Two recent events should make everybody a lot more cautious about giving any financial information to third-party companies like Credit Karma and LifeLock. One would assume that these companies would have the highest security available for their mobile apps, since they collect sensitive consumer financial data such as Social Security numbers in order to perform their services, but that doesn’t seem to be the case.
Credit Karma recently had to settle with the Federal Trade Commission (FTC) over vulnerabilities in its mobile phone app. Using the app had the potential to expose users’ financial information to hackers through “man-in-the-middle” attacks. The lack of security made it possible for thieves to obtain any information the mobile app sent or received. Users of the Credit Karma mobile app could have had their dates of birth, home addresses, names, phone numbers, passwords, credit scores, Social Security numbers and other important financial data exposed to anyone who wanted to see it. Had this information fallen into the wrong hands, it would have been quite easy for whoever held it to steal the user’s identity.
LifeLock recently disclosed its own mobile app vulnerability. In response, the company voluntarily withdrew its Wallet App from download and deleted all of the users’ data that had been collected through the app. It did so because the technology the Wallet App used fell short of the Payment Card Industry (PCI) Data Security Standard (DSS), a shortfall that had the potential to expose users’ financial data to hackers. This comes after LifeLock had to pay $12 million to the FTC in 2010 for making false identity theft protection and data security claims about its service.
It’s important to realize that every time you give your financial information to a new website, you increase the chances of having this information stolen. When even high-profile companies that deal with users’ financial information do not always secure it, you can assume that there are far more vulnerabilities through which your data can be accessed. Any time you are asked to give information that could be used to steal your identity, you should stop and think about whether access to the site requesting it is worth it.
(Photo courtesy of Irita Kirsbluma)