FTC: Do SSL properly or we'll shove a microscope up you for decades

The US Federal Trade Commission (FTC) has forged settlement deals with a pair of companies accused of botching their SSL encryption and leaving people vulnerable to identity thieves. According to the watchdog, Fandango and Credit Karma failed to implement basic safeguards when sending highly sensitive personal information over …

COMMENTS

This topic is closed for new posts.
  1. Paul J Turner

    Make Lemonade

    Re-do the validation, then change your advertising to proclaim "Security audited by the FTC". Not many of their competitors could claim that! :-)

    1. Ole Juul

      Re: Make Lemonade

      You nailed it. I was actually thinking that these two companies could be a first choice because of that guarantee.

    2. Paul Hovnanian Silver badge

      Re: Make Lemonade

      Security validated by the FTC, subject to NSA exclusions.

  2. Anonymous Coward

    Wouldn't it be even more secure if they didn't allow Wi-Fi connections to be used? It would make sniffing the traffic much harder as they would need to hack the mobile carrier in the process.

    1. ZenCoder

      Many iOS devices only have wi-fi.

      It's WiFi only for ...

      1) Everyone with an iPod Touch.

      2) Everyone with an iPad that's WiFi only.

      3) Everyone with an iPhone with talk/text only plan (yes they exist now).

      4) Everyone on a pay as you go plan who hit their cellular data limit.

      5) Everyone where there is wifi but no/poor cell phone reception.

      Even if it made business sense (which it doesn't), I don't think Apple would approve a cellular-data-only app ... wouldn't meet their standards.

      SSL validation works and 100% solves this problem; they just got careless and skipped it.

      1. Vincent Ballard

        Re: Many iOS devices only have wi-fi.

        The fact that it's possible to skip it, let alone to skip it by being careless rather than malicious, doesn't say much for the platform's standard libraries.

        1. Tomato42

          Re: Many iOS devices only have wi-fi.

          @Vincent Ballard: you can authenticate the connection after it has been established (see channel bonding), so the library should allow for that.

          It shouldn't be the default, of course.

      2. Mike Moyle

        Re: Many iOS devices only have wi-fi.

        Just to be complete, add "Everyone with a wifi-only Android tablet."

        Just sayin', the article notes that it's not just iOS.

  3. Robert Carnegie Silver badge

    Uh, yeah

    I expect that it's not really allowed to use the FTC and their interest in your affairs when you advertise. But who knows. Any other companies got that history?

    1. Ole Juul

      Re: Uh, yeah

      Well, what Paul suggested is simply to say exactly what is happening. There need not be mention of endorsement of any kind. I wonder though, does the FTC publish a list of all the companies they've checked? If not, we can never be sure about the "unmonitored" ones.

  4. pigor

    no punishment as usual

    They failed security and all FCC does is forcing them to implement the security measures they should have implemented 4 years ago.

  5. ecofeco Silver badge

    We talk about sophisticated hacking

    We talk about sophisticated hacking and cackle at the latest boneheaded vulnerabilities, but it's really the low hanging fruit, the forgetting to lock the door of your car, kind of idiocy that is still the biggest problem.

  6. Jamie Jones Silver badge

    It's a funny old world

    One government department exploits weaknesses, the other punishes them!

    1. hj

      Re: It's a funny old world

      They do this for the NSA, their scripts fail if SSL is not implemented correctly.

  7. McHack

    Very suspicious...

    Credit Karma had long been advertising with Little Old Grandma and Grandpa caricatures, with glasses and cane, as they complain about "free credit score sites" that want credit card info so they can charge you after the trial period. Which Credit Karma doesn't do; it's free always.

    So how do they make money?

    Thus it's marketed as something no-fuss that old people should have, or their kids should sign them up for, so they can stop worrying and get back to surfing for elder lesbo flicks.

    I seem to remember one of the oldest internet tricks is to lure the old folk with promises of safety and security to get the info to rob them blind.

    Are we sure this lack of security with sensitive personal info was accidental?

  8. Adam 1

    Does this also cover goto fail implementations?

  9. Anonymous Coward

    It's not just these guys.....

    We have recently completed penetration tests on a number of apps delivered by vendors such as SAP and others, who also failed to validate the certificates used to secure TLS connections, both from a revocation perspective and as to whether they came from the expected supplier.

    Trust the maths.....

    Don't trust the implementation....
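The thread above (ZenCoder and Tomato42 on validation and authenticating the connection, and the pen-test comment on checking a certificate really came from the expected supplier) comes down to one client-side setting. As an added example that is not from the article or any commenter, this Go program mints two throwaway certificates for a hypothetical host name, runs the handshake in memory, and reports which client configurations accept which certificate; every host name and certificate here is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for the hypothetical host api.example.test (constructed, not a real CA).
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"api.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // a trust store holding only this certificate
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// handshake runs one TLS handshake entirely in memory (net.Pipe, no sockets) and returns the client's verdict.
func handshake(server tls.Certificate, client *tls.Config) error {
	cConn, sConn := net.Pipe()
	defer func() { cConn.Close(); sConn.Close() }()
	cConn.SetDeadline(time.Now().Add(3 * time.Second)) // net.Pipe is unbuffered; never let a stalled write hang
	go tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true}).Handshake()
	return tls.Client(cConn, client).Handshake()
}

// Verdicts reports, per client configuration, whether the handshake succeeded (true) against the genuine certificate and against a same-named certificate no trusted issuer vouches for.
func Verdicts() map[string]bool {
	genuine, trusted := selfSigned()
	unknown, _ := selfSigned() // same host name, different key, absent from the trusted pool
	configs := map[string]*tls.Config{
		"careless":  {InsecureSkipVerify: true},                           // validation switched off, as in the settled apps
		"strict":    {ServerName: "api.example.test", RootCAs: trusted},   // chain and host name checked by the library
		"wrongName": {ServerName: "other.example.test", RootCAs: trusted}, // trusted issuer, but not the host we wanted
	}
	out := map[string]bool{}
	for name, c := range configs {
		out[name+"/genuine"], out[name+"/unknown"] = handshake(genuine, c) == nil, handshake(unknown, c) == nil
	}
	return out
}
```

Only the "careless" client accepts the unknown certificate, which is the whole of the defect the FTC settled over; the library's default check rejects both an unknown issuer and a trusted certificate for the wrong name.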

  10. Tom 13

    Ironically, I just saw my first ad from Credit Karma yesterday.

    While it was slightly intriguing compared to the usual suspects, it wasn't enough so to get me to visit their site.

    After today, that won't ever be happening.
