Bad Credit Karma: FTC Settlements Show Importance of Securing Mobile App Data
As consumer transactions via mobile devices proliferate, two recent consent orders highlight the FTC’s heightened emphasis on security of information transmitted via mobile applications.
The consent orders involved the popular movie-ticket application Fandango Movies and the Credit Karma Mobile application, which allows consumers to monitor and evaluate their credit history. In both cases, the FTC alleged that, despite their security promises, the companies failed to take basic precautions to secure information transmitted via their mobile applications, potentially exposing consumers’ sensitive personal information to man-in-the-middle attacks. In a man-in-the-middle attack, an attacker positioned between the consumer’s mobile application and the online service provider, typically on a public Wi-Fi network, can decrypt, monitor or alter the communications between the application and the online service.
The FTC complaints prompting the orders alleged that the vulnerabilities arose because the companies disabled Secure Sockets Layer (SSL) certificate validation, the check that, when properly implemented, confirms the application is communicating with the genuine server rather than an impostor. The FTC alleged that the vulnerability could have been tested for and prevented, but the companies failed to perform basic security checks. In addition, the FTC’s complaint alleged that Fandango also failed to have in place procedures to receive vulnerability reports, which would have given the company an opportunity to fix the problems.
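As an added illustration (not code from the FTC orders, the complaints, or either company), the following Python shows the client configuration the complaints describe, disabled certificate validation, beside a hardened configuration, together with an audit function that a pre-release check can run over any `ssl.SSLContext` to catch the weak setting; all function names are ours.

```python
import ssl

# Added example: the weak TLS client setting the FTC complaints describe
# (certificate validation switched off), the corrected setting, and a
# check that flags the weak one before an app ships.


def insecure_client_context() -> ssl.SSLContext:
    """Certificate validation disabled.

    The connection is still encrypted, but the client accepts any
    certificate, so an attacker on the same network who presents a
    certificate of their own is accepted as the real server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # do not match the cert name to the host
    ctx.verify_mode = ssl.CERT_NONE   # do not verify the certificate chain
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validation intact: chain checked against the system trust store,
    certificate name checked against the host the app meant to reach."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return finding codes for a client context; empty means validation is on.

    Suitable as a unit test over every context an app constructs, which is the
    kind of basic pre-release check the complaints say was not performed.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-verification")   # any cert is accepted
    if not ctx.check_hostname:
        findings.append("no-hostname-check")       # cert for any name accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")      # pre-1.2 versions negotiable
    return findings


if __name__ == "__main__":
    print("insecure:", audit_tls_context(insecure_client_context()))
    print("hardened:", audit_tls_context(hardened_client_context()))
```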
In settlement of the FTC allegations, Fandango and Credit Karma agreed to implement written comprehensive security programs and to be subject to biannual security assessments from a qualified, objective, independent third-party professional for the next two decades.
The FTC requirements for the comprehensive security programs provide useful guidance for companies seeking to develop their own protocols. Under the orders, each company’s comprehensive security program must:
- designate an employee or employees to coordinate and be accountable for the information security program;
- identify material internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, whether such information is in its possession or is input into, stored on, captured with, accessed or transmitted through a computer using its products or services, and assess the sufficiency of any safeguards in place to control these risks;
- consider risks in each area of relevant operation, including but not limited to (1) employee training and management, including in secure engineering and defensive programming; (2) product design and development; (3) secure software design, development, and testing; (4) review, assessment, and response to third-party security vulnerability reports; and (5) prevention, detection, and response to attacks, intrusions, or system failures;
- design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including through reasonable and appropriate software security testing techniques;
- develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require service providers by contract to implement and maintain appropriate safeguards; and
- evaluate and adjust its security program in light of the results of testing and monitoring, any material changes to its operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its security program.
More information about the FTC’s ongoing efforts to make sure that companies secure their applications and adhere to their privacy policies is available here.