After discovering that its mobile app was not fully compliant with PCI security standards, identity protection firm LifeLock said on Friday that it has pulled its mobile wallet application from popular app stores and was deleting user information stored for the mobile app from its servers.
“We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards,” Todd Davis, Chairman and CEO of LifeLock, wrote in a security update on Friday. “For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted in the app.”
LifeLock’s Wallet application is based on technology gained from its December 2013 acquisition of Lemon, a digital wallet company that LifeLock bought for $42.6 million in cash.
“Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do,” Davis continued.
While the app will be unavailable for users for the time being, Davis said the company is working to make a Wallet that maintains “the highest level of PCI compliance” available to users soon.
“I want to make sure that when LifeLock Wallet is available again, you’ll know that you can download it, provide your personal information and use it again with confidence—knowing that it’s backed by an industry leader that is committed to doing the right thing and taking care of its customers.”
The company did not say how the security gaps were discovered, or if it had received any notices from regulatory agencies such as the Federal Trade Commission (FTC) or standards bodies such as the PCI Council about the app.
In an effort to protect user privacy and security, the FTC has lately been targeting technology firms and companies offering mobile applications.
As SecurityWeek reported in March, the FTC has found itself challenged in keeping up with privacy implications with technology changing so rapidly. The agency even has a “mobile lab” where technicians and attorneys analyze how apps handle user data.
Earlier this year, Fandango and Credit Karma, two firms offering popular mobile applications, agreed to settle charges brought forth by the FTC over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users.
The FTC alleged that Fandango and Credit Karma “failed to take reasonable steps to secure their mobile apps”, putting consumers at risk by failing to secure the transmission of millions of users’ sensitive personal information.
Specifically, the FTC accused the firms of disabling the SSL certificate validation process, making the apps vulnerable to Man-in-the-Middle (MitM) attacks, especially when connecting via public Wi-Fi networks.
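As an added illustration (not code from the article or from either company's app), the weak client configuration the FTC complaint describes sits beside a hardened one, together with a small audit routine that flags the settings that would let an interceptor's certificate be accepted:

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern described in the complaint: TLS is used, but the
    certificate chain and hostname are never checked, so any certificate
    presented by a network-level interceptor is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default-secure configuration: chain validation against the system trust
    store, hostname matching, and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings explaining why a client context would accept an
    interceptor's certificate; an empty list means validation is intact."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain validation disabled "
                        "(verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed "
                        f"(minimum {ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```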
Mike Lennon, Managing Editor, SecurityWeek.
Tags: Mobile Security