Agency: Federal Trade Commission (FTC), Washington
Description:
The Federal Trade Commission ("FTC") reached an Agreement with Credit Karma, Inc. ("Credit Karma") over allegations that it misrepresented the security of its mobile apps and failed to secure the transmission of millions of consumers' sensitive personal information from those apps. When a consumer creates an account through the Credit Karma Mobile application, the application transmits sensitive personal information to Credit Karma, including the consumer's email address, password, security question and answer, first and last name, date of birth, street address, apartment number, city, zip code, phone number and Social Security Number. Online services often use the Secure Sockets Layer ("SSL") protocol to establish authentic, encrypted connections with consumers. In order to authenticate and encrypt connections, SSL relies on electronic documents called SSL certificates. According to the FTC Complaint, Credit Karma failed to provide reasonable and appropriate security in the development and maintenance of its mobile application, including overriding the default SSL certificate validation settings provided by the iOS and Android APIs without implementing other security measures to compensate for the lack of SSL certificate validation. The FTC further charged that Credit Karma failed to appropriately test, audit, assess, or review its applications, including failing to ensure that the transmission of sensitive personal information was secure, and failed to reasonably and appropriately oversee its service providers' security practices. As a result of these failures, attackers could decrypt, monitor, or alter any of the information transmitted from or to the application. Attackers also could intercept a consumer's authentication credentials, allowing an attacker to log into the consumer's Credit Karma web account to access the consumer's credit score and a more complete version of the consumer's credit report.
The misuse of these types of sensitive personal information can lead to identity theft, including existing and new account fraud, the compromise of personal information maintained on other online services, and related consumer harms.
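The failure the Complaint describes, "overriding the default SSL certificate validation settings", usually looks like the first method below: an `X509TrustManager` that never rejects a chain, installed into the app's HTTPS connections. This is an added illustration written for this page, not Credit Karma's code or any code from the FTC record; the class and method names are the author's own, and the audit helper assumes the app uses `HttpsURLConnection`.

```java
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CertValidationExample {

    // INSECURE: the pattern the Complaint describes. checkServerTrusted never
    // throws, so any certificate, including one an on-path attacker presents,
    // is accepted and the server is never actually authenticated.
    static SSLSocketFactory trustEverythingFactory() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    static HttpsURLConnection insecureConnection(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(trustEverythingFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // also disables host-name checks
        return conn;
    }

    // SECURE: leave the platform defaults alone. The default SSLContext validates
    // the chain against the system trust store and the default HostnameVerifier
    // checks that the certificate matches the host the app asked for.
    static HttpsURLConnection secureConnection(String url) throws Exception {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // Audit helper (hypothetical): a test or code review can flag any connection
    // whose factory or verifier differs from the platform default.
    static boolean usesDefaultValidation(HttpsURLConnection conn) {
        boolean defaultFactory = conn.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory();
        boolean defaultVerifier = conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
        return defaultFactory && defaultVerifier;
    }
}
```

`usesDefaultValidation` returns false for `insecureConnection(...)` and true for `secureConnection(...)`; a unit test asserting the latter on every outbound connection is the kind of "test, audit, assess, or review" step the Complaint says was missing.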
The FTC Orders that Credit Karma and its officers, agents, representatives, and employees shall not misrepresent in any manner the extent to which Credit Karma or its products or services maintain and protect the privacy, security, confidentiality, or integrity of any covered information. The FTC further Orders Credit Karma to immediately establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to address security risks related to the development and management of new and existing products and services for consumers, and that will protect the security, integrity, and confidentiality of covered information from consumers using its products or services, and to obtain initial and biennial assessments and reports from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession. For a period of three years, Credit Karma must maintain, and upon request make available to the FTC for inspection, all materials relied upon to prepare the Assessment. For five years from the date of dissemination, upon request of the FTC, Credit Karma shall make available any documents necessary to demonstrate full compliance with this Order. Credit Karma shall deliver a copy of this Order to all current and future subsidiaries, current and future principals, officers, directors, and managers having responsibilities relating to the subject matter of this Order, delivering it to such current subsidiaries and personnel within 30 days after service of this Order, and to such future subsidiaries and personnel within 30 days after the person assumes such position or responsibilities. It is further Ordered that Credit Karma shall notify the FTC at least 30 days prior to any change in the corporation(s) that may affect compliance obligations arising under this Order.
Within 120 days after the date of service of this Order, Credit Karma shall file with the FTC a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this Order. Within 10 days of receipt of written notice from a representative of the FTC, Credit Karma shall submit an additional true and accurate written report. This Order will terminate 20 years from the date of issuance, or 20 years from the most recent date that the United States or the FTC files a Complaint in federal court alleging any violation of the Order.
Date of Action: 3/28/2014
Agency: Federal Trade Commission (FTC), Washington
Description:
On August 13, 2014, the Federal Trade Commission ("FTC") filed a Decision and Order with Credit Karma, Inc. ("Credit Karma") settling charges that it violated the FTC Act. The FTC Complaint alleges Credit Karma misrepresented the security of its mobile apps and failed to secure the transmission of millions of consumers' sensitive personal information from those apps. The FTC Complaint further charged that Credit Karma disabled a critical default process, known as Secure Sockets Layer ("SSL") certificate validation, which would have verified that the apps' communications were secure. The Credit Karma Mobile app for iOS and Android allows consumers to monitor and evaluate their credit and financial status. The FTC Complaint alleges that Credit Karma assured consumers that the company followed "industry-leading security precautions," including the use of SSL to secure consumers' information. Despite these promises, the FTC alleges Credit Karma disabled SSL certificate validation and left consumers who used its credit-monitoring app vulnerable to man-in-the-middle attacks. As a result of these failures, attackers could decrypt, monitor, or alter any of the information transmitted from or to the application. Attackers also could intercept a consumer's authentication credentials, allowing an attacker to log into the consumer's Credit Karma web account to access the consumer's credit score and a more complete version of the consumer's credit report. The misuse of these types of sensitive personal information can lead to identity theft, including existing and new account fraud, the compromise of personal information maintained on other online services, and related consumer harms.
The Decision and Order requires Credit Karma to establish a comprehensive security program designed to address security risks during the development of its applications and to undergo independent security assessments every other year for the next 20 years. The Order also prohibits Credit Karma from misrepresenting the level of privacy or security of its products and services. This Order will terminate on August 13, 2034, or twenty years from the most recent date that the United States or the FTC files a Complaint in federal court alleging any violation of the Order.
We have no further comment about this company's business practices or analysis of its offer that may assist you in your consideration of this company.