[BreachExchange] Equifax, Western Union, Priceline settle with New York attorney general over insecure mobile apps

Destry Winant destry at riskbasedsecurity.com
Tue Dec 18 09:31:11 EST 2018


https://techcrunch.com/2018/12/17/equifax-western-union-priceline-settle-insecure-apps/

New York’s attorney general has settled with five tech and financial
giants, requiring each company to implement basic security on their
mobile apps.

The settlements force Credit Sesame, Equifax (yes, that Equifax),
Priceline, Spark Networks and Western Union to ensure that data sent
between the app and their servers is encrypted. Specifically, the
attorney general said their apps “could have allowed sensitive
information entered by users — such as passwords, social security
numbers, credit card numbers, and bank account numbers — to be
intercepted by eavesdroppers employing simple and well-publicized
techniques.”

In other words, their mobile apps “all failed” to properly roll out
and implement HTTPS, one of the most basic security measures for any
modern app.

HTTPS, backed by SSL/TLS certificates, encrypts data between a device,
like your phone or computer, and a website or app server, ensuring any
sensitive data, like credit card numbers or passwords, can’t be
intercepted as it travels over the internet — whether by someone on
the same coffee shop Wi-Fi network or by your nearest federal
intelligence agency.

These certificates are more common than ever, not least because when
they’re not incredibly cheap, they’re completely free — and most
modern browsers these days will bluntly tell you when a website is
“not secure.” Apps are no different, but without a green padlock in
your browser window, there is often no way to tell, on the face of it,
whether your data is traversing the internet securely.
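Since an app shows the user no padlock, the check has to happen on the developer's side. As an added example (not from the article, and not code from any of the companies named), the Python audit below reads an Android network_security_config.xml, the platform file that decides whether an app may send cleartext HTTP and which certificate authorities it trusts; both configs are constructed samples, and the assumption is an Android app that ships such a file.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a weak config: cleartext allowed everywhere and
# user-installed CAs trusted in release builds (hypothetical, not any real app).
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Corrected form: HTTPS only, system CAs only; user CAs tolerated just in
# debuggable builds, which <debug-overrides> restricts automatically.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_network_security_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only release-time sections are audited; <debug-overrides> is skipped.
    for section in ("base-config", "domain-config"):
        for cfg in root.iter(section):
            domains = [d.text for d in cfg.findall("domain")]
            where = ", ".join(domains) if domains else "all hosts"
            cleartext = cfg.get("cleartextTrafficPermitted")
            if cleartext is None:
                # Default depends on targetSdk (permitted below API 28), so
                # an explicit "false" is what an auditor wants to see.
                findings.append(f"cleartextTrafficPermitted not set for {where}")
            elif cleartext.lower() == "true":
                findings.append(f"cleartext HTTP permitted for {where}")
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"user-installed CAs trusted for {where}")
    return findings
```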

At least, with financial, banking and dating apps — you’d just assume,
right? Bzzt, wrong.

“Although each company represented to users that it used reasonable
security measures to protect their information, the companies failed
to sufficiently test whether their mobile apps had this
vulnerability,” the office of attorney general Barbara Underwood said
in a statement. “Today’s settlements require each company to implement
comprehensive security programs to protect user information.”

The apps were picked out after an extensive batch of app testing in an
effort to find security issues before incidents happen. Underwood’s
office follows in the footsteps of federal enforcement in recent years
by the Federal Trade Commission, which brought action against several
app makers — including Credit Karma and Fandango — for failing to
properly implement HTTPS certificates.

In taking action, the attorney general gets to keep closer tabs on the
companies going forward to make sure they’re not flouting their data
security responsibilities.

