A recent burst of news about NSA access to individuals’ iPhones serves as a reminder that using modern mobile devices for some types of Financial Services business activities involves elevated risk, and risk that is difficult to quantify.
Late last summer I wrote a little about the potential for NSA data gathering to influence Financial Services privacy and security promises.
This reference to iPhone surveillance is a reminder that using consumer devices to perform material company business of any kind, or to perform many types of common operations on company non-public data, involves a certain amount of risk. This should be factored into your ‘risk appetite’ discussions and planning — and this should occur at a number of levels throughout your Financial Services organizations.
Mass surveillance by U.S. intelligence organizations has been relatively frequently documented in the 7 years since Mark Klein, a retired AT&T communications technician, revealed that AT&T had provided U.S. National Security Agency personnel with full access to its customers’ phone calls, and had shunted its customers’ internet traffic to data-mining equipment installed in a San Francisco switching center since 2003. The U.S. is not the only government engaged in mass surveillance.
“Shopping for Spy Gear: Catalog Advertises NSA Toolbox.” By Jacob Appelbaum, Judith Horchert and Christian Stöcker; 12-29-2013; http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
“These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.”
“How The NSA Hacks Your iPhone (Presenting DROPOUT JEEP).” By Tyler Durden; 12-30-2013; http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep
“NSA Data Gathering Hits Financial Services Privacy & Security Promises.” September 8, 2013; https://completosec.wordpress.com/2013/09/08/nsa-data-gathering-hits-financial-services-privacy-security-promises/
Historical References to U.S. Mass Surveillance:
“NSA’s Domestic Spying Grows As Agency Sweeps Up Data — Terror Fight Blurs Line Over Domain; Tracking Email.” By Siobhan Gorman; 03-10-2008; http://online.wsj.com/news/articles/SB120511973377523845
“The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people’s communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks.”
“According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns.”
“The Treasury, for instance, built its database “to look at all the world’s financial transactions” and gave the NSA access to it about 15 years ago, said a former NSA official. The data include domestic and international money flows between bank accounts and credit-card information, according to current and former intelligence officials. The NSA receives from Treasury weekly batches of this data and adds it to a database at its headquarters. Prior to 9/11, the database was used to pursue specific leads, but afterward, the effort was expanded to hunt for suspicious patterns.”
Through the Treasury’s connection to the Society for Worldwide Interbank Financial Telecommunication, or Swift, the Belgium-based clearinghouse for records of international transactions between financial institutions, the NSA also has access to financial transaction records globally.
“Government Is Tracking Verizon Customers’ Records.” By Siobhan Gorman and Jennifer Valentino-DeVries; 06-06-2013; http://online.wsj.com/news/articles/SB10001424127887324299104578528181094177900
“Verizon is required to provide NSA with “all call detail records” of customers, including all local and long-distance calls within the U.S., as well as calls between the U.S. and overseas, according to a court order labeled “top secret” published Wednesday by the Guardian newspaper.”
“U.S. Collects Vast Data Trove — NSA Monitoring Includes Three Major Phone Companies, as Well as Online Activity.” By Siobhan Gorman, Evan Perez and Janet Hook; 06-07-2013; http://online.wsj.com/article/SB10001424127887324299104578529112289298922.html?mod=WSJ_hpp_LEFTTopStories
“The National Security Agency’s monitoring of Americans includes customer records from the three major phone networks as well as emails and Web searches, and the agency also has cataloged credit-card transactions, said people familiar with the agency’s activities.”
“Civil-liberties advocates slammed the NSA’s actions. “The most recent surveillance program is breathtaking. It shows absolutely no effort to narrow or tailor the surveillance of citizens,” said Jonathan Turley, a constitutional law expert at George Washington University.”
“The Washington Post and the Guardian reported earlier Thursday the existence of the previously undisclosed program, which was described as providing the NSA and FBI direct access to server systems operated by tech companies that include Google Inc., Apple Inc., Facebook Inc., Microsoft Corp. The newspapers, citing what they said was an internal NSA document, said the agencies received the contents of emails, file transfers and live chats of the companies’ customers as part of their surveillance activities of foreigners whose activity online is routed through the U.S.”
“The arrangement with Verizon, AT&T and Sprint, the country’s three largest phone companies, means that every time the majority of Americans makes a call, NSA gets a record of the location, the number called, the time of the call and the length of the conversation, according to people familiar with the matter.”
“Gamma FinSpy Surveillance Servers in 25 Countries.” By Vernon Silver; 03-13-2013; http://www.bloomberg.com/news/2013-03-13/gamma-finspy-surveillance-servers-in-25-countries.html
“Computers running U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, have been found in 25 countries, according to an updated global scan of the Internet that mapped the locations of servers that control infected machines.”
“U.S. Confirms That It Gathers Online Data Overseas.” By Charlie Savage, Edward Wyatt and Peter Baker; 06-06-2013; http://www.nytimes.com/2013/06/07/us/nsa-verizon-calls.html
“The federal government has been secretly collecting information on foreigners overseas for nearly six years from the nation’s largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, the director of national intelligence confirmed Thursday night.”
“In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone. Mini-programs, so-called “scripts,” then enable additional access to at least 38 iPhone features.”
“Privacy Scandal: NSA Can Spy on Smart Phone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-07-2013; http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html
“SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.”
“The material viewed by SPIEGEL suggests that the spying on smart phones has not been a mass phenomenon. It has been targeted, in some cases in an individually tailored manner…”
“iSpy: How the NSA Accesses Smartphone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-09-2013; http://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html
According to internal NSA documents from the Edward Snowden archive that SPIEGEL has been granted access to, “The US intelligence agency NSA has been taking advantage of the smartphone boom. It has developed the ability to hack into iPhones, android devices and even the BlackBerry, previously believed to be particularly secure.”
“A detailed NSA presentation titled, “Does your target have a smartphone?” shows how extensive the surveillance methods against users of Apple’s popular iPhone already are.”
Finally, if you are interested in an excellent recent 1-hour technical presentation on some of the technical surveillance aspects of this topic by Jacob “@ioerror” Appelbaum at the 30C3: 30th Chaos Communication Congress (Hamburg, Germany, Dec 27-30, 2013)