Equifax, others must secure apps as part of New York settlement
The New York attorney general’s office said five apps made by well-known companies could have leaked user data. The firms – Western Union, Priceline, Equifax, Spark Networks and Credit Sesame – have agreed to revamp the security of their apps as part of a settlement announced Friday.
The state office said the companies failed to use the proper protocols to secure user information that is transmitted over the internet, despite assuring users about the security of the apps in question.
“Businesses that make security promises to their users – especially as it relates to personal information – have a duty to keep those promises,” said Barbara Underwood, the New York attorney general, in a statement.
The AG’s office said that the apps at issue had a “well-known security vulnerability” that could enable man-in-the-middle attacks, whereby a hacker can intercept data when it’s sent via a wireless connection. The office explained that apps that fail to properly implement the Transport Layer Security (TLS) protocol to protect data in transit are particularly susceptible to such an attack. This settlement is only the latest in which state attorneys general or the Federal Trade Commission have faulted organizations for exaggerating their security practices.
“Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability,” the office said. “Certain versions of the companies’ apps all failed to properly authenticate the SSL/TLS certificates they received. As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user.”
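As an added illustration (not code from the article or from any of the named companies' apps), here is the defect the office describes in a TLS client, shown beside its corrected form, with a small review helper; the function names are assumptions:

```python
import ssl

# Added example, not taken from the article or the settling companies' apps.
# It shows the client-side defect described in the settlement: accepting a
# server certificate without authenticating it, so anyone on the network path
# can impersonate the real server. audit_tls_context is a hypothetical helper
# for reviewing how an app configures its TLS client.


def insecure_client_context() -> ssl.SSLContext:
    """The failing pattern: certificate and hostname checks switched off.

    Any certificate, including a self-signed one presented by a hostile
    Wi-Fi hotspot, is accepted as the genuine server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # the "vulnerability" itself
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected pattern: chain validated against trusted roots, hostname
    matched against the certificate, legacy protocol versions refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise for a client context.

    An empty list means the context authenticates the server properly.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_tls_context(insecure_client_context()))
    print("hardened:", audit_tls_context(hardened_client_context()))
```

The same audit can be pointed at the context an app actually hands to its HTTP library, which is the check the office says the companies failed to perform.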
The companies implicated in the settlement are a diverse set that handle data that includes basic contact information, login credentials, banking or payment information and Social Security numbers. Such information could be used for fraud.
The settlement requires the companies to “implement comprehensive security programs to protect user information.” It was not immediately clear what those programs must entail. The office of the attorney general did not respond to a request for comment.
The settlement is part of a broader effort to find security flaws in consumer products before they are exploited.
“As part of this initiative, the office tested dozens of mobile apps that handle sensitive user information, such as credit card and bank account numbers,” the office said.