Will financial technology, the startup industry that relates directly to the sensitive subject of money, be at risk if public trust in security is shaken?
Since the American Federal Bureau of Investigation demanded that Apple create a new OS backdoor that would allow them to break into the iPhone of San Bernardino shooter Syed Farook, a debate over the future of encryption has been raging between privacy advocates and those who believe authorities have the right to look wherever the law allows them.
While tech giants like Facebook and Google have supported Apple’s fight against the FBI, the startup community has largely sat on the sidelines, likely trying not to get crushed in this clash of titans. How this case sorts out, however, may come to affect many of these younger companies that have built their businesses on the brand of secure communication and transfers of data. Fintech, the startup industry that relates directly to the sensitive subject of money, could be one of those at risk if public trust in security is shaken.
The case at hand
Since the release of iOS 8 at the end of 2014, Apple has instituted a number of security features aimed at keeping intruders from accessing devices. Among them is a handy little trick wherein if the passcode to open the device is entered incorrectly ten times, the phone will automatically wipe itself clean.
This way, even if the phone was lost, the precious data contained within it would stay safe from prying eyes. In an age where your phone carries more personal information than a strand of DNA, this is an important feature.
Understandably, the FBI wants to be able to access the San Bernardino shooter’s phone to look for intelligence that they say could be vital to their investigation. To this end, they have asked that Apple make a new iOS update backdoor that would allow them simultaneously to attempt millions of passcode attempts without endangering the contents of the phone.
For their part, Apple is vociferously opposing this order. They argue that encryption must be all or nothing and that the repercussions could be widespread.
Bank Leumi’s CTIO and COO Dan Yerushalmi agrees with Apple, telling Geektime that, “The public will lose trust in the commercial companies providing backdoors and will engage less with them.”
The challenge says Yerushalmi is that it is “an impossible mission to create an hermetic backdoor,” hammering home the point that once this technological hurdle is overcome, it will be exceedingly difficult if at all possible to walk it back.
Law enforcement from around the United States are already demanding that they too would like to benefit from this master key to break into confiscated devices of their own. Moreover, the American government does not have the world’s best track record when it comes to keeping valuable things secure, raising the risk that this OS could fall into the hands of hackers. Then there is the problem that if Apple caves in for the U.S., then other countries like China and Russia may make similar requests, a move that could endanger activists that the U.S. would otherwise have an interest in protecting.
Nobody believes that Apple, or any other tech company that is backing them, is going up against the U.S. government out of a sense of principle to protect privacy. They have already stated that if they were to undermine their own product, it would destroy public trust in them and the security that they provide, thus hurting their brand.
Yerushalmi goes as far as to say that commercial companies may lose customers, their reputation and eventually their business. “In the case of iPhone,” he believes that, “People will switch to Android when they will understand and feel that their privacy may be impacted while using iPhone. IPhone market use can be severely impacted by that.”
“If Leumi gives backdoors to a government, then people may switch to the competitors,” explains Yerushalmi of the concern that rolling back existing protections would negatively impact the banking industry. “When also the competitors will comply with a backdoor request, then the Fintech companies will find the way to bypass such approach, making the financial organizations irrelevant.”
“We see the impact of such ‘backdoors’ already,” he says, pointing to the European community having canceled the Safe Harbor privacy protections after they lost trust in the American public clouds, leading them to urge cloud companies to open clouds instead within the Eurozone.
How important is encryption?
Security expert Nimrod Lehavi, co-founder and CEO at the BitCoin fraud and security startup Simplex, says that Apple’s case against the FBI seems like a publicity stunt.
He points to the fact that the big tech companies, including Apple, have cooperated for years with the government. This point he says was driven home with the release of stolen documents by former NSA contractor Edward Snowden.
Lehavi doubles down on his charge that the battle over encryption is overblown, telling Geektime that the entire environment is so incredibly insecure. He explains that nearly every network and device is hackable in one way or another, and that a determined hacker or entity can break through even high level defense. “Hacking the router at a cafe is simple,” he explains, adding that nearly all of these kinds of routers are the same model, so if a hacker has broken into one, then they can easily access the majority. This low level of security Lehavi says does not keep most users from surfing while at their cafes, making the point that as a society, people choose to make a compromise between their user experience, and maintaining their security.
“People are the weakest element,” says Lehavi, repeating a common mantra in the security world. He explains that most people are simply not security conscious and make careless mistakes such as clicking on suspicious links and opening documents without verifying who the sender is.
“Even if you see your friend’s name in the email, you need to look at the whole address to see if it’s legit,” he explains, noting that a common hacker trick is to make an address that looks like it could be a gmail account, but has little additions. For example, firstname.lastname@example.org could be enough to make someone believe that they are being contacted by a legitimate source, gaining their trust. Documents and links from this sketchy character could contain trojans and other dangerous items that can take over a machine.
Lehavi believes that the concept of encryption is a bit of a ruse, giving a false sense of security to users, since anything is still hackable. Interestingly, he tells Geektime that even if the illusion of encryption was to be brushed aside, people would continue to use the same services uninterrupted.
Lehavi explains that fixing the multitude of flaws that exist in the source code upon which most technology is built, and even core networks like GSM that is the backbone for mobile communications, is simply too expensive to update properly. The failure to implement the proper fixes leaves all these lines of communication and devices vulnerable for an attacker willing to put in the effort.
Despite all his pessimism about the dearth of security online, Lehavi tells Geektime that there is some value in being a harder target. While anyone can make a successful attack on a user with encryption, using tools like keyloggers or social engineering, there are some basic tools he says like having an anti-virus and two step verification that can fend off the majority of attacks. With any luck, an attacker will see that your system is just a little bit tougher to break into, and instead head off looking for greener pastures.
How will the decline of security affect startups?
Eran Bielski, an Associate at Entrèe Capital who heads up the SigmaLabs accelerator in Tel Aviv, brings a brighter perspective to this otherwise gloomy situation. While he thinks that Apple will end up caving to the government, he does not believe that it will lead to the downfall of fintech.
Bielski cites the rise of fraud detection as the grease that will help keep the gears of financial transactions turning in the age of digital uncertainty. He points to the fact that the integration of fraud prevention has played a big role in allowing payment companies like PayPal make their users feel at ease when making purchases online, guaranteeing that they will cover them in the case of hacks. Companies like Fraud Sciences (bought by PayPal), Riskified, and others have developed innovative and disruptive solutions to help identify cases of fraud, reducing loss and adding protections that keep the market running.
However, he notes that some of the smaller operations like startups that use payment systems run through apps like Google Wallet or Apple Pay could face difficulties if these tech giants are viewed as less secure by the public. In general, Bielski says that a lot of negative PR depicting a weakened security layer could make users more cautious when it comes to adopting new fintech products, which, in turn, could hurt up and coming companies.
The government has the duty to push the limits in their mission to make the public safer and I’m not opposed to a little good natured espionage here and there.
That said, I still side with Apple. While it is up to individuals to be responsible for their own online safety, we should all be pushing for a more secure environment with better protections for our information. Demanding that Apple remove one of the few good steps out there in security for the sake of one terrorist simply feels too high a price and downright unAmerican.
If the FBI wins this battle, they will gain access not only to Farook’s iPhone but to all devices running iOS. It is like giving them a key that would unlock all doors. Can law enforcement legally access an individual’s home with a warrant? Yes, of course. Should they have the key to all our homes to come and look around whenever they want? I don’t think so.
It is difficult to believe that the U.S. intelligence services are really unable to break into a simple iPhone. It is far more likely that the government has been waiting for the perfect public case to come along where they can take the tech community to task over systems that make their surveillance efforts more difficult.
Apple’s refusal to help the FBI open up a dead terrorist’s iPhone 5c is a golden opportunity for them to rail against the threat of the industry “going dark.”
However, Lehavi is correct when he states that everything is hackable and that having encryption built in to our devices is not the silver bullet that many of us would like it to be.
In a recent discussion with a security expert regarding encrypted email, I badgered him for 15 minutes trying to find holes in an otherwise very strong system that included verification of the user’s social media accounts. After running through a series of scenarios, each more ludicrous than the one before it, he conceded that if an attacker with the means and will determined that you are worth the effort, then you will be hacked.
This boils down to a basic truth about security online as in real life. Keep a low profile and don’t take candy from strangers. Be careful about what you open online, and think about whether it makes sense in context for the sender to be passing along to you.
If security fell by the wayside tomorrow, I doubt that it would significantly impact the thriving online economy. People will still send money through PayPal because giving up on the convenience would just be too much to give up on, and the fraud protections there give them peace of mind.
Where it is likely to become an issue is for up and coming startups that have not yet gained public trust, and depend on people using their services to pass on sensitive information and assets.
However the case between the FBI and Apple shakes out in the battle over Farook’s iPhone, we can only hope that they will consider some of the wider effects that their campaign for superior surveillance could have on the progress of this rapidly evolving industry.