On Dec. 2 of last year, 14 people were killed and 22 were seriously injured in a terrorist attack in San Bernardino, California, carried out by Syed Farook and Tashfeen Malik. As one might expect, in the ensuing weeks, the FBI has been gathering as much evidence about the case as possible. One piece of recovered evidence is an iPhone issued to Farook by his employer, the San Bernardino County Department of Public Health.
The health department authorized the FBI to access any data contained on the phone, but there's a problem. All the data on the phone — on all iPhones, for that matter — are encrypted so that even Apple can't decrypt them. To access the data, one needs to know the phone's passcode.
There are, of course, computer programs that can guess passcodes in rapid succession, but iPhones are designed with a trio of additional security measures to prevent that:
- An auto-erase function deletes an iPhone's data after 10 incorrect passcode attempts.
- After a certain number of failed attempts, the iPhone enforces a mandatory delay before the passcode can be attempted again.
- The iPhone knows the difference between a manual passcode entry and one attempted by a computer, and only allows the former.
The FBI currently has no way to bypass these security measures — and just as important, Apple doesn't either. Yet the FBI is convinced the phone holds important information. That brings us to the current showdown.
The FBI asked Apple to create software that would bypass these security measures, allowing the feds to access the data on the phone. The iPhone's encryption-hardened design was very intentional and so Apple refused this request. The FBI in turn sought and obtained a court order requiring Apple to create this software. Apple again refused, and that's where things stand as of this writing.
At first blush, the FBI's request may not seem unreasonable. After all, the agency only wants to examine the contents of one dead terrorist's phone. However, Apple's concern — and the concern of many other technologists and privacy experts — is that once the software is created, the government could reuse it at will. Worse, it could fall into the hands of cybercriminals.
What's at stake for your credit union? Probably not much, but there's plenty at stake for your members. They use your mobile app, for example, because they feel safe doing so. They take comfort knowing that only they can access the data on that mobile device.
When you consider all the phishing attacks to which members and employees fall prey and all the card breaches that are completely out of your control, it becomes clear that cybersecurity needs to be further strengthened, not weakened.
Your members deserve to have their information protected to the highest possible degree. In short, your members deserve peace of mind.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
