Five companies settle charges that they had mobile apps that didn’t keep sensitive user information secure
December 18, 2018
Five companies settled charges Friday that their mobile apps failed to keep sensitive user information secure when transmitted over the Internet.
Tests by the New York Attorney General’s Office showed that the mobile apps of Western Union Financial Services, Priceline.com, Equifax Consumer Services, Spark Networks, and Credit Sesame had a security flaw that could have let eavesdroppers using simple techniques steal sensitive information entered by users, such as passwords, Social Security numbers, credit card numbers, and bank account numbers. Although each company told consumers that it used security measures to protect their information, none of the companies had checked whether its mobile app had this flaw.
The settlements with the New York agency require the companies to carry out comprehensive security programs to protect user information.
“Businesses that make security promises to their users – especially as it relates to personal information – have a duty to keep those promises,” said New York Attorney General Barbara Underwood.
The settlements are the result of an effort by the Attorney General’s Office to uncover security problems before user information is stolen. The office tested dozens of mobile apps that handle sensitive user information, such as credit card and bank account numbers.
Establishing a secure connection using TLS
Consumers in public places often use WiFi networks to connect their mobile phones to the internet. Public WiFi gives eavesdroppers an opportunity to steal the data that mobile devices send and receive. To protect this data, mobile apps use a security protocol known as Transport Layer Security (TLS) to establish a secure, encrypted connection over the internet.
To establish a secure TLS connection, the mobile device must verify the identity of the server it is talking to. It does this using credentials the server presents in a file known as an SSL/TLS certificate.
An app that doesn’t validate the certificate it receives is open to a “man-in-the-middle attack”: someone positioned between the mobile device and the server can read everything the two send each other, even though the traffic is encrypted, because the attacker rather than the genuine server holds the other end of the encrypted connection. A man-in-the-middle attack can be carried out with a WiFi-enabled laptop and free software, without the user of the mobile device noticing.
This problem has been well-known in the industry for years, said Underwood. In 2014, several teams of security researchers announced that they’d identified apps that had the problem. In addition, in March 2014, the Federal Trade Commission announced that the makers of two apps had agreed to settle charges because their apps failed to properly validate SSL certificates.
App developers can test their mobile apps for this problem using free software, she said.
The companies’ flawed use of TLS
Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame offered free mobile apps for download through Apple’s App Store and Google’s Play Store. App users were required to enter information – such as log-in information, email address, and password – to create or access a user account or to enter credit card numbers to make purchases.
Some versions of the companies’ apps didn’t properly validate the SSL/TLS certificates they received. As a result, an attacker could have impersonated the companies’ servers and obtained the information users entered into the app. With this information, an attacker could commit identity theft and fraud, including credit card fraud.
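As an added illustration of the flaw described above (example code written for this page, not code from any of the companies’ apps or from the Attorney General’s Office), the Go program below reproduces the test on a single machine: a local TLS server with a self-signed certificate stands in for an impostor, a client with certificate validation switched off accepts it, and a client that validates against an explicit trust pool rejects it. The server, the trust pools and the function names are all constructed here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// StartFakeServer stands in for an eavesdropper's interception proxy: a local TLS
// server whose self-signed certificate (generated by httptest) chains to no trusted root.
func StartFakeServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "captured") // an impostor would log whatever the app submitted
	}))
}

// NewClient builds an HTTPS client. skipVerify=true reproduces the apps' flaw (any
// certificate accepted); roots limits trust to that pool (nil = system trust store).
func NewClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: skipVerify, // the "before" setting; never ship true
		RootCAs:            roots,
	}}}
}

// Probe sends one request and reports whether the server was accepted.
func Probe(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err == nil, err
}

// IsUnknownAuthority is true when the failure is a certificate-trust failure, which
// is what a correctly validating app reports when it meets an impostor.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := StartFakeServer()
	defer srv.Close()
	ok, _ := Probe(NewClient(true, nil), srv.URL)
	_, err := Probe(NewClient(false, x509.NewCertPool()), srv.URL)
	fmt.Println("validation off accepts impostor:", ok, "| validation on rejects it:", IsUnknownAuthority(err))
}
```

A client that validates does not block the genuine server: adding the server’s own certificate to the pool passed as roots makes the same Probe succeed, which is the configuration a correctly built app ends up in against its real backend.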