WHAT DO I HAVE TO BE CONCERNED ABOUT?
Companies Misleading Customers on Safety
If you’ve been following our blog, you’ll know that we’ve talked a lot this year about upcoming mobile trends and payment security, including an infographic on both topics. These topics came full circle again last week, when Fandango and Credit Karma settled out of court with the FTC over allegations that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information. This oversight opened up both companies’ apps to ‘man-in-the-middle’ attacks, in which an attacker positioned between the app and the server can read or alter any of the information the apps sent or received.
Evolving Payment Industry
With the near-complete saturation of smartphones in the mobile market, and the adoption of mobile payment options by major businesses, mobile payments are set to take off this year, ushering in the era of a cashless future. Mobile payments are easier, safer, and more convenient for the customer, so it’s no wonder that they’ve experienced such a quick adoption rate. In order for customers to fully adopt mobile payment technology, they need to be assured of its safety, and those who violate that promise should be held publicly accountable.
Customers need to trust that when a business says their apps, websites, and text services are secure, they really are. This is why organizations such as the FTC, NACHA, and PCI exist: to ensure customer security. Although they can occasionally have their failings, a system of checks and balances is already in place to ensure the security of the consumer’s data.
What is SSL Certificate Validation?
The main point of the settlement was that both Credit Karma and Fandango failed to take reasonable steps to ensure payment security. The complaints charge that both companies disabled a critical default process known as SSL certificate validation, which would have verified that the apps’ communications were secure.
To help secure sensitive transactions, mobile operating systems, including iOS and Android, provide app developers with tools to implement an industry standard known as Secure Sockets Layer, or SSL. If properly implemented, SSL secures an app’s communications and ensures that an attacker cannot intercept the sensitive personal information a consumer submits through an app.
PCI compliance and SSL certificate validation are the two most important security measures for consumers to look for before making a mobile payment or transmitting their information.
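The flaw described above, disabling certificate validation, is easy to see in code. The following is an added example written for this post; it is not code from Fandango, Credit Karma, or E-Complish. It uses the standard Java `HttpsURLConnection` API available to Android apps, and what the FTC complaint calls SSL is, in today’s terms, SSL/TLS. The first method shows the dangerous pattern (a trust manager that never rejects a chain and a hostname verifier that accepts every name); the second simply keeps the platform defaults; the third goes further and trusts only a CA certificate bundled with the app, read from a hypothetical `caPem` stream supplied by the caller.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertValidationExample {

    // VULNERABLE: the pattern behind the FTC complaints. checkServerTrusted never
    // throws and verify() always returns true, so any certificate presented by a
    // man-in-the-middle is accepted silently and the "padlock" means nothing.
    static HttpsURLConnection openInsecure(String url) throws Exception {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {} // never rejects
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; } // accepts any name
        });
        return conn;
    }

    // SAFE (default): do not override anything. HttpsURLConnection validates the
    // chain against the device trust store and checks the hostname on its own.
    static HttpsURLConnection openWithPlatformDefaults(String url) throws Exception {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // SAFE (stricter): trust only the CA certificate bundled with the app.
    // The default hostname verifier is kept, so a certificate from that CA
    // issued for a different name is still rejected.
    // caPem is a hypothetical app resource holding the CA certificate in PEM form.
    static HttpsURLConnection openPinnedToBundledCa(String url, InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caPem);

        // Build an in-memory trust store containing only the bundled CA.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("bundled-ca", ca);

        // Let the platform's real validator do the chain checking against that store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

For anyone reviewing an app, the tell-tale signs are a `checkServerTrusted` body that cannot throw and a `HostnameVerifier.verify` that returns `true` unconditionally; neither belongs in a release build. On current Android versions the bundled-CA approach is better expressed declaratively in the app’s Network Security Config rather than in code, which keeps the trust policy in one auditable place.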
The results of the settlement are clear and in favor of the consumer:
“The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.”
Why Consumers Should be Concerned
While both of these companies were ultimately held accountable for their actions, the settlement doesn’t address how long consumers’ personal information and credit card numbers were exposed before the flaw was discovered and corrected. While companies should always operate in the best interests of the consumer, that doesn’t always happen, and often the last line of defense is left to the customer.
You can ensure your payment information is secure in the following ways:
1) Check a company’s website and mobile app for SSL certificate verification and other compliance logos. We display our certifications at the bottom of every web page.
2) Look for a press release on the company’s website or blog that announces that they have recently passed their PCI compliance. E-Complish regularly releases press after passing certifications and compliances.
3) Look for payment forums where customers have voiced security complaints for the company.
4) Only use apps and websites you trust, avoiding third-party vendors.
5) If you experience any problems, complain to The Better Business Bureau and in online forums.
For more information about the FTC, click here.
To read the settlement, click here.
For a list of E-Complish’s mobile solutions, click here.