Fandango and Credit Karma Mobile Apps Put Users At Risk

A night at the movies previously meant compromising between an edge-of-your-seat thriller and that new Nora Ephron romantic comedy, with the biggest ding to your wallet being a $10 bucket of large popcorn. However, now it may end up costing you more than just the exorbitantly priced snacks.

Movie ticket site Fandango as well as credit score management site Credit Karma found themselves in some hot water recently after it came to light that their mobile apps for iOS and Android did not properly encrypt customer data. The Federal Trade Commission (FTC) called the companies out for knowingly disabling critical mobile security features and potentially exposing customers’ credit card information, Social Security numbers, and other personal information.

Currently, Fandango has had nearly 100 million downloads from the Apple App Store and Google Play Store in total, and Credit Karma has more than 5 million downloads overall, which means that there were a considerable amount of people potentially impacted by these oversights. According to the FTC, Fandango and Credit Karma misrepresented the security of their apps and failed to take the necessary steps to keep customer data safe. Both companies disabled the Secure Sockets Layer (SSL) certificate validation process for their iOS and Android apps, which verifies that the apps’ communications are secure when sensitive data is being transmitted over the network.

These security slip-ups were dangerous not only because both apps were used for financial transactions, but also because they made sensitive data vulnerable to easily executed attacks via public Wi-Fi. In Credit Karma’s case, the original mistake occurred during testing, when developers disabled the SSL certificate validation feature and then failed to turn it back on after releasing it to the Apple App Store. The same mistake was also made nearly six months later when they released the Android version in February 2013. Fandango, on the other hand, allowed its iOS app to skip SSL certificate validations for nearly three years before rectifying the error. Both situations reveal a major gap in the app security review process, as well as reiterating the importance of maintaining safe mobile habits despite app promises.

Both companies quickly settled the complaint with the FTC, and while they will now be required to establish comprehensive security programs and undergo security assessments every other year for the next 20 years, the information that was potentially exposed prior to discovery cannot be reclaimed. However, Fandango and Credit Karma were not the first, nor will they be the last company called out for neglecting to properly secure their mobile apps—and the data sent through them. Consumers are increasingly using mobile apps for sensitive transactions and shouldn’t assume that companies are taking their safety seriously. With great convenience comes great responsibility, and users must take the security of their mobile devices and personal information into their own hands.

Below are some simple safety tips to follow when using your mobile devices for sensitive transactions.

  • Avoid public Wi-Fi networks when performing financial transactions. Avoid purchasing items or downloading content while on unsecure networks. Cybercriminals often use public Wi-Fi to intercept unsuspecting victims’ transactions. McAfee® Mobile Security for Android also features Wi-Fi protection when using unprotected networks on the go.
  • Don’t store critical personal information on your device. You never know what could happen should your mobile device fall into the wrong hands. Keep your accounts safe by always signing out and keeping login data saved elsewhere. For instance, do not store banking information on your device.
  • Lock down your device with a PIN Code. Regardless of what information you store on your device, keep it passcode protected to keep the cyber snoops out.
  • Don’t share account information over text. Never share sensitive information over unsecured text channels such as email, text message or chat. Issues with a bank or other institution are better dealt with over the phone—at least to verify legitimacy first.
  • Go the extra mile when it comes to mobile security. A company’s promise that their app is secure is clearly not always enough. Enlist the help of a comprehensive security service like McAfee Mobile Security, free for both iOS and Android devices. In addition to back up and recovery for contacts on both versions, Android users are warned about apps that ask for more access than they really need.



FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More fromMobile Security

Back to top