WASHINGTON — Apple engineers have already begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts.
If Apple succeeds in upgrading its security — and experts say it almost surely will — the company would create a significant technical challenge for law enforcement agencies, even if the Obama administration wins its fight over access to data stored on an iPhone used by one of the killers in last year’s San Bernardino, Calif., rampage. The F.B.I. would then have to find another way to defeat Apple security, setting up a new cycle of court fights and, yet again, more technical fixes by Apple.
The only way out of this back-and-forth, experts say, is for Congress to get involved. Federal wiretapping laws require traditional phone carriers to make their data accessible to law enforcement agencies. But tech companies like Apple and Google are not covered, and they have strongly resisted legislation that would place similar requirements on them.
“We are in for an arms race unless and until Congress decides to clarify who has what obligations in situations like this,” said Benjamin Wittes, a senior fellow at the Brookings Institution.
Companies have always searched for software bugs and patched holes to keep their code secure from hackers. But since the revelations of government surveillance made by Edward J. Snowden, companies have been retooling their products to protect against government intrusion.
Apple built its recent operating systems to protect customer information. As its chief executive, Timothy D. Cook, wrote in a recent letter to customers, “We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”
But there is a catch. Each iPhone has a built-in troubleshooting system that lets the company update the system software without the need for a user to enter a password. Apple designed that feature to make it easier to repair malfunctioning phones.
In the San Bernardino case, the F.B.I. wants to exploit that troubleshooting system by forcing Apple to write and install new software that strips away several security features, making it much easier for the government to hack into the phone. The phone in that case is an old model, but experts and former Apple employees say that a similar approach could also be used to alter software on newer phones. That is the vulnerability Apple is working to fix.
Apple officials alluded to this in a conference call last week when a journalist asked why the company would allow firmware — the software at the heart of the iPhone — to be modified without requiring a user password. One executive replied that it was safe to bet that security would continue to improve, and someone close to the company confirmed this week that Apple engineers had begun work on a solution even before the San Bernardino attack. A company spokeswoman declined to comment on what she called rumors and speculation.
Independent experts have offered possible solutions in both public forums and private, informal conversations with the company over the last few weeks. “There are probably 50 different ideas we have all sent to Apple,” said Jonathan Zdziarski, a security researcher.
Apple regularly publishes security updates and gives credit to researchers who hunt for bugs in the company’s software. “Usually, bug reports come in an email saying, ‘Dear Apple Security, we’ve discovered a flaw in your product,’ ” said Chris Soghoian, a technology analyst with the American Civil Liberties Union. “This bug report has come in the form of a court order.”
The court order to which Mr. Soghoian referred was issued last week by a federal magistrate judge, and tells Apple to write and install the code sought by the F.B.I. Apple has promised to challenge that order. Its lawyers have until Friday to file its opposition in court.
In many ways, Apple’s response continues a trend that has persisted in Silicon Valley since Mr. Snowden’s revelations. Yahoo, for instance, left its email service unencrypted for years. After Mr. Snowden revealed how the National Security Agency exploited the company, the company quickly announced plans to encrypt email. Google similarly moved to fix a vulnerability that the government was using to hack into company data centers.
Apple’s showdown with the Justice Department is different in one important way. Now that the government has tried to force Apple to hack its own code, security officials say, the company must view itself as the vulnerability. That means engineers will have to design a lock they absolutely cannot break.
“This is the first time that Apple has been included in their own threat model,” Mr. Zdziarski said. “I don’t think Apple ever considered becoming a compelled arm of the government.”
The F.B.I. director, James B. Comey Jr., signaled this week that he expected Apple to change its security, saying that the phone-cracking tool the government sought in the San Bernardino case was “increasingly obsolete.” He said that supported the government’s argument that it was not seeking a skeleton key to hack all iPhones.
Apple, though, says the case could set a precedent for forcing company engineers to write code to help the government break any iPhone. “The U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create,” Mr. Cook said in his letter.
The heated back-and-forth between the government and technology companies is, at least in part, a function of the Obama administration’s strategy. The White House has said it will not ask Congress to pass a law requiring tech companies to give the F.B.I. a way to access customer data. That has left the Justice Department to fight for access one phone at a time, in court cases that often go unnoticed.
While it is generally accepted that Silicon Valley’s tech giants can outgun the government in a technical fight, the companies do face one important limitation. Security features often come at the expense of making products slower or clunkier.
Apple’s brand is built around creating products that are sleek and intuitive. A security solution that defeats the F.B.I. is unworkable if it frustrates consumers. One of the impediments to encrypting all the data in Apple’s iCloud servers, for instance, has been finding a way to ensure that customers can easily access and recover photos and other information stored there.
“Telling a member of the public that they’re going to lose all the family photos they’ve ever taken because they forgot their password is a really tough sell,” Mr. Soghoian said. “A company wants to sell products to the public.”
Written by Matt Apuzzo and Katie Benner of The New York Times
Nightfall in Minsk means Dmitry Naskovets begins working the phone. Naskovets is tall and lean, and at 24 still looks like a kid, with shaggy hair, pale and skinny. He’s in his apartment’s kitchen, in a respectable neighborhood off the second ring road in the capital of Belarus. He starts around 6 p.m. and usually doesn’t quit until three the next morning.
On this particular winter night in 2009, Naskovets checks the online orders that have come in and sees a routine assignment. A client has tried to buy a MacBook Pro online with a stolen credit card, but American Express blocked the purchase. Now it’s Naskovets’s job to work it out with Amex.
He calls the toll-free number, using software that makes it look as if he’s dialing from the U.S. Any information the customer rep might ask for, Naskovets’s client sends him instantly by chat. The questions don’t usually get beyond the cardholder’s date of birth, Social Security number, or mother’s maiden name, but the woman fielding this call is unusually thorough. She notices that the phone number on the account has changed recently, triggering extra security. She puts Naskovets on hold while a colleague dials the old number and gets the actual cardholder on the line.
Thus begins an absurd contest: Naskovets against the man he’s impersonating. The agents throw out questions to distinguish the fake. When did you buy your home? What color was the car you bought in 2004? Each time Amex puts him on hold, he knows the legitimate cardholder is being asked the same question. At last, the rep thanks him, apologizes, and approves the purchase. Naskovets was even better than the real thing.
Telling the anecdote years later, Naskovets has a certain sympathy for the victim, who had to dredge up details from memory, while Naskovets just read off a screen. “This guy has his credit stolen from in front of his eyes,” he says.
From 2007 to 2010, Naskovets was an identity thief—the voice on the phone that explained questionable purchases to banks and gave final approval for fraudulent wire transfers. He didn’t convince every agent; about a third of the time, the scam didn’t work, he says. Hang up, move on. But he was successful enough to smooth the way for more than 5,000 instances of fraud, according to the U.S. Department of Justice.
The prefix “cyber” evokes technological sophistication, yet cybercrime depends on legions of old-fashioned crooks. They’re foot soldiers with no particular computer skills who play the part of customers over the phone or cash out compromised accounts and send laundered money to superiors in Eastern Europe or elsewhere. As data theft has exploded, with hackers vacuuming up hundreds of millions of credit card and bank account records in recent years, so has this service sector.
“I understand it’s bad,” Naskovets says. “I understand that. But in the beginning, when you’re sitting in Belarus, and you’re very young and you need money … ,” he trails off. “You don’t see blood, you don’t see crying people in front of you. You’re just pushing the button.”
Naskovets grew up in Borisov, a small city an hour northeast of Minsk, raised by his grandmother and his mother, a nurse. He attended a public school with an intensive English program, with lessons six times a week from age 6 to 15, including classes in literature and translation, then studied finance in college. At 22, he was working for a Minsk car dealership when he ran into a former classmate named Sergey Semashko on the subway. Semashko mentioned a job opportunity for someone with excellent English.
A few days later, Naskovets visited Semashko, whom he’d never known to be wealthy, in a mysteriously high-end apartment in one of Minsk’s better neighborhoods. Semashko left the details of the job vague. Get a headset and a Skype account, he told Naskovets, handing him $500—more than Naskovets earned in a month.
Whatever this new chance might be, Naskovets had reasons beyond greed for jumping at it. Selling cars wasn’t the career he’d planned. When he graduated in 2004, he’d gotten a job at a state-owned bank. But after joining a demonstration that criticized President Aleksandr Lukashenko, he was detained by Belarusian security agents. (They’re known by the initials KGB, as in the former Soviet Union.) The agents wanted him to snitch on his fellow demonstrators, he says. He refused. The KGB persisted. When Naskovets stopped answering his personal phone, agents called him at the bank, and the bank didn’t renew his contract. Finding a job became difficult. The KGB kept up its pursuit, detained him again, and then pressured the adhesive tape factory where he’d found work to fire him, he says.
It was late 2006, and as Naskovets struggled, a golden age of cybercrime was underway. TJX Cos., the owner of T.J. Maxx and Marshalls stores, would shortly discover that hackers had made off with credit card data for 46 million customers—one of the first corporate megabreaches. Within a year, the Zeus Trojan, a piece of malware designed for bank robbery, would infect tens of thousands of computers. The new efficiency in harvesting stolen data created a bonanza of opportunities in the black market. This was the world Naskovets entered.
He set up an e-mail account, email@example.com, and began to get messages from strangers via Semashko. At first, they wanted him to check a credit card balance or change the billing address on an account. The requests quickly became more obviously illegal—impersonating bank customers and getting bogus wire transfers approved. To Naskovets, it felt almost like a game. “It’s crazy and every day something new,” he says. “You can do it from your kitchen in your underwear with a beer.”
By mid-2007, his business was thriving. Customers typically reached him via an order form on the website he and Semashko set up, CallService.biz. They advertised on CardingWorld.cc and other forums popular with data thieves.
His hacker partners did the complex computer work of stealing account data, logins, and passwords; Social Security numbers; and security questions and answers. They would then initiate fraudulent transfers or purchase expensive, easily resold items such as watches or Apple computers. With his conversational English, Naskovets provided the final piece, getting around the toughest security measures—if an outgoing wire required verbal confirmation, say, or a card company called to make sure it was really John Smith buying that $3,000 watch on EBay.
Naskovets did as many as 30 calls a day, charging about $20 a pop or a percentage of the transaction. For most jobs, customers provided the information he needed, usually culled from credit reports. If a bank asked for ID, Naskovets knew a guy who could e-mail a PDF of a fake driver’s license in seven minutes for $20. If he didn’t know the answer to a security question, or an agent got suspicious, he had a strategy: feign impatience or frustration. American financial institutions focus on customer service at the expense of security, Naskovets says. “Why are you asking me that?” he’d sputter. “I don’t have time for this! I need to get this done!”
His accent wasn’t much of a problem. Agents at banks followed a tight script. As long as he had all the answers right, he says, they weren’t going to risk going to a supervisor over a foreign accent.
Not that there weren’t hiccups. Once, when he was supposed to be someone named Thomas Jefferson, an agent pointedly asked if he knew who that was. He began to get threatening calls from bank security personnel and the FBI. “We’re going to get you,” they said. He’d tell them they had the wrong number.
He didn’t worry too much about those calls. He didn’t know who any of his clients were, and all they knew about him was his e-mail address, or so he thought.
Naskovets is cagey about how much he brought in—sometimes $400 a day, sometimes $1,000, sometimes nothing. He avoided transactions involving millions of dollars, preferring smaller stakes, less anxiety, and greater freedom. “The bigger the money, the bigger the mental tension,” he says. Instead, he enjoyed himself. He could afford restaurants and nightclubs. He traveled for the first time, to Bulgaria, India, Paris, and Turkey. He married his girlfriend. “It was a good life,” he says. “The most important thing was a kind of freedom from anything.”
With his profits, he tried to start over outside Belarus. In 2009, Naskovets and his wife left for Prague with plans to start a pet supply store. But his old clients kept bringing him work. “I already understood I cannot do this business all my life,” he says. “It was so difficult to cancel—people are constantly messaging you.”
Naskovets was at home on April 15, 2010, in a six-story apartment building near Prague’s biggest park, when the power cut out. The doorbell rang; a man in a bright orange jacket with a company name on it waited outside—an electrician, Naskovets assumed. Naskovets opened the door and found a gun in his face. Shouting, the fake workman forced him to the floor, handcuffing him while more officers entered the apartment. A silent FBI agent stood watch. They put Naskovets in a chair and showed him a document. It said he could go to jail for 39½ years in the U.S. for conspiracy to commit wire fraud and aggravated identity theft. Then they bundled him off to Prague’s Pankrác prison, wearing a zip-up Fair Isle sweater and looking like an early ’60s Beatle with his floppy hair.
Belarus authorities arrested Semashko on the same day, and officials in Lithuania seized computers that hosted CallService.biz. Preet Bharara, the U.S. Attorney for the Southern District of New York, trumpeted the arrests: “Dmitry Naskovets’s website was essentially an online bazaar for dangerous identity thieves. … Today, we have shut down that business and protected untold thousands of potential victims of identity theft.”
Naskovets didn’t know how the U.S. had found him. He suspected a former girlfriend had turned on him. Also, the indictment referenced a chat where he’d inadvertently sent personal information to a client. His first instinct was to fight the charges. He didn’t cooperate when U.S. authorities attempted to interrogate him in May 2010. But his lawyer told him to accept extradition and make a deal; by mid-September he was at the Metropolitan Correctional Center in Manhattan. He pleaded guilty in 2011. In March 2012, Judge Lewis Kaplan sentenced him to 33 months, most of which he’d already served, and ordered him to pay $200.
“I want to say thank you to the American government for giving me an opportunity to clean my hands in front of justice in such a humane and civilized way,” Naskovets told the judge, “for giving me the opportunity to accept responsibility for all unlawful and immoral deeds and to start a new part of my life with totally different ideas in my mind.”
He meant it. After a conversation with Naskovets, you realize quickly that he’s a relentless optimist. He paints his time in the U.S. correctional system as an adventure. “I get this philosophy probably from my grandmother. It’s like, ‘Life is good no matter what.’ ” He spent the biggest chunk of time in Brooklyn’s Metropolitan Detention Center, working a 3-to-8 a.m. kitchen shift for 20¢ an hour and reading—the New York Times, Keith Richards’s Life, and Russian novels donated to the prison library by a previous inmate, Ukrainian hacker Roman Vega. Cybercrime, Naskovets discovered, commanded respect. He got more than one business proposal from fellow inmates for work when he got out.
“You can get life for two kilos of cocaine, but if you’re going to get some bank fraud, OK, you’re going to get 18 months,” he says. “And at the same time, the reputation you got, it’s like, ‘Oh, you are the most sophisticated.’ So this is crazy.”
Factoring in time served and a reduction for good behavior, Naskovets got out in September 2012. He faced a deportation order that would have sent him back to Belarus. Representing himself in immigration court, he argued that he risked torture if sent home, based on his run-ins with the KGB. As a signatory to the U.N. Convention Against Torture, the U.S. cannot send someone back to a country knowing he’s likely to be tortured. An immigration judge sided with Naskovets. The government appealed.
Here’s where Naskovets’s optimism proved justified. While he was buffing floors in a county prison in Pennsylvania, his case had caught the attention of Stephen Yale-Loehr, a law professor who runs an immigration clinic at Cornell. With the help of Yale-Loehr and his students, Naskovets fought Immigration and Customs Enforcement in court for two years—and in October 2014 the agency decided to let him stay.
I met Naskovets two weeks later, at a Central Asian restaurant near Coney Island. He already had a job, doing office work for Arkady Bukh, the lawyer who’d represented him in his criminal case. He ordered fried Russian dumplings and coffee. He looked rough, dressed all in black, with unkempt hair, a deep pallor, and teeth chipped in a prison accident. He more or less matched my mental image of an Eastern European identity thief.
By February 2015, Naskovets was living in Far Rockaway, Queens. He picked me up in a friend’s white Audi sedan, wearing a long black dress coat and new shoes, with new teeth and a haircut. He’d been taking an online course on the art business through Sotheby’s. He’d also applied for a Discover card. “From the professional point of view, I’m analyzing how they work,” he says, unimpressed. “They ask very secure, very tough questions—they think—like, ‘What is your business address?’ ”
Naskovets and Bukh have since started their own company, CyberSec, which bills itself as “a different kind of cyber security firm.” Their website touts the skills of “hackers who are now using their knowledge of computers to do good.” They include Igor Klopov, who’s back in Russia after serving a sentence for identity theft in the U.S., and Vladislav Horohorin, formerly known as BadB, a notorious Russian hacker who’s still in jail in Massachusetts for credit card and wire fraud.
Not long after he got out of jail, Naskovets contacted the American Express security department to offer his help. “I was like, ‘Because of you, I’m here. I’m good, so let me pay you back a little bit,’ ” he says. The company didn’t take him up on the offer.