Stop Phoning It in on Mobile Security: What Your Business Needs to Know About the FTC’s Settlements with Fandango and Credit Karma

by Mintz Levin - Privacy & Security Matters

If you’re like most Americans, you probably think that the worst thing that Fandango, the online movie ticket service, has ever done to you is make you watch those commercials with the creepy talking paper bags before your movie. The Federal Trade Commission (FTC), however, begs to differ.

According to an FTC press release, Fandango, LLC and Credit Karma, Inc., a credit information company, have agreed to settle charges brought by the FTC alleging that the companies misrepresented the security provided to users of their respective mobile applications and failed to secure the transmissions of millions of users who provided personal information through the applications. The central allegation in both complaints is that Fandango and Credit Karma failed to properly implement and utilize SSL protocols to validate exchanges of information.

How SSL Protocols Protect Users of Online Services

SSL, which stands for “Secure Sockets Layer,” is a protocol used in online transactions to establish authentic, encrypted connections between two parties. To do this, SSL requires electronic validations (referred to as “SSL certificates”) to verify the identity of the parties. If the certificates cannot be verified, SSL refuses to make the connection. On your mobile phone, the way this works is that an online service provider (such as a mobile application) presents its certificate to the application on your device. If the verification checks out, then a secure connection is established and information can be exchanged. The SSL protocol is important because without it transmissions made on public Wi-Fi networks are susceptible to what are referred to as “man-in-the-middle attacks,” where an attacker positions himself between the user and the online service by presenting an invalid certificate so that he can monitor and intercept the unencrypted exchange of potentially personal information between the two parties. To prevent this type of attack from occurring, operating systems provide mobile application developers with application program interfaces (APIs) that, by default, refuse to establish an SSL connection if a certificate is invalid. Developer documentation for both iOS and Android platforms also provides warnings against disabling or circumventing this feature.

Allegations Against Credit Karma

In its complaint against Credit Karma, the FTC alleges that in separate incidents Credit Karma’s mobile applications for iOS and Android were launched to consumers with code that disabled SSL validation and overrode the defaults provided by the platform APIs. In one case, the code had been implemented with Credit Karma’s authorization by a third-party developer during the application’s testing phase, but remained in the application following release to the general public. According to the FTC, these two errors were not detected and addressed until after Credit Karma was contacted by a user and the FTC and made aware of the vulnerability. During an internal security review conducted thereafter, Credit Karma discovered that its iOS application was storing authentication tokens and passcodes on the device in an insecure manner. The FTC alleges that Credit Karma (a) overrode the default SSL certificate validation settings without implementing other security measures to compensate, (b) failed to appropriately test, audit, assess, or review its application, and (c) failed to appropriately oversee its service providers’ security practices.

Allegations Against Fandango

As of August 2013, approximately 20% of tickets purchased from Fandango have been from its mobile application. As in the complaint against Credit Karma, the claims alleged by the FTC against Fandango are focused on failures relating to both implementation and testing. In Fandango’s case, its Fandango Movies application failed to validate SSL certificates for 4 years following the launch of the application in March 2009. According to the FTC, Fandango commissioned security audits starting in 2011, but those audits were limited in scope and did not include a review of the security of the application’s transmission of information. Moreover, Fandango did not implement an effective channel for security complaints, and instead relied on its general customer service system to handle security vulnerability reports. In one case, the automated system failed to identify a security researcher’s warning message about the security gap and assumed the individual needed help resetting his password. The FTC alleges that Fandango (a) overrode the default SSL certificate validation settings without implementing other security measures to compensate, (b) failed to appropriately test, audit, assess, or review its application, and (c) failed to maintain an adequate process for receiving and addressing security vulnerability comments from users.

Key Takeaways for Your Business

Subscribers to our Privacy & Security Matters blog are likely not surprised to see that these actions have been brought against mobile applications. As we noted back in December, an increase in enforcement actions against mobile application providers was so heavily telegraphed by the FTC and State Attorneys General in 2013 that these types of settlements were certain to follow this year. That having been said, the allegations and proposed settlement agreements highlight key lessons for online service providers and, in particular, mobile application developers going forward:

  • Understand the level of security you provide. A key aspect of the FTC’s complaints is the way in which the FTC has moved the ball forward on defining the components of “reasonable” security in the mobile sphere. The FTC describes the SSL protocol as a standard security measure that is provided to application developers by iOS and Android operating systems to be applied by default. If that security measure is not implemented, then the FTC expects that compensating measures will be put in place to provide an equivalent level of protection as part of a broader comprehensive security plan.
  • Ensure proper testing and audits on an ongoing basis. The allegations made against Fandango and Credit Karma are as much about the failure to properly test for vulnerabilities as they are about the decision to circumvent SSL in the first place. The FTC is taking the clear position that simply not knowing about security vulnerabilities is no defense for not correcting them. Audit and security procedures need to be comprehensive and effective for analyzing risks and weaknesses at all stages of the life cycle of user information, from collection to storage and disposal, and should be applied consistently on an ongoing basis. Security audit procedures should also be reviewed and updated periodically to address technological developments and new potential threats. As shown by the Credit Karma complaint, particular care should be taken to thoroughly review and assess programs and mobile applications as they move out of the testing phase.
  • Have a process specifically devoted to receiving and escalating security feedback. Many breach incidents and security failures over the past year have been discovered by independent security researchers who have contacted organizations to inform them about the security gaps. Having a quick and effective way to receive this type of feedback can help your business get out ahead of surprises. More importantly, your users should have a fast and effective way to communicate incidents related to their accounts or information they have provided you.
  • Know what your vendors and service providers are doing. Monitoring and auditing third-party service providers can be a more difficult process for mobile applications than it is for standard Web-based services. Regardless, in the Credit Karma complaint the FTC has made it clear that online service providers are ultimately responsible for knowing and understanding what kind of security processes third-party contractors are using and enforcing appropriate standards.
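
As an added example (not code from the FTC complaints or from either company), here is a pre-release check in the spirit of the testing takeaway above: it scans application source for constructs that override the platform's default certificate validation, the kind of test-phase code the Credit Karma complaint describes surviving into release. The rule patterns, file names and sample sources are assumptions constructed for illustration.

```python
import re

# Assumed patterns (not from the FTC complaints): common ways Android (Java)
# and iOS (Objective-C) code overrides default certificate validation.
RULES = [
    ("android-empty-trust-manager", re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    ("android-hostname-check-disabled", re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"
        r"|boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("ios-validation-disabled", re.compile(
        r"setValidatesSecureCertificate:\s*NO|allowInvalidCertificates\s*=\s*YES"
        r"|allowsAnyHTTPSCertificateForHost")),
]

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay correct."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"(?<!:)//[^\n]*", "", src)  # (?<!:) spares https:// in strings

def scan(files):
    """Return sorted (path, line, rule) for each validation override found."""
    findings = []
    for path, src in files.items():
        code = strip_comments(src)
        for rule, pattern in RULES:
            for m in pattern.finditer(code):
                findings.append((path, code.count("\n", 0, m.start()) + 1, rule))
    return sorted(findings)

def release_gate(files):
    """True only when the release candidate contains no override."""
    return not scan(files)

# Constructed sample sources for a hypothetical release candidate.
SAMPLE = {
    "app/src/Http.java": 'java.net.URL u = new java.net.URL("https://api.example.test/v1");\n'
                         "javax.net.ssl.HttpsURLConnection c = (javax.net.ssl.HttpsURLConnection) u.openConnection();\n",
    "app/src/TestHttp.java": """
class TrustAll implements javax.net.ssl.X509TrustManager {
    public void checkClientTrusted(java.security.cert.X509Certificate[] c, String a) {}
    public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) {
        // TODO remove before release
    }
    public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
}
""",
    "ios/Api.m": "ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:url];\n"
                 "[request setValidatesSecureCertificate:NO];\n",
}

if __name__ == "__main__":
    for path, line, rule in scan(SAMPLE):
        print(f"{path}:{line}: {rule}")
```

A pattern scan like this is a first-pass gate only; it complements, and does not replace, testing the released build against a server presenting an invalid certificate.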

The proposed settlement agreements with Fandango and Credit Karma are available on the FTC’s website and are open for public comment through April 28, 2014.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin - Privacy & Security Matters | Attorney Advertising
