On December 14, 2018, New York Attorney General Barbara D. Underwood announced settlements with Western Union Financial Services, Inc., Priceline.com, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc., “for having mobile apps that failed to keep sensitive user information secure when transmitted over the Internet.”
No fraud had occurred through those apps, but they all suffered from a well-known security vulnerability that could have allowed third parties to access sensitive information entered by users, such as passwords, social security numbers, credit card numbers, and bank account numbers.
To establish a secure, encrypted connection over the Internet, apps and computers use a security protocol known as Transport Layer Security (TLS).
The Attorney General found that certain versions of the companies’ apps failed to properly authenticate the SSL/TLS certificates they received. As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user in order to commit fraud.
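The certificate-authentication failure described above, shown as an added example that is not taken from the settlements or from the companies' apps. Python's standard `ssl` module stands in for a mobile TLS stack, and the function names are hypothetical; the audit flags a client configuration that skips chain validation, hostname checking, or both.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """Client context that accepts any certificate from any server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """Validates the chain but not the name: a partial check that still
    accepts a valid certificate issued for a different host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # verify_mode stays CERT_REQUIRED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Library defaults: CERT_REQUIRED plus hostname checking."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the certificate-authentication gaps in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, build in [("insecure", insecure_context),
                        ("chain only", chain_only_context),
                        ("hardened", hardened_context)]:
        gaps = audit_context(build())
        print(f"{name}: {'; '.join(gaps) if gaps else 'ok'}")
```

A client is authenticated against impersonation only when both findings are absent; the chain-only case passes a casual test against the real server yet still trusts a certificate that belongs to someone else.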
The Attorney General’s initiative aims to uncover critical security vulnerabilities before user information is stolen. As a result, it forces the companies to implement comprehensive security programs to protect app users’ information.
New York Attorney General Barbara D. Underwood’s press release is available at https://ag.ny.gov…