One of the first third-party mobile apps to launch on the iPhone was Fandango, a service that lets you buy movie tickets from your phone. Simple, useful, and novel. Naturally, it was popular, but it severely lacked security. The security flaw was not about privacy concerning who saw which movie, but about the financial information of everyone who made a transaction through the Fandango app. The details are complicated and technical, but the FTC and its team of experts clearly understood the security issues when they filed a complaint against Fandango on August 13, 2014.
The problem with the Fandango iOS app was that it didn't abide by the defaults of the iOS application development interfaces. To put it simply, Fandango didn't follow the rules for how its servers were to communicate with your iPhone. The Fandango servers were using a different security certificate (SSL) than iOS was expecting at the time. Instead of alerting the user that the connection was not secure, the app ignored the mismatched certificates and exchanged credit card information in plain text over the internet. Sending private information as plain text over the internet is terrible for many apparent reasons.
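To make the mismatch concrete, here is an added example, not code from the original post or from Fandango, written in Python with the standard library `ssl` module rather than the iOS APIs the post refers to. It shows the two client policies side by side: the default context that checks the certificate chain and the hostname, and a context with validation switched off, which accepts any certificate. It also implements the hostname-to-certificate check that the secure policy performs, so you can see why a certificate issued for a different name should stop a connection. The certificate dictionaries and the `example-tickets.test` hostnames are constructed for the example; they are not Fandango's.

```python
import ssl

# --- Two client policies -------------------------------------------------

def secure_client_context() -> ssl.SSLContext:
    """The platform default: verify the chain and check the hostname."""
    return ssl.create_default_context()

def insecure_client_context() -> ssl.SSLContext:
    """The misconfiguration the post describes: any certificate is accepted.
    check_hostname must be cleared before verify_mode can be CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of a context's validation policy (for display and tests)."""
    return {"check_hostname": ctx.check_hostname, "verify_mode": ctx.verify_mode.name}

# --- Hostname matching (what check_hostname does after the handshake) -----

def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: exact match, or a wildcard that is the whole
    leftmost label and covers exactly one label (so "*.com" never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    return (len(pattern_labels) >= 2
            and len(host_labels) == len(pattern_labels) + 1
            and host_labels[1:] == pattern_labels)

def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """cert is shaped like ssl.SSLSocket.getpeercert(): SAN entries first,
    commonName only as a legacy fallback when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return any(_name_matches(name, hostname) for name in names)

def connection_accepted(cert: dict, hostname: str, validate: bool) -> bool:
    """The decision a client makes once the peer presents a certificate."""
    if not validate:
        return True  # validation disabled: a mismatched certificate sails through
    return certificate_matches_host(cert, hostname)

# --- Constructed sample certificates (not real, not Fandango's) -----------

LEGIT_CERT = {
    "subject": ((("commonName", "api.example-tickets.test"),),),
    "subjectAltName": (("DNS", "api.example-tickets.test"),
                       ("DNS", "*.example-tickets.test")),
}
MISMATCHED_CERT = {
    "subject": ((("commonName", "someone-else.test"),),),
    "subjectAltName": (("DNS", "someone-else.test"),),
}

if __name__ == "__main__":
    host = "api.example-tickets.test"
    print("secure policy:  ", describe_context(secure_client_context()))
    print("insecure policy:", describe_context(insecure_client_context()))
    for label, cert in (("legit", LEGIT_CERT), ("mismatched", MISMATCHED_CERT)):
        print(f"{label:10s} cert, validating:     accepted={connection_accepted(cert, host, True)}")
        print(f"{label:10s} cert, not validating: accepted={connection_accepted(cert, host, False)}")
```

The point of the last two lines of output is the one the post makes: with validation off, the mismatched certificate is accepted exactly as readily as the genuine one, so anyone who can put a server between the phone and the real endpoint gets the same treatment as the real endpoint. On a real client the policy lives in `ssl.create_default_context()` (or the platform equivalent); the hand-written matcher here only makes visible what that default does.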
This violation of the interface defaults lasted from March 2009 until March 2013. There was not much evidence of consumer harm found in the case, but four years is a long time to put consumers at risk. It's quite probable that someone was injured by this, but it's hard to prove.
Despite the lack of demonstrated damage, the FTC still has the authority to stop potentially harmful security practices. Its job is not only to prosecute for damage but for the possibility of damage as well.
Fandango settled quickly and fixed the problem. But many people still think that the lack of security in this case was a "victimless crime." No one got hurt, so why should we care? But victimless or not, there was still a high chance that someone could be financially injured by Fandango's insecure communications practices, so the FTC took action.
My warning to cyber risk managers is that just because nobody gets harmed by bad security doesn't mean the FTC isn't going to come knocking at your door.