Welcome back to the CRO blog. Last week we continued our three-part discussion of Federal Trade Commission lawsuits and complaints. This week we’re diving into the third and final FTC case we’ve chosen to highlight, a complaint filed against Fandango back in 2014.
So, do you like watching movies? Well if you do, chances are you’ve utilized Fandango.com to purchase movie theater tickets.
Fandango’s Big Mistake:
On August 13, 2014, the FTC filed a complaint against Fandango, LLC. If you recall, in 2009 Apple had just released the iPhone 3GS. That was around the time when Apple released the App Store to everybody. When the iPhone first came out there was no App Store. Instead, you got what Apple gave you.
Well, Fandango was one of the first to offer a mobile app for buying your movie tickets. Unfortunately, what Fandango failed to do was abide by the defaults of Apple's application programming interfaces (APIs). From a lay person's viewpoint, the Fandango app used a process that was insecure, and it was known to be insecure.
To dig a little deeper, SSL stands for Secure Sockets Layer. It's a protocol used to establish authenticated, encrypted connections across the internet. To make that work, you need electronic documents called SSL certificates. Basically, you can think of this as an online handshake.
In this case, the app on your iPhone wants to talk to the Fandango server. Because that goes over the internet, the goal is to make sure that conversation can’t be monitored by anybody else.
Why Should You Care?
The reason that we really care is that in order to go see that movie you have to buy a ticket. In order to buy the ticket, you're going to have to transmit your credit card data. As a consumer, you don't want your credit card information to be compromised, because that's going to cause you a lot of inconvenience.
Let us break it down: your iPhone says, "Here's my SSL certificate." The Fandango server says, "Okay, here's my SSL certificate." The two authenticate to each other using cryptography. What Fandango did was use an SSL certificate that wasn't the default for iOS. Unsurprisingly, it didn't work. Rather than throw up an error message, Fandango just sent the credit card data over the internet anyway.
This was allowed to go on from March 2009 until March 2013. That's four years in which the Fandango Movies application for iOS failed to validate SSL certificates.
What Did the FTC Do About It?
When the FTC finally dug in, they cited Fandango for three different failures. One, overriding the default SSL certificate validation without implementing other security measures to compensate for the lack of it. Two, failing to appropriately test, audit, assess, or review its application, including failing to ensure that the transmission of this data was secure. And finally, failing to maintain any kind of process for receiving or addressing security reports from third parties. Fandango really dropped the ball on this one.
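To make the failure concrete, here is an added example (not code from the original post, and not Fandango's own code) that puts the three client postures described above side by side: a client that has switched certificate validation off, the platform default that validates the chain and the hostname, and a client that deviates from the defaults but compensates by trusting exactly one known certificate. It is written in Go rather than the iOS SDK so that it runs stand-alone; the server, its self-signed certificate and the hostname "fandango.example" are all constructed for the demonstration and stand in for whatever a hostile network would present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for the constructed hostname. Nothing
// trusts it, the same situation a client faces when a hostile network presents its own.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// startServer accepts TLS connections on loopback and completes each handshake in the background.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln, nil
}

// handshake dials with the given client posture and returns the handshake error, if any.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records what each client posture did against the same untrusted server.
type Outcome struct {
	InsecureAccepted bool // verification disabled: talks to anyone, Fandango-style
	DefaultRejected  bool // platform default: refuses the untrusted certificate
	PinnedAccepted   bool // explicit trust anchor: accepts this certificate, for this name only
}

// Demo runs the three client postures and reports the results.
func Demo() (Outcome, error) {
	const host = "fandango.example" // constructed hostname, not a real endpoint
	var out Outcome
	cert, parsed, err := selfSignedCert(host)
	if err != nil {
		return out, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return out, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	// 1. The override: certificate checks switched off, so any certificate passes.
	out.InsecureAccepted = handshake(addr, &tls.Config{InsecureSkipVerify: true}) == nil
	// 2. The platform default: the chain must end at a trusted root and the name must match.
	out.DefaultRejected = handshake(addr, &tls.Config{ServerName: host}) != nil
	// 3. A compensating control: trust exactly this certificate and still check the name.
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	out.PinnedAccepted = handshake(addr, &tls.Config{ServerName: host, RootCAs: pool}) == nil
	return out, nil
}
```

The first posture is the one the complaint describes: the handshake "succeeds" against any certificate at all, so the app cannot tell the real server from an interloper before it sends card data. The second is what you get by leaving the platform defaults alone. The third is what a compensating measure looks like if a developer has a genuine reason to step outside those defaults: the trust decision is narrowed to a known certificate rather than removed, and the hostname check stays in place. An auditor reviewing an app build can look for the equivalent of `InsecureSkipVerify` in its networking code as a first check.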
“But nobody got hurt, so what’s the big deal?”
It's a victimless crime, yes. But it's practices that we're focused on, not actual damage. The standard is actions that cause, or are likely to cause, substantial injury to consumers. This is a situation where the FTC said, "Look, you got lucky here."
First of all, we don't necessarily know whether consumers got hurt or not. There are lots of different ways to obtain credit card numbers. It's quite probable that someone was injured by this. The FTC doesn't have to prove that. It can do its job just by showing that this is likely to cause substantial injury. Just because nobody shows up at your office wrapped in bandages to show you that they've been hurt doesn't mean that the FTC isn't going to come after you.