Firms Settle With NY Over App Security Flaw

New York's attorney general says the companies' apps had a flaw that could have exposed sensitive user data to hackers.
Matthew Heller, December 17, 2018
New York’s attorney general reached settlements with five companies whose mobile apps had a security vulnerability that could have exposed sensitive user information to hackers.

The companies — Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame — all have apps that handle users’ personal information such as credit card and bank account numbers.

According to New York Attorney General Barbara Underwood, tests performed by her office showed the apps “suffered from a well-known security vulnerability” that could have allowed such information “to be intercepted by eavesdroppers employing simple and well-publicized techniques.”

The settlements require the companies to implement comprehensive security programs to protect user information.

“Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises,” Underwood said in a news release.

The vulnerability identified by the attorney general involved a security protocol known as Transport Layer Security (TLS), which is used to protect data that mobile devices send and receive over public WiFi networks.

If a mobile device communicating with another computer does not authenticate that computer’s SSL/TLS certificate, it can be vulnerable to a “man-in-the-middle” attack by someone positioned between the mobile device and the computer, even though the data is encrypted.

“Certain versions of the [five] companies’ apps all failed to properly authenticate the SSL/TLS certificates they received,” the attorney general said. “As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user. With this information, an attacker could commit various forms of identity theft and fraud, including credit card fraud.”
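As an added illustration, and not code from the article or from any of the companies named: a Python TLS client configuration that accepts any certificate (the class of flaw described above) beside one that authenticates the server, plus a small audit function a team could run in its test suite to catch the regression. It uses only the standard library; the function names are my own.

```python
"""Added example: the 'accept any certificate' misconfiguration next to a
hardened client context, with an audit helper that flags contexts which do
not authenticate the server. Standard library only."""
import ssl
from typing import List


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: traffic is encrypted, but the client never checks who
    it is talking to, so an attacker on the path can impersonate the server.
    Constructed for illustration only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate is never matched to the hostname
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is never validated
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Authenticates the server: validates the chain against the system trust
    store and requires the certificate to match the hostname being contacted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the peer is authenticated.
    Suitable as a unit-test guard so a 'temporary' verification bypass cannot
    ship to production unnoticed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS versions older than 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or ["OK: server certificate is authenticated"])
```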

The AG’s office tested dozens of apps and websites as part of a proactive initiative to uncover critical security vulnerabilities before user information is stolen. No monetary penalties were associated with the settlements.