New York Attorney General settles with five companies over mobile app security failures
On December 14, the New York Attorney General announced settlements with five companies, including a global payment processor, a credit reporting agency, and a credit score company, whose mobile apps allegedly failed to secure sensitive user data. As part of the Attorney General’s initiative to uncover vulnerabilities before a data breach occurs, the office tested dozens of mobile apps that handled consumer information such as credit card and bank account numbers. After testing, the Attorney General determined that certain versions of the five companies’ apps failed to properly authenticate SSL/TLS certificates, which are used to verify the identity of the computer attempting to establish a connection with the mobile device. According to the Attorney General, this failure could allow an attacker to impersonate the companies’ servers and intercept information, including credit card information, entered into the app by the user. The settlements require the companies to implement a comprehensive security program to protect their users’ information.