Mobile Apps Operated by Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame Suffered from Well-Known Security Vulnerability.
New York, NY - December 17, 2018 - Attorney General Barbara D. Underwood today announced settlements with five companies – Western Union Financial Services, Inc. (“Western Union”), Priceline.com, LLC (“Priceline”), Equifax Consumer Services, LLC (“Equifax”), Spark Networks, Inc. (“Spark Networks”), and Credit Sesame, Inc. (“Credit Sesame”) – for having mobile apps that failed to keep sensitive user information secure when transmitted over the Internet. The companies’ mobile apps suffered from a well-known security vulnerability that could have allowed sensitive information entered by users – such as passwords, social security numbers, credit card numbers, and bank account numbers – to be intercepted by eavesdroppers employing simple and well-publicized techniques. Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability. Today’s settlements require each company to implement comprehensive security programs to protect user information.
“Businesses that make security promises to their users – especially as it relates to personal information – have a duty to keep those promises,” said Attorney General Underwood. “My office is committed to holding businesses accountable and ensure they protect users’ personal information from hackers.”
The settlements announced today are the result of an initiative undertaken by the Attorney General’s office to uncover critical security vulnerabilities before user information is stolen. As part of this initiative, the office tested dozens of mobile apps that handle sensitive user information, such as credit card and bank account numbers.
Establishing a Secure Connection Using TLS
Consumers in public places, such as coffee shops and airports, frequently use WiFi networks to connect their mobile phones and tablets to the Internet. In these settings, public WiFi provides an opportunity for eavesdroppers to intercept, and even modify, the data that mobile devices send and receive. To protect this data, mobile web browsers and apps use a security protocol known as Transport Layer Security (TLS) to establish a secure, encrypted connection over the Internet.
To establish a secure TLS connection between a mobile device and another computer, the mobile device must verify the computer’s identity. It does so using credentials the computer provides through a file known as an SSL/TLS certificate.
An app that fails to properly authenticate a certificate is vulnerable to a “man-in-the-middle attack.” This is a method of eavesdropping that allows someone positioned between the mobile device and computer (“in-the-middle”) to intercept and view any information that the mobile device and computer transmit to each other, even if that information has been encrypted. A man-in-the-middle attack can be performed using a WiFi-enabled laptop and freely available software and can be virtually undetectable by the user of the mobile device.
This vulnerability has been well-known in the industry for many years. For example, in 2014, several teams of security researchers independently announced that they had identified apps that suffered from the vulnerability. In addition, in March 2014, the Federal Trade Commission announced that the maker of two apps had agreed to settle charges relating to their apps’ failure to properly validate SSL certificates.
App developers can test their mobile apps for this vulnerability using freely available software.
The Companies’ Flawed Implementation of TLS
Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame offered free mobile apps for download through Apple’s “App Store” and Google’s “Play Store.” Users of these apps were required to enter information into the apps, such as log-in credentials (e.g. email address and password) to create or access a user account, and credit card numbers to make purchases.
Certain versions of the companies’ apps all failed to properly authenticate the SSL/TLS certificates they received. As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user. With this information, an attacker could commit various forms of identity theft and fraud, including credit card fraud. Pursuant to their settlement agreements, each company will implement comprehensive security programs to protect user information from future potential attacks.
This case was handled by Assistant Attorneys General Jordan Adler and Johanna Skrzypczyk and Deputy Director of Strategic Initiatives Vanessa Ip, under the supervision of Bureau Chief Kim A. Berger and Deputy Bureau Chief Clark P. Russell, all of the Bureau of Internet and Technology. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.