and therefore weren’t secure.

FTC says mobile operating systems provide app developers with tools to implement an industry standard known as Secure Sockets Layer (SSL), which secures an app’s communications and prevents attackers from intercepting personal information that consumers submit via a mobile app.

Credit Karma and Fandango disabled the default SSL certificate validation process, which left consumers’ personal information such as credit-card numbers, Social Security numbers, email addresses and passwords at risk. FTC says the companies could have prevented the vulnerability by applying basic security checks. Both companies agree to undergo independent security assessments every other year for the next 20 years.