FOR RELEASE:
March 28, 2014
Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information
The FTC alleged that, despite their security promises, Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk. Among other things, the complaints charge that Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.
As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received.