Although Credit Karma has a number of factors in its favor that help to raise its BBB score (length of time in business, complaint volume relative to business size, response to complaints, resolution of complaints and sufficient background information on the business), the BBB website states that the main factor lowering the score was government action taken against the business.
The FTC charged that Credit Karma claimed to follow “industry-leading security precautions,” including SSL certificate validation in its mobile app, but in reality failed to secure customers’ information. This left the financial information handled by the credit-monitoring app exposed to attackers, who could read the sensitive data with a man-in-the-middle attack against the app’s connections. Although the vulnerability could easily have been prevented and Credit Karma had been warned about it, the company failed to remedy it in its iOS app. It then released its Android app with the same vulnerability a month later.
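The certificate-validation failure described above, shown as an added Go example rather than code from Credit Karma or the FTC complaint (the page shows none): a local HTTPS server with a self-signed certificate is a constructed stand-in for the app’s backend, and the “score=742” response is placeholder data. Three client configurations show why switching validation off accepts any certificate a man-in-the-middle presents, while the fix is to keep validation on and trust the correct CA.

```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newServer starts a local HTTPS server with a self-signed certificate (constructed stand-in for the app's backend).
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "score=742") // placeholder for the account data a real app would receive
	}))
}

// fetch issues one GET with the given TLS settings and reports whether the connection was
// accepted and, if not, whether it failed because the certificate's issuer was untrusted.
func fetch(url string, cfg *tls.Config) (accepted bool, certRejected bool) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		return false, errors.As(err, &unknownCA)
	}
	resp.Body.Close()
	return true, false
}

// brokenConfig mirrors the flaw in the FTC complaint: validation is switched off, so
// any certificate, including one presented by a man-in-the-middle, is accepted.
func brokenConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
// defaultConfig keeps validation on and trusts only the system root CAs.
func defaultConfig() *tls.Config { return &tls.Config{} }

// pinnedConfig keeps validation on but trusts exactly the server's own certificate,
// the right fix when a backend uses a private CA, instead of disabling the check.
func pinnedConfig(srv *httptest.Server) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return &tls.Config{RootCAs: pool}
}
func main() {
	srv := newServer()
	defer srv.Close()
	fmt.Println(fetch(srv.URL, brokenConfig()))    // true false: a forged certificate would pass too
	fmt.Println(fetch(srv.URL, defaultConfig()))   // false true: rejected, issuer is not a trusted CA
	fmt.Println(fetch(srv.URL, pinnedConfig(srv))) // true false: validated against the trusted CA
}
```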
This security flaw could have been quite damaging if an identity thief had taken advantage of it. Users of the app had vital financial information exposed, including their names, birth dates, home addresses, phone numbers, credit scores, Social Security numbers and passwords. Anyone with access to this information could easily have stolen the person’s identity.
As part of the settlement, Credit Karma is required to establish a comprehensive security program that addresses security risks when it develops applications for its customers. In addition, it must undergo an independent security assessment every two years over the next 20 years to verify that the security program is working properly. Another component of the agreement is that when advertising its products, the company is prohibited from misrepresenting to the public the level of privacy its products and services provide.
It’s never good when a company falls below an A rating with the BBB. Over time, Credit Karma should be able to raise its rating back to where it was before the incident if it complies with the FTC agreement. What’s somewhat curious about Credit Karma’s BBB rating drop is that Fandango, which was hit with the same FTC charges at the same time, didn’t see its BBB score decline. Fandango currently has an “A” BBB rating.