I recently had the privilege of attending a TED talk-style seminar on cybersecurity at my alma mater, UCLA. The information I learned at this session certainly gave me pause, and I was anxious to share the information I learned with our clients and other readers of our blog. Perhaps the most interesting aspect of the lively discussion was the panelists – one, the former general counsel of the National Security Agency (“NSA”) and the other, a benevolent hacker.
As you must have heard in the news, the cybersecurity debate has heated up again in recent months, with the FBI vs. Apple encryption dispute. In case you have been living under a rock since the beginning of 2016, the debate involves a judge ordering Apple to help the FBI by unlocking the iPhones of the San Bernardino shooters. The bigger question is whether we are entitled to anonymity in our use of technology, or alternatively, whether the government should be allowed access to our telephones, text messages, emails and other online activities when they have probable cause to believe that a crime has been committed.
In the case of the San Bernardino shooters, I don’t think there is any question that a crime was committed – a particularly heinous crime involving the slaying of 14 innocent people (22 others were seriously injured) at the Inland Regional Center in San Bernardino by a husband and wife team of religious radicals. The couple had destroyed two personally owned cell phones and removed a hard drive from their computer at the time of the attack, but the husband’s employer-issued iPhone had not been destroyed, and the FBI was very interested in seeing if there was any information on the device.
The FBI’s argument: There is already a hole in the iPhone’s security – Apple can (and frequently does) access your iPhone for the purposes of installing updates, and can essentially put anything it wants on your device. We should be able to read the emails of those who prey on us. Apple can read all of our emails now, at this very moment, so why should they not be required to turn this information over to the FBI to protect the people of the United States? It is not impossible to do this on the shooter’s iOS 9 iPhone – Apple can disable security barriers in the iPhone’s coding, or alternatively, they can write code to unlock the iPhone.
Apple’s argument (supported by the hacker): Despite the fact that it is impossible to unlock devices running iOS 8 or later, this is an overreach by the government. We must consider the implications of the FBI’s demands. While well-intentioned, it would be wrong for the government to force Apple to build a backdoor into their products. And ultimately, we fear that this demand would undermine the very freedoms and liberties our government is meant to protect. Helping the FBI would be like providing a universal key that would permit law enforcement to break into anyone’s iPhone. It will also create a vulnerability that hackers from any part of the world can exploit.
In the end, this particular dispute became moot when the FBI reportedly paid upwards of $1M to a hacker who was able to unlock the shooter’s iPhone.
The two panelists went on to discuss many other security issues. For example, the new chips we have on our credit and debit cards – our cards were all issued with chips because they are more secure, right? Actually, no. The hacker revealed that he and a friend purchased an $8 RFID reader on Amazon and were able to write some simple code, go to the local Starbucks and “scan people’s butts” in the line, obtaining all of their credit card and identification information. This particular brand of electronic pick-pocketing is not new – it has been termed RFID skimming and can be done from several feet away. If the thief is particularly sneaky about it, they can do it without your even realizing what is happening.
With regard to passwords, we have all heard about changing our passwords regularly and using different passwords for all of our accounts, right? Many of us know we should, but the hassle and impossibility of remembering 25 (or more) different passwords means most of us will not actually follow this advice. But consider this – if you are not going to create different passwords for each account, at least use a different one for your email account(s) and change it regularly. If a hacker discovers your email password, they can find out who you have accounts with (by looking at the orders you’ve placed, marketing emails, etc.), go to those sites, hit the “forgot my password” link, read your email and reset or even discover your universal password – you know, the one that you use for everything else. They can also then get information about where you live, what credit cards you have, and other interesting and dangerous tidbits about you.
We all think that biometric authentication is secure, right? Well, it is – but not if you are using your fingerprint to access a large database owned by someone else. For example, if your grocery store allowed you to use biometric authentication to pay, and a hacker was able to breach their security and gain access to everyone’s fingerprints, your fingerprint would never be safe again (unlike passwords, fingerprints can’t be changed). The hacker on the panel revealed that he and his friend did an experiment “for fun” and that his friend now has a model of his finger (that he created from an online database) and is able to use this fake finger to biometrically authenticate as his buddy. Not cool!
The bottom line, straight from the hacker’s mouth: Don’t be the low-hanging fruit! Change your passwords regularly – especially your email password, and don’t use the same passwords for all of your accounts. Consider purchasing an RFID-blocking wallet. When making online purchases, use your iPhone and/or iPad, which are far more secure than your MacBook, iMac or PC. Never use a biometric authentication system unless it is to access your own personal device.
The information contained in this article does not constitute legal advice and neither the author nor Carmel & Naccasha make any representations or warranties as to the accuracy of the information contained herein. Your access or reading of the article and/or your following of any of the suggestions contained herein do not create an attorney-client relationship between you and the author or you and Carmel & Naccasha LLP.