FTC Settles with Credit Karma, Fandango Over App Security

Credit Karma and Fandango have settled charges with the Federal Trade Commission that their mobile applications inadequately protected consumers' payments and other personal data.

Under the settlement, the two companies are required to undergo independent security assessments every other year through 2034. Furthermore, both companies are prohibited from misrepresenting the level of privacy of their products. They do not have to pay a fine.

Commissioners voted 4-0 in favor of the settlement, with Terrell McSweeny not participating, an FTC release Tuesday said. The proposed settlement was announced in March.

Credit Karma is a credit monitoring company, and consumers use Fandango to buy movie tickets.

Complaints filed with the FTC alleged that both companies disabled secure sockets layer (SSL) certificate validation in their mobile applications. This function is used to establish authenticated, encrypted connections with consumers and is meant to prevent theft by a hacker.

If this function is disabled in a mobile application, a third-party attacker can obtain a consumer's credit card information, Social Security number, credit report data and other sensitive information, according to the FTC.

"The misuse of these types of sensitive personal information can lead to identity theft, including existing and new account fraud, the compromise of personal information maintained on other online services, and related consumer harms," the FTC release said.
