The settlement was first proposed in March 2014. Under it, both companies must establish comprehensive security programs that govern all future development of their apps and address the security risks at issue. In addition, both companies must have those programs reviewed in an independent security assessment every two years through 2034.
Both companies’ apps had vulnerabilities that could expose consumers’ sensitive information to attackers using “man-in-the-middle” attacks. This was possible because both companies had disabled SSL certificate verification, the step in which the app checks that the server it is talking to presents a valid certificate for the expected host. With that check disabled, the app completed an encrypted connection with whatever server answered, so an attacker positioned between the app and the real server (on public Wi-Fi, for example) could present their own certificate and read or modify the sensitive information the app sent and received.
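The mistake at the center of the case, shown in working code. This is an added example, not code from Fandango, Credit Karma or the FTC complaint, and the helper names (`insecure_context`, `secure_context`, `audit_context`) are assumptions for illustration. It uses Python's standard `ssl` module to build a client context with verification switched off, the way the apps behaved, next to one that validates both the certificate chain and the hostname, and adds a small audit function that flags either weakness in a given context.

```python
import ssl
from typing import List, Optional

# Added example, not code from Fandango, Credit Karma or the FTC complaint.
# Function names below are assumptions chosen for illustration.


def insecure_context() -> ssl.SSLContext:
    """Client context with certificate verification switched off.

    This reproduces the class of mistake the FTC cited: the client will
    complete a TLS handshake with any server, including one presenting a
    self-signed or attacker-issued certificate, so the encryption protects
    nothing against an attacker in the network path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate chain, trusted or not
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the chain and the hostname.

    With cafile=None the platform trust store is used. Passing a cafile
    restricts trust to that single CA, a simple form of certificate pinning
    a mobile client can use for its own API host.
    """
    # create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses in a context (empty list if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: the server's certificate chain is never checked"
        )
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: a valid certificate for any other name is accepted"
        )
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

Both checks matter: `verify_mode` alone establishes that the certificate chains to a trusted CA, while `check_hostname` confirms the certificate was issued for the host the app meant to reach; dropping either lets an attacker who holds any valid certificate impersonate the server. A fuller regression test would stand up a local listener with a self-signed certificate and assert that the handshake fails with the secure context, which requires generating a certificate and is omitted here.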
For consumers using the Credit Karma app, the information at risk was especially sensitive. An attacker carrying out a man-in-the-middle attack could have obtained names, phone numbers, dates of birth, home addresses, passwords, credit scores, Social Security numbers and a variety of other financial data, enough for a thief to easily steal the person’s identity.
Edith Ramirez, the FTC chairwoman, noted, “Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
While the FTC settlement does not appear to have affected the BBB rating of Fandango, it has taken a toll on the BBB rating of Credit Karma, which has fallen from an A to a B.