N.Y. A.G. settles with 5 companies that failed to secure user information
The settlements require each company to implement comprehensive security programs to protect user information.
New York Attorney General Barbara D. Underwood has settled with five companies — Western Union Financial Services Inc., Priceline.com LLC, Equifax Consumer Services LLC, Spark Networks Inc., and Credit Sesame Inc. — for having mobile apps that failed to keep sensitive user information secure when transmitted over the internet. The settlements require each company to implement comprehensive security programs to protect user information.
The companies’ mobile apps suffered from a well-known security vulnerability that could have allowed passwords, social security numbers, credit card numbers and bank account numbers to be intercepted.
“Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises,” Attorney General Underwood said in a press release. “My office is committed to holding businesses accountable and ensuring they protect users’ personal information from hackers.”
Flawed implementation
All five companies offered free mobile apps for download through Apple’s “App Store” and Google’s “Play Store.” Users of these apps were required to enter information into the apps, such as log-in credentials to create or access a user account, and credit card numbers to make purchases.
Certain versions of the companies’ apps failed to properly authenticate the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates they received. SSL/TLS is the protocol that establishes a secure, encrypted connection over the internet, and the certificate is what proves the app is talking to the genuine server. Because the apps did not check it, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user. With this information, an attacker could commit various forms of identity theft and fraud, including credit card fraud.
An app that fails to properly authenticate an SSL/TLS certificate is vulnerable to a “man-in-the-middle attack.” This is a method of eavesdropping in which someone positioned on the network between the mobile device and the company’s server intercepts and views any information the two transmit to each other, even though that information is encrypted: the attacker presents its own certificate, the app accepts it without checking, and the “secure” connection is in fact terminated at the attacker.
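The defect described above comes down to client-side TLS configuration. The following is an added example (not code from the settlement, the Attorney General's office, or any of the five companies) that uses Python's standard `ssl` module to show the weak configuration the article describes beside the correct one, plus a small audit function a reviewer can run over an `SSLContext` to flag either mistake. The function names are this example's own.

```python
import ssl


def vulnerable_client_context() -> ssl.SSLContext:
    """The flawed pattern: the app negotiates TLS but never authenticates the
    certificate it receives, so any server (or interceptor) is accepted.
    Note: check_hostname must be cleared before verify_mode is set to
    CERT_NONE, otherwise Python refuses the combination."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # certificate not matched to the server name
    ctx.verify_mode = ssl.CERT_NONE     # certificate chain never validated
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The correct pattern: the default client context requires a certificate
    chained to a trusted CA (CERT_REQUIRED) and matched to the host name."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons (if any) why ctx would accept an impersonated server.
    An empty list means the context authenticates the server certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate chain is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched to the server name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("vulnerable", vulnerable_client_context()),
                      ("hardened", hardened_client_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

In a real code review the thing to grep for is exactly these two settings (or their equivalents in other stacks, such as a trust manager whose certificate check is empty, or a hostname verifier that always returns true), because a connection built from the vulnerable context still shows a padlock-style "encrypted" state while offering no protection against the interception the article describes.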