Both Fandango and Credit Karma settled Federal Trade Commission charges that they misrepresented the security of their mobile apps and did not provide secure transmission of consumers’ sensitive personal information, says the FTC in a written statement.
The FTC alleges Fandango and Credit Karma did not make a reasonable effort to secure their mobile apps and protect consumers’ sensitive personal information.
Furthermore, according to the complaints, Fandango and Credit Karma disabled SSL certificate validation, which acts to verify the security of an app’s communications.
Consequently, any information the apps transmitted could be intercepted through what are known as “man in the middle” attacks.
“This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers,” says the FTC. SSL, short for Secure Sockets Layer, prevents an attacker from obtaining sensitive information submitted through the app.
By disabling SSL certificate validation, both Fandango and Credit Karma exposed consumers’ credit card details, Social Security Numbers, names, and dates of birth, among other sensitive personal information.
The FTC says the settlements with Fandango and Credit Karma are part of its goal to make sure companies keep their privacy promises to consumers.