Even if you are a person who will never in your life end up as any kind of person of interest for the government, handing over data in this way could still be quite dangerous.
Phones will often contain data that can facilitate theft and fraud if ending up in the wrong hands. If they're able to copy everything, including private data from all apps that could be quite bad. For example many countries now use apps to login to online banking, with private keys for the login stored in the app. Will that be copied? Will it ever be found out if one of the 3000 government officials with access to this data sold it on darknet markets?
Maybe some months after your travel you suddenly wake up one day to find all your money transferred from your bank account to some account in Nigeria.
To me the lack of checks/balances before handing over your device for an hour or so is the worst part.
The chain of custody in these instances is basically one guy going into a back room by himself and hooking it up to a computer.
At the very least you should be able to have the contents of your phone independently hashed before handing it over to a potentially corrupt individual. They can put anything they want on there in that time and what recourse do you really have?
It doesn't even have to be the government itself. Let's say the sheriff in your town takes interest in your partner. Or his kid gets in a spat with your mom because the kid was DUI.
The chances of becoming a person of interest will always be non-zero, but I think I a lot of people can be reasonably confident that they are not likely to become a person of interest.
Given that 0.5—1% of the US population is incarcerated[1], and that getting a prison sentence is far from the only way to become a person of interest, it is quite reasonable to say that chances of getting some unwanted attention from various government and government-adjacent institutions are too damn high to ignore it.
While US justice certainly can be capricious and arbitrary, it is not entirely a random lottery whose eye it falls upon. And while those who believe in the centrality of personal responsibility and try to tell you that anyone who comes into contact with the police must have done something to deserve it are clearly deluded, there are things you can do in your life, or elements of your personal background and lifestyle that, though you never really opted into them, you may benefit from (one might call them 'privileges'), which will reduce the chances that you personally will run into trouble with the law quite considerably.
Your own personal odds are rarely the same as the average odds across the whole population. For anything. That's why insurance companies can exist.
> there are things you can do in your life, or elements of your personal background and lifestyle that, though you never really opted into them, you may benefit from (one might call them 'privileges'), which will reduce the chances that you personally will run into trouble with the law quite considerably.
They are always watching. Always collecting your data and trolling through it looking for things to use against you. You might not face consequences from the ongoing surveillance, but it never stops and something as simple as being in the wrong place at the wrong time or typing the wrong combinations of words in a search engine can be enough to get you questioned by police.
You can always make choices that will make your situation worse, but no matter what you do or don't do there's really no telling what might cause you harm.
> You can always make choices that will make your situation worse, but no matter what you do or don't do there's really no telling what might cause you harm.
People resist this notion because psychologically, on a basic level, we wanna feel safe at home. In Maslow's ordered sets of needs, the need to feel safe at your resting spot comes right after "not being beaten", "not freezing" and "not starving". The idea that it's entirely unknowable to you what (completely innocent and legal) things you might have done ten years ago turn you into a "PoI" today is - obviously - quite scary and contrary to that.
That's what makes the panopticon so disturbing. You can't (or at least shouldn't) ever feel entirely safe/free because the threat is always looming and strikes at any time. I think on some level most people do realize that, even the ones who have never known things any other way, and I think it's only getting harder and harder to ignore. Difficult to say what it's been doing to us though. There' are a lot of other things contributing to the background level of dread these days.
When pretty much every single person in the country is being spied on doesn't that make everyone a "person of interest?"
The only thing that differentiates you from anyone else is how much interest they have in you and that likely changes by some percentage with every scrap of data they collect or whatever they happen to be fishing for in the moment.
At any time your phone's GPS history and your Google searches can land you on a suspect list. Somebody is interested.
This discussion is sorely lacking the nuance that you don’t even have to be a person of interest. You just have to be a convenient fall guy. There’s always a right time for anybody to fit that description.
I worked with a great Nigerian dev some years ago. He contracted for us to do our frontend work. The stories this dude told were insane. He lived in Lagos, notorious for traffic jams. He would frequently get stuck in multi-hour long traffic jams just trying to get fuel for his electric generator. He had to do this to keep his power on during the routine black/brown outs that plagued the city, so that he could continue to work. He eventually, thanks to his work, was able to move to a nicer part of the city where the electricity was more reliable.
Last I heard he and his GF/wife (I don't recall which) were able to immigrate to Dubai, where he's continuing to work as a contractor for western clients, with an eye to eventually immigrating to Europe or the US.
I wish him well, but it is a damn shame that the best option for Nigerians who wish to engage in this type of work is to...leave.
I once sat through a “Pending Regulation of Cryptocurrency” CLE and one of the panelists was a real crypto-fanatic. He put up a slide about how quickly bitcoin was being adopted around the world and he kept excitedly saying how Nigeria was the fastest-growing crypto market in Africa! Another of the panelists was an FBI agent who investigates crypto-related crimes and when it was his turn he was quick to point out that rapid adoption of crypto in a country famous for internet scams isn’t exactly a selling point...
Looks like Dare@MSFT does have an account on HN, altho unused for many years. He's a genuine Nigerian Prince! Well, at least he's the son of a genuine Nigerian warlord/dictator.
A Nigerian and a Florida Man walk into a bar. They order drinks and nachos and have a reasonable conversation that concludes in a legitimate business deal.
Have you seen the YouTube channel “Pleasant Green”? He is a scam baiter but has been working with some of the Nigerian scammers to turn their lives around.
Why the hell would anybody sane, especially with all knowledge average HN user has about government overreach and greed, hacks, 0days, bugs etc. ever put such a critical item as banking app on their phone?
Apple vs Android is irrelevant in this, there is no truly safe mainstream phone in 2022, period. Are people really that lazy?
I do manage quite a few financial things but for none of those phone apps is crucial and I use exactly 0 of them. There is ebanking login app, but on its own its useless, another 3 factors are required for login. There is always desktop browser variant for everything, with firefox with ublock origin and few other plugins making internet a bit more as it was intended to be.
So yes US government can hack my phone if they havent already, they will see what kind of photography and travelling I do, which family members I write to, and some online shopping history. Thats it.
Phones are not secure and probably never will be for anything more. Anybody telling you otherwise is either dangerously clueless or worse
> Why the hell would anybody sane, especially with all knowledge average HN user has about government overreach and greed, hacks, 0days, bugs etc. ever put such a critical item as banking app on their phone?
Because it's convenient, and security is a trade off with convenience. I use banking apps on my phone, and I suspect many (most, even) people here on HN (and who are technically savvy in general) do as well. That doesn't make it smart or good or correct, but I suspect that is the status quo.
I haven't traveled outside the US since before the pandemic, but these days I may only travel with a burner phone the next time I do so.
> Phones are not secure
Neither are laptops or desktops, or anything, really. Everyone needs to decide for themselves what level of security they're willing to accept, and what their threat model is.
> ever put such a critical item as banking app on their phone?
Laziness has nothing to do with it.
Why? Three of my bank accounts cannot be accessed without a phone app, and some of my credit cards will not authorise payments without a phone app. It's not a choice.
Two of the bank accounts do have web banking too, i.e. from a desktop browser. But you have to use the phone app to authenticate the browser login! I found this out the hard way, when my phone screen died so I couldn't login to web banking on my laptop.
I called customer support, hoping to use phone banking to make some payments. They told me they could not do anything until I obtained a new working phone, moved my SIM or phone number over, and then they could transfer the authentication to the new device. Other than that, they had no options for logging in. It was fine to borrow someone else's phone if I wanted, installing the bank app on there, but I couldn't login without a phone.
I had to go through this again when the second phone died a few months later.
Now, I'm guessing you're thinking "use a different bank, duh!". Turns out I didn't have a choice of non-app banks when I needed to open a business account during the pandemic, in order to accept a contract, which I needed. My credit rating was not rosy either, greatly limiting which card services I could choose. Things are easier now, thanks.
My bank sent me a little fob that generates a one time code. Of course, they will also use SMS, the app on your phone, or email for 2FA. They are all considered equally valid and there is no intermediate step should you wish to use one over the other at any time.
>ever put such a critical item as banking app on their phone?
Because my PC isn't meaningfully more secure.
Because in the overwhelming majority of situations, if that security is compromised, my bank will eventually cough up my money.
Also because I also expect neither Google, Apple, my carrier, nor the dab gum gubment is likely to rob me by...
*checks notes*
Compromising the banking app on my phone. Or my PC. Or my router. Or any of the other non-100% secure devices and processes I use to get through my life.
There's basic security precautions, and there's living in fear and paranoia, brought on by a misunderstanding of the threats you are facing.
> Compromising the banking app on my phone. Or my PC. Or my router. Or any of the other non-100% secure devices and processes I use to get through my life. There's basic security precautions, and there's living in fear and paranoia, brought on by a misunderstanding of the threats you are facing.
If you think the risks to your privacy and security are remotely equivalent with a PC and a cell phone I'd argue that you're the one who is misunderstanding the threats you are facing. It is possible that your PC is no more secure than your phone, but that'd be uncommon and your own failing.
You can be responsible and secure a PC pretty well, but there is nothing you can do to prevent a functional cell phone from collecting extremely sensitive data and leaking it like a sieve.
These days, I don't think it's realistic to tell people not to drive. There will always be some risk involved, but you can give folks the tools and the information they need to help protect what's important to them most of the time.
Sometimes that might even include advice on helmets and five-point seat belts, but even without them we should be careful not to mislead people into thinking that a well maintained Volvo XC90 on their desk would be no safer than the 1970s Ford Pinto in their pocket.
Some things are just broken by design and shouldn't be trusted with anything you really care about, while other things can be reasonably safe if you're careful and pay attention.
As someone who works very prominently in mobile device security, and had to long ago come to the realization that I actually KNEW the people who could manage to hack into my phones... I agree with your answer 100%. The threat analysis here leading to only using Firefox on your desktop computer to access your bank makes absolutely no sense to me and--to inject some conspiracy theory back into this (for shits and giggles)--almost feels like "what the enemy wants you to do" ;P.
If your bank uses phone for 2FA (say OTP via SMS or whatever else), but you have no bank login, now attacker have to hack your PC (to get bank account login) AND phone (to get access to 2FA). So not having your 2FA source in same place as your password would be meaningfully more secure
Do you ever use an ATM? How do you justify the possibility there’s a card skimmer in it?
You mentioned “hacks, 0-days and bugs”. I assume you’ve seen the news when big banks like capitalone got hacked. Do you believe your account is safe from any of these types of hacks because you don’t use their mobile app?
How do you justify using your phone to communicate with family members? After all, a hacker could use those people as an attack vector. Those communications, the family member email addresses, your photos and travel history and shopping history could all be used to profile you, profile them, steal your identity, etc
How do you justify using any technology whatsoever when it’s just such a scary world? Once you answer that for yourself, you’ll find the answer to your “why the hell would anybody sane” question.
Wth the various stories about what data apps seem able to access despite being totally unrelated to their core function, they appear to be a goldmine for privacy invaders (advertising companies) and scammers, hence why even semi-popular apps are targeted for purchase by unethicals to turn into personal data feeds.
I don't have banking apps on my phone. I don't need to move money immediately in any situation. And I still have more apps on my phone than I'm comfortable with.
It's all a personal choice about risk appetite, but for most people (not really the HN crowd) the risks are downplayed or unknown.
Were any of the companies listed on the PRISM slide consensual partners? My understanding is that the NSA tapped the internal network in an era where mTLS wasn't rolled out. Everyone then saw the slides and rolled out mTLS.
Sure. I would think that the NSA had plenty of insiders. So do other security agencies, probably. Background checks aren't that thorough against a state-level adversary. (This is one reason why big companies can't trust insiders. I guess small companies should be cautious as well, but sometimes you don't have the funding to protect against insiders and still do your actual work.)
And a hardware implant will give the evil maid control over device I/O at minimum, likely the ability to read RAM too. All that's left is to exfiltrate over a prepaid SIM or something.
It always blows my mind that the same people who insist they don’t trust the government are the first in line to hand over all their personal data to the government, whether by way of Google, Facebook, or otherwise.
Phones will often contain data that can facilitate theft and fraud if ending up in the wrong hands. If they're able to copy everything, including private data from all apps that could be quite bad. For example many countries now use apps to login to online banking, with private keys for the login stored in the app. Will that be copied? Will it ever be found out if one of the 3000 government officials with access to this data sold it on darknet markets?
Maybe some months after your travel you suddenly wake up one day to find all your money transferred from your bank account to some account in Nigeria.