Fandango, Credit Karma reach security settlement

PORTLAND, Ore. (AP) -- The Federal Trade Commission says the mobile applications of movie ticket-seller Fandango and credit report-provider Credit Karma may have exposed millions of users' sensitive personal information, including credit card data and social security numbers.

The companies failed to properly secure their apps over a multiyear period, potentially exposing information users sent or received, according to the FTC.

Fandango and Credit Karma fixed the security issue last year.

The companies said Friday that they are not aware of any individual's information being compromised. But the FTC said that due to the nature of the types of attacks, it would be nearly impossible to trace.

Fandango, owned by Comcast Corp., and Credit Karma agreed to settle FTC's charges that they misrepresented the security of their applications and failed to secure information.

As part of the settlements, the companies agreed to establish more comprehensive security programs and undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

The FTC said Fandango and Credit Karma disabled a critical process, known as SSL certificate validation, which would have verified that communications were secure. Because of that, the applications were vulnerable to "man-in-the-middle" attacks, which allow attackers to intercept information.

"This is something that would be undetectable to either the consumer or the company," Nithan Sannappa of the FTC's Bureau of Consumer Protection said.

This type of attack is more dangerous on public Wi-Fi networks, such as those available at coffee shops, airports and shopping centers. In these settings, the network is typically not secure, which leaves users relying largely on the security measures of their applications to protect them. Such attacks are possible on a secured network, but less likely, according to the FTC.

Fandango may have exposed consumers' credit card, email address and passwords through its application for Apple's iOS operating system between March 2009 and March 2013, according to the complaint.

Credit Karma's may have exposed consumers' names, Social Security numbers, birthdates, addresses, phone numbers, credit scores and more. This affected its iOS applications used between July of 2012 and January of 2013. The company also launched an Android version of its app in 2013 without proper security steps, an issue which it later resolved.

The FTC does not have a specific figure of how many people may have been made vulnerable. But it noted in its complaint that Credit Karma's app has been downloaded more than one million times and Fandango's has been downloaded more than 18.5 million times.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Top Stories

  • Black Market
    Despite legalization, 'business is good' for Seattle's illegal pot dealers

  • Mourning Trees
    Chiara D'Angelo spent her day mourning the loss of over 800 trees on Bainbridge Island

  • Endangered
    Some of the most beautiful animals in the world are disappearing from Washington
ATTENTION COMMENTERS: We've changed our comments, but want to keep you in the conversation.
Please login below with your Facebook, Twitter, Google+ or Disqus account. Existing MyNorthwest account holders will need to create a new Disqus account or use one of the social logins provided below. Thank you.
comments powered by Disqus
Listen to the show
Hear GeekWire on KIRO Radio
Join Todd Bishop and John Cook weekends on KIRO Radio to talk Seattle technology.

Sign up for breaking news e-mail alerts from MyNorthwest.com
In the community
Do you know an exceptional citizen who has impacted and inspired others?
KIRO Radio and WSECU would like to recognize six oustanding citizens this year. Nominate them to be recognized and to receive a $2,000 charitable grant.