Do you use your smartphone to purchase movie tickets with the Fandango app or monitor your finances with the Credit Karma app? You might want to rethink that practice – especially if you routinely connect to either app through public WiFi connections. According to a statement released by the Federal Trade Commission on March 28, 2014, users of Credit Karma’s and Fandango’s apps were potentially vulnerable to “man in the middle” attacks, which allow an attacker to intercept information transmitted to or from the apps. Source: FTC
Both iOS and Android versions of the Credit Karma and Fandango apps were vulnerable to such attacks, according to the FTC report. Security shortcomings in the Fandango apps persisted from March 2009 through February 2013. The report did not disclose how long security lapses were present in the Credit Karma apps.
1. SSL Issues in Mobile Apps
The FTC report claimed that both Credit Karma and Fandango could have greatly minimized this risk by performing basic security tests before releasing their apps and by implementing industry-standard security measures in the apps themselves. Instead, officials at both companies were less than forthcoming with users of their apps about the safety and privacy of sensitive personal information. As a result, users of both apps may have unknowingly placed sensitive personal information at risk, especially if they used the apps in locations such as coffee shops, public libraries and airports.
According to the FTC report, both Credit Karma and Fandango disabled a critical security measure in their apps: Secure Sockets Layer (SSL) certificate validation. With certificate validation in place, the apps could verify that communications between users’ devices and company servers were secure. Without it, there is no way to ensure the security of information that is transferred to and from the apps.
The FTC report also claimed that both companies could have minimized security risks associated with their apps by performing adequate security reviews and by subscribing to third-party vulnerability reports. Credit Karma was allegedly warned about security risks associated with its iOS app by a user, but failed to act on the information. Instead, Credit Karma released the Android version of its app – which included the same security vulnerabilities of the iOS version – the following month.
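The "basic security tests before releasing their apps" that the report calls for can start with a source review for the ways certificate validation is typically switched off. The following is an added example, not code from the FTC report or from either company: a small scanner that looks for a trust manager that accepts every chain and a hostname verifier that accepts every name. The Java fragments it inspects are constructed samples, and the list of patterns is an assumption about what to look for.

```python
import re

# Constructed sample of Android (Java) client code with certificate validation
# switched off, the kind of defect the FTC complaint describes. Not real app code.
VULNERABLE_SRC = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample that leaves the platform defaults alone: the chain is checked
# against the device trust store and the hostname is verified.
HARDENED_SRC = """
HttpsURLConnection conn = (HttpsURLConnection) new URL(apiUrl).openConnection();
conn.setRequestMethod("GET");
"""

# Each check pairs a label with a regex for one way of disabling validation.
CHECKS = [
    ("checkServerTrusted has an empty body",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}")),
    ("getAcceptedIssuers returns null",
     re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;")),
    ("HostnameVerifier.verify always returns true",
     re.compile(r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;")),
    ("ALLOW_ALL_HOSTNAME_VERIFIER in use",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]


def find_disabled_validation(source: str) -> list:
    """Return (label, line_number) for every validation-disabling pattern found."""
    findings = []
    for label, pattern in CHECKS:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((label, line_no))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        hits = find_disabled_validation(src)
        print(f"{name}: {len(hits)} finding(s)")
        for label, line_no in hits:
            print(f"  line {line_no}: {label}")
```

A match is a review prompt rather than a verdict: a custom trust manager is legitimate when it pins to the company's own certificate, so each hit should be read in context before release.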
2. Overexposure to Fraud and Identity Theft
Along with failing to implement adequate security measures, Fandango and Credit Karma exposed users of their apps to potential credit card fraud and identity theft. Fandango customers who used its mobile app potentially exposed sensitive information such as credit card numbers, email addresses and passwords. Users of Credit Karma’s apps were even more vulnerable, because its apps handle critical personal information such as Social Security numbers, bank account information, dates of birth, credit report information and credit scores, home addresses, email addresses and passwords.
3. FTC Settlements Reached
Both Credit Karma and Fandango have reached settlements with the FTC to establish what it labeled “comprehensive security programs” to minimize security risks in future updates of their mobile apps. Both companies must subject their apps to independent security assessments every other year for the next two decades. No monetary penalties were imposed on either company by the FTC.
If you used either the Fandango or the Credit Karma mobile app in recent years, you would be well advised to obtain copies of your credit report from all three major credit reporting agencies: Experian, Equifax and TransUnion. You might also consider placing fraud alert notices on your credit report, which require merchants and lenders to obtain enhanced authorization before issuing credit to someone claiming to be you. Whether or not you used either Fandango’s or Credit Karma’s apps, installing apps such as Lookout on your mobile device, along with exercising caution when your mobile device is connected to a public Wi-Fi network, can minimize the risk that you will be victimized.