Mobile Apps are Often Wide Open Security Traps
NEW YORK (MainStreet) It's just so easy to use apps for practically everything: to buy movie and concert tickets, check your credit profile and monitor financial transactions, and we do so with complete confidence that our transactions are secure. However, that's often not the case. While an app may claim a transaction is confidential, it may be anything but.
Two companies have agreed to settle charges levied by the Federal Trade Commission (FTC) that they misrepresented the security of their mobile apps -- failing to secure the transmission of millions of consumers' sensitive personal information.
Fandango, the movie ticket service, and Credit Karma, a credit monitoring app, both promised secure transactions, but instead "failed to take reasonable steps to secure their mobile apps," according to the FTC. Among other things, the consumer watchdog says the two companies disabled SSL certificate validation, a critical security check that left consumers vulnerable to "man-in-the-middle" attacks, in which an attacker on the network path can intercept the data the app transmits.
These attacks are especially possible on public Wi-Fi networks such as those found at coffee shops, airports and shopping centers.
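What "disabled SSL certificate validation" means in practice is easy to demonstrate. The following Go program is an added illustration and is not code from Fandango, Credit Karma or the FTC; it assumes nothing about those apps beyond the behaviour the FTC describes. It starts a local HTTPS server whose certificate is self-signed and untrusted, standing in for an interceptor on a public Wi-Fi network, then connects to it three ways: with validation switched off (the pattern the FTC faulted, which happily accepts the impostor), with Go's default validation (which rejects it), and with the one legitimate alternative when a server uses a private certificate authority, namely trusting that specific CA explicitly rather than trusting everything.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newUntrustedServer starts a local HTTPS server with httptest's self-signed
// certificate, which no system root trusts. It plays the role of a
// man-in-the-middle presenting its own certificate for the app's API host.
// (Constructed test fixture, not a real service.)
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "intercepted")
	}))
}

// fetch performs one GET using the given TLS configuration and returns the
// response body, or the error that stopped the connection.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer client.CloseIdleConnections()
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// IsCertError reports whether err is a certificate validation failure
// (unknown issuer or hostname mismatch) rather than some other network error.
func IsCertError(err error) bool {
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	return errors.As(err, &unknown) || errors.As(err, &hostname)
}

// Run exercises the three client configurations against the untrusted server
// and reports: did the insecure client accept the impostor, did the default
// client reject it, and did the explicitly pinned client accept the real cert.
func Run() (insecureAccepted, defaultRejected, pinnedAccepted bool) {
	srv := newUntrustedServer()
	defer srv.Close()

	// Vulnerable: validation disabled. Any certificate, including an
	// attacker's, is accepted and the "secure" channel is read by the impostor.
	body, err := fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	insecureAccepted = err == nil && body == "intercepted"

	// Hardened: default validation against the trusted root store.
	_, err = fetch(srv.URL, &tls.Config{})
	defaultRejected = IsCertError(err)

	// Correct fix for a private CA: trust exactly that CA, nothing more.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	body, err = fetch(srv.URL, &tls.Config{RootCAs: pool})
	pinnedAccepted = err == nil && body == "intercepted"

	return insecureAccepted, defaultRejected, pinnedAccepted
}

func main() {
	insecure, rejected, pinned := Run()
	fmt.Printf("validation disabled accepted impostor: %v\n", insecure)
	fmt.Printf("default validation rejected impostor:  %v\n", rejected)
	fmt.Printf("explicit CA pin accepted real server:   %v\n", pinned)
}
```

The third configuration is the point developers tend to miss: when a test or staging server has a certificate the system does not trust, the fix is to add that certificate's issuer to the trusted set, not to switch validation off, because the switch ships to every customer's phone and stays on.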
"Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption," said FTC Chairwoman Edith Ramirez. "Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps."
With faulty security protocols, ticket purchases through Fandango exposed credit card details as well as consumers' email addresses and passwords. The breach continued for nearly four years from March 2009 until February 2013, according to the FTC.
Credit Karma's apps allowed access to customers' Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, as well as credit scores and other credit report details including account names and balances.
Both companies assured consumers that private information was stored and transmitted securely, but the FTC says many apps don't encrypt information properly.
"If you plan to use a mobile app to conduct sensitive transactions like filing your taxes, shopping with a credit card, or accessing your bank account, use a secure network," says Nicole Vincent Fleming, a consumer education specialist with the FTC, in a blog post. "That way, even if the app doesn't encrypt the information, the network does."
Fleming says that most public Wi-Fi networks aren't secure. "If a hotspot doesn't require a WPA or WPA2 password, it's probably not secure," she says. "You might want to change the settings on your mobile device so that it doesn't connect automatically to nearby Wi-Fi. Finally, if you haven't already, take steps to secure your home wireless network."