On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.

The FTC alleged that Fandango and Credit Karma did not take reasonable steps to secure their mobile apps, including by overriding the industry-standard Secure Sockets Layer (“SSL”) certificate validation process. According to the FTC, by disabling SSL certificate validation, the companies undermined the security of the apps’ communications; any information the apps sent or received could be intercepted by hackers. This type of vulnerability is especially problematic with respect to sensitive transactions on public Wi-Fi networks.

The settlements require Fandango and Credit Karma to establish comprehensive security programs and undergo independent biennial security assessments for 20 years. The companies also are barred from misrepresenting the privacy or security of their products and services.

Read the FTC’s Business Center Blog post regarding the settlements.

Update: On August 19, 2014, the FTC approved the final settlement orders with Fandango and Credit Karma.