Security Flaws in Fandango, Credit Karma Apps Put Consumer Card Data at Risk

April 1, 2014, Written By Bill Hardekopf
????????????????????

The Federal Trade Commission has reached a settlement with movie ticket seller Fandango and credit report provider Credit Karma over charges that they failed to secure the transmission of consumers’ personal information from their mobile apps.

The FTC alleged that personal information was put at risk when the companies disabled a critical default process, known as SSL certificate validation. This included credit card information, usernames and passwords, and in the case of Credit Karma, Social Security numbers. The disabling of this process could allow a hacker to intercept the information the apps sent or received. Both companies fixed the security issues last year.

As part of the settlement, the FTC requires Credit Karma and Fandango to undergo a security assessment every other year for the next 20 years. The FTC is also overseeing the security programs these companies are putting in place to make sure they have proper encryptions for personal data. The companies will not be required to pay a fine for their actions because their connection with specific monetary loss is hard to track.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez in a statement. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

As a safety precaution, consumers should turn off the Wi-Fi while outside the home. The phone will still try to connect even when not using the Internet. This opens the gate for skilled hackers to get into the phone through this type of security mishap. If the Internet is turned off, consumers can use the phone with more peace of mind.



The information contained within this article was accurate as of April 1, 2014. For up-to-date
information on any of the terms, cards or offers mentioned above, visit the issuer's website.