The Federal Trade Commission (FTC) settled two unfair and deceptive trade practices cases with mobile app companies for alleged failure to keep the companies’ own cybersecurity promises. Fandango provides a movie ticketing website where consumers can purchase tickets, view showtimes, trailers and reviews. Credit Karma provides a website and app that allows consumers to monitor their credit. According to the FTC’s complaint against Fandango, the company represented to its customers that:
Your Fandango iPhone Application allows you to store your credit card and Fandango account information on your device so you can conveniently purchase movie tickets. Your information is securely stored on your device and transferred with your approval during the transaction.
Fandango did not, however, perform Secure Sockets Layer (SSL) certificate validation when encrypting credit card data in transit. Neither did Credit Karma, which also took credit card information from its customers over the internet. In order to take payments without SSL validation, the companies had to override their software’s default settings. iOS and Android design materials both strongly warn against disabling SSL validation. Android’s materials state that an app that does not validate SSL certificates:
might as well not be encrypting communication, because anyone can attack users at a public Wi-Fi hot spot … [and] the attacker can then record passwords and personal data.
The type of attack Android is describing is what the FTC calls a “man in the middle” scheme where a hacker can position himself between the company and the consumer and steal payment information or other personally identifying data in transit. Man-in-the-middle attacks commonly occur on WiFi networks such as those found in coffee shops and bookstores.
The FTC also noted that the fix for this vulnerability is not expensive; in fact, certificate validation is the default setting for most apps.
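The override the complaints describe, and the default it replaces, shown as an added example that is not part of the original article or of either company's code. The apps in question were iOS and Android clients; Python's standard ssl module is used here only because it exposes the same three settings (chain validation, hostname check, trust store) in a few lines. The audit function and the finding codes are constructed for this illustration.

```python
import ssl

# Finding codes returned by audit_client_tls_context() (constructed for this example)
NO_CHAIN_VALIDATION = "NO_CHAIN_VALIDATION"   # server certificate chain is not checked
NO_HOSTNAME_CHECK = "NO_HOSTNAME_CHECK"       # certificate is not matched against the server name
EMPTY_TRUST_STORE = "EMPTY_TRUST_STORE"       # validation is on but no CA certificates are loaded


def audit_client_tls_context(ctx: ssl.SSLContext) -> set[str]:
    """Return the set of findings for a client-side SSLContext.

    An empty set means the context validates the server's certificate chain,
    checks the hostname, and has at least one trusted CA to validate against.
    """
    findings = set()
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.add(NO_CHAIN_VALIDATION)
    if not ctx.check_hostname:
        findings.add(NO_HOSTNAME_CHECK)
    # A context that requires validation but trusts no CA fails every
    # handshake; the common (wrong) reaction is to switch validation off.
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.add(EMPTY_TRUST_STORE)
    return findings


def default_client_context() -> ssl.SSLContext:
    """The platform default: validate the chain against the system trust
    store and check the hostname. This is the setting the apps overrode."""
    return ssl.create_default_context()


def validation_disabled_context() -> ssl.SSLContext:
    """The override described in the complaints: encryption is still
    negotiated, but any certificate, including one presented by a man in
    the middle on a public Wi-Fi network, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False    # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def unconfigured_client_context() -> ssl.SSLContext:
    """Validation enabled but no CA certificates loaded: every connection
    fails, which is what tempts developers into the override above."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


if __name__ == "__main__":
    for name, ctx in [("default", default_client_context()),
                      ("validation disabled", validation_disabled_context()),
                      ("no trust store", unconfigured_client_context())]:
        print(f"{name}: {sorted(audit_client_tls_context(ctx)) or 'OK'}")
```

The right response to an EMPTY_TRUST_STORE finding is to load the platform's CA bundle (which create_default_context does), not to clear verify_mode; the second and third contexts both fail the audit, but only the second one silently accepts an attacker's certificate.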
So what was the penalty for these alleged unfair and deceptive acts? The proposed settlements between the FTC and Credit Karma and Fandango require the companies to implement comprehensive security programs. Also, consistent with other FTC cybersecurity settlements, Credit Karma and Fandango will undergo 360-degree audits from an independent professional every other year for the next 20 years.
For a more detailed look at this case, see the FTC’s blog here.