Apple put a lot of work into making iPhones secure. Big banks didn’t. You might think big banks are secure, but that’s just because nobody knows their weak points, and anyone who finds one goes to jail in a hurry. Plus, if you steal money by hacking a bank, they’ll just undo it, so why bother?
Apple tries to make it so iPhones don’t even *have* weak points to begin with.
Banks have a much, MUCH larger attack surface than an iPhone. And a whole lot more of the weakest point in any system: the humans who need to access it. There’s an old adage in cybersecurity: What’s the easiest way to get an employee’s password? You ask them for it. You’d be shocked how many hacks are pulled that way. Kevin Mitnick got famous doing just that. With any large organization you’re pretty much guaranteed to have someone gullible enough to just give you their password, especially if you create an employee ID for some bogus IT support company.
There are a number of reasons:
– Many of these banks and institutions don’t spend enough on securing their data networks; they often have lots of old software running that is vulnerable to attack. Modern phones, by comparison, were designed recently with security built in from day 1.
– For the ones which haven’t left the barn door open by having internet-connected Win98 machines sitting in bedroom closets, they also have lots of ill-trained staff who are susceptible to social engineering… That’s how Sony got hacked…
– There is a huge difference in scale between securing a phone and securing a bank – kinda like comparing a home security system to border security… Big organisations have lots of points of contact (ATMs/PoS terminals, employee laptops/phones, websites, etc.).
– The value of breaking into a big company or bank is much greater, so attackers will spend more (time/money/effort) to get in.
Apple is a monoculture. That means that only specific, Apple-targeting techniques work.
It’s not true that “entire banking systems” have been hacked. Some companies have had some disclosure problems, where their transaction records leaked out, but it’s not like hackers just transferred all the money out of their bank accounts. That mostly happens in movies. That said, there are many companies with many software systems. Hackers don’t care if they take money from Target or Walmart, so they can attack all the companies and just see where they get lucky. Attacking Apple is harder, because there is only the one Apple.
The iPhone’s base architecture is very, very secure. To put it simply, if Apple does not sign your code, the hardware won’t run it.
Now this is an extreme simplification; there are ways to force an iPhone to run your code by injecting it into memory leaks, but that’s a long, complicated path. In most cases you can just be sure that only code that Apple wants to run will run.
Windows and Linux do not have this privilege or burden. Developers can just write code, and it will run. This is vital for a company, as they write their own software to operate their company. They can’t wait for weeks to have a 3rd party sign all their code.
So as any code that you want runs, anyone can write malware and figure out how to get it on the device. This opens up tons of routes to attacks.
If you want to know more about code signing, that’s a separate question.
In games, your protection against attack is usually represented by a single number. You have an armor rating; maybe it’s 1 if you’re wearing ordinary clothing, but 3 if you’re wearing leather armor, and 10 if you’re wearing a plated spacesuit. If you put on a helmet, it improves your armor rating by 2; and that applies even to blows that would hit you in the belly instead of the head.
In the real world, protection against attacks doesn’t work like that. Putting a helmet on protects your head, but does nothing to protect you against getting clubbed in the belly. Armor protects what it covers; it doesn’t grant you a static percentage chance to deflect any attack.
Computer protections are like that, only more so. If a server does not receive email, then it cannot be attacked via email. If it is only exposed to web requests through a reverse-proxy, then only those requests the reverse-proxy accepts can possibly attack it.
The most vulnerable systems are those that have to communicate with a large number of other systems, including business partners, consumers, governments, etc.