Millennials and baby boomers: Is a showdown coming?
Recall of the Week: General Motors adds nearly 1 million newer vehicles to its ignition switch recall

Fandango, Credit Karma settle federal charges they didn’t protect consumers’ personal information as promised

Two companies have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile applications and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps.

The FTC lawsuit also charged that Fandango and Credit Karma disabled a critical default process, called SSL certificate validation, which would have verified that the apps’ communications were secure.

As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports, and shopping centers.

Although more and more consumers are using mobile apps, research shows that many companies, such as Fandango and Credit Karma, have failed to properly use SSL encryption, said FTC Chairwoman Edith Ramirez.


The Fandango Movies app for iOS allows consumers to purchase movie tickets and view show times, trailers, and reviews.

The Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely, according to the FTC’s lawsuit. Despite this promise, for almost four years – from March 2009 to February 2013 – the company disabled SSL certificate validation and left consumers that used its app vulnerable to attacks.

Credit Karma

The Credit Karma Mobile app for iOS and Android allows consumers to monitor and evaluate their credit and financial status.

The FTC alleges that Credit Karma assured consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information. Despite these promises, the company disabled the SSL and left consumers vulnerable to attacks.


The settlements require Fandango and Credit Karma to establish programs to address security risks during application development and to undergo independent security assessments every other year for 20 years.

The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.

Copyright 2014, Rita R. Robison, Consumer Specialist


Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)