The Federal Trade Commission announced Friday that the two companies settled charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ personal information.
The FTC alleged that, despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps.
According to the FTC complaints, Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.
By overriding the validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card information, as well as consumer email addresses and passwords.
Similarly, the disabled validation process in Credit Karma’s iOS and Android apps exposed consumers’ Social Security numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores and other credit report details, such as account balances.
According to the FTC, both companies could have easily prevented the vulnerability by performing adequate security reviews of their apps.
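The apps in the complaints were native iOS and Android code; the following is an added example, not code from either company, that uses Python’s `ssl` module to show the same mistake next to its corrected form, plus the kind of check an app security review could run over a client’s TLS configuration. The function and finding names are assumptions for illustration.

```python
import ssl
from typing import List, Optional

# Added example: the "disable validation" path below reproduces the
# misconfiguration described in the FTC complaints (certificate validation
# switched off), so that any certificate presented by a network attacker is
# accepted. It is not the companies' code.

def insecure_client_context() -> ssl.SSLContext:
    """Client context with certificate validation switched off (the anti-pattern)."""
    ctx = ssl.create_default_context()
    # Order matters: check_hostname must be cleared before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is accepted
    return ctx

def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the chain and the hostname, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store when cafile is None
    ctx.check_hostname = True                        # certificate must match the host connected to
    ctx.verify_mode = ssl.CERT_REQUIRED              # chain must lead to a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it validates properly."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain validation disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (minimum_version too low)")
    return findings

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["OK"])
```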
“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” FTC Chairwoman Edith Ramirez says in a news release. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
Under the settlements, Fandango and Credit Karma must establish comprehensive security programs designed to address security risks during the development of their applications and undergo independent security assessments every other year for the next 20 years.
The companies are also prohibited from misrepresenting the level of privacy or security of their products and services.