FTC Approves Final Orders with Fandango and Credit Karma: Mobile Apps were Deceptive

The Federal Trade Commission (“FTC”) announced recently that it has approved final orders settling charges against movie ticket company Fandango, LLC and consumer credit information company Credit Karma, Inc.Although neither Fandango nor Credit Karma were charged due to actual security breaches, both companies were charged with failing to take reasonable steps to properly secure data that consumers imputed on their mobile apps, leaving them at risk of being hacked. The FTC said both Fandango and Credit Karma disabled the SSL certificate validation on their apps, leaving consumers’ sensitive personal information, including credit card information and Social Security numbers, vulnerable to interception by third parties. The FTC alleged that Credit Karma’s app developers disabled certificate validation during the testing of Credit Karma’s iOS app and then failed to remove the override function when releasing it into Apple's App Store. Months later, a consumer notified the company of the vulnerability and the default iOS settings were restored. However, the same override error was made again when releasing the Android version of Credit Karma in February 2013. Similarly, Fandango allowed its app for iOS to skip verifications from March 2009 to February 2013. The FTC also said that Fandango lacked a good process for responding to vulnerability reports from security researchers. This led to the company missing an advisory from a researcher who had discovered the SSL vulnerability. The FTC complaint charged that the company’s in-app statements such as “You don’t need an account to securely purchase tickets” were false and misleading. Fandango was charged under Section 5 of the FTC act for deceptive acts and practices.